Re: [dnsext] we need help to make names the same, was draft-yao-dnsext-identical-resolution-02 comment

Tony Finch <dot@dotat.at> Thu, 24 February 2011 10:06 UTC

Date: Thu, 24 Feb 2011 10:07:08 +0000
From: Tony Finch <dot@dotat.at>
To: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
In-Reply-To: <4CC95816-8225-4CAE-897F-3F13F965BCEE@ICSI.Berkeley.EDU>
Message-ID: <alpine.LSU.2.00.1102240953550.5244@hermes-1.csi.cam.ac.uk>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] we need help to make names the same, was draft-yao-dnsext-identical-resolution-02 comment

On Wed, 23 Feb 2011, Nicholas Weaver wrote:
> On Feb 23, 2011, at 12:00 PM, Phillip Hallam-Baker wrote:
> >
> > True, but data origin authentication is probably the wrong model for a
> > DNS security scheme.

If you want to argue that, please get in your time machine and go back to
1993.

> > If we are going to consider changing the model of DNSSEC, which is
> > what moving to online signatures would entail, then the whole
> > architecture is back on the table.
>
> Online signatures work within the existing DNSSEC model, you just need
> to be willing to pay the computational cost in the cases where it is
> necessary (eg, mixed-casing non-ascii)

You can predict in advance the maximum size of the signature cache you
will need (since it's the same size as a pre-signed zone) and once the
cache is populated the work you need to do is exactly the same as for
re-signing a static zone. There are some cases where the maximum cache is
unfeasibly huge, for example pool.ntp.org, in which case you might be able
to get away with a smaller cache (which implies more computational work)
or a more restricted data model.

See also
http://www.ietf.org/mail-archive/web/dnsext/current/msg08593.html
and Colm's follow-up.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Shannon, Rockall, Malin, Hebrides: Southwest 6 to gale 8, occasionally severe
gale 9 in Rockall, perhaps severe gale 9 later in Hebrides. Very rough or
high, occasionally very high in northwest Rockall and northwest Hebrides.
Occasional rain. Moderate or poor.
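The signature-cache argument in Tony's message, worked through as an added simulation (not code from the thread or from any DNSSEC implementation): an on-demand signer with a bounded LRU cache, a constructed static zone queried with varying ASCII case, and a constructed pool.ntp.org-like name whose answers rotate. The "signature" is a hash standing in for an RRSIG; only ASCII A-Z is lowercased, following DNSSEC canonical form, so 8-bit label variants stay distinct cache entries.

```python
import hashlib
from collections import OrderedDict

def canonical_owner(name: bytes) -> bytes:
    # DNSSEC canonical form (RFC 4034 s6.2) lowercases only ASCII A-Z;
    # any other byte is left as-is, so non-ASCII case variants stay distinct.
    return bytes(b + 32 if 0x41 <= b <= 0x5A else b for b in name)

class OnlineSigner:
    """On-demand signer with a bounded LRU cache of signatures (assumed design)."""
    def __init__(self, cache_size: int):
        self.cache_size = cache_size
        self.cache: OrderedDict = OrderedDict()
        self.signings = 0  # signing operations actually performed

    def _sign(self, owner: bytes, rdata: tuple) -> str:
        # Simulated RRSIG: a hash stands in for the real signature (constructed).
        self.signings += 1
        return hashlib.sha256(owner + b"|" + repr(list(rdata)).encode()).hexdigest()[:16]

    def answer(self, owner: bytes, rdata: tuple) -> str:
        key = (canonical_owner(owner), tuple(sorted(rdata)))
        if key in self.cache:
            self.cache.move_to_end(key)      # cache hit: no signing work
            return self.cache[key]
        sig = self._sign(*key)
        self.cache[key] = sig
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)   # evict least recently used entry
        return sig

def signings_needed(queries, cache_size: int) -> int:
    """Count signing operations for a query stream with a given cache size."""
    s = OnlineSigner(cache_size)
    for owner, rdata in queries:
        s.answer(owner, rdata)
    return s.signings

# Constructed static zone: 4 names with fixed answers, queried with varying ASCII case.
STATIC_ZONE = {b"www.example.net": ("192.0.2.1",), b"mail.example.net": ("192.0.2.2",),
               b"ns1.example.net": ("192.0.2.3",), b"ns2.example.net": ("192.0.2.4",)}
STATIC_QUERIES = [(n.upper() if i % 2 else n, STATIC_ZONE[n])
                  for i in range(1000) for n in STATIC_ZONE]

# Constructed pool.ntp.org-like name: each query gets a rotating subset of 50 servers,
# so the maximum cache is 50 entries even though the zone holds a single name.
POOL = [f"198.51.100.{i}" for i in range(50)]
POOL_QUERIES = [(b"pool.example.net", tuple(POOL[(i + k) % 50] for k in range(4)))
                for i in range(1000)]
```

With a cache at least as large as the pre-signed zone, the static case signs each RRset exactly once; shrink the cache below the cycle length and every query signs again, which is the extra computational cost Tony describes.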