Re: [dnsext] DNSSEC, robustness, and several DS records

Tony Finch <dot@dotat.at> Tue, 17 May 2011 17:38 UTC

Date: Tue, 17 May 2011 18:38:41 +0100
From: Tony Finch <dot@dotat.at>
To: Phillip Hallam-Baker <hallam@gmail.com>
In-Reply-To: <BANLkTi=rkYRodQtW3tWg=W6oB6HQsM9+RQ@mail.gmail.com>
Message-ID: <alpine.LSU.2.00.1105171833440.19348@hermes-2.csi.cam.ac.uk>
References: <201105112022.p4BKMHmp010275@givry.fdupont.fr> <20110512012832.296D7EAE55F@drugs.dv.isc.org> <BANLkTikTiEwLWP10FoqO5wHrVK31RGHR8A@mail.gmail.com> <BANLkTi=rkYRodQtW3tWg=W6oB6HQsM9+RQ@mail.gmail.com>
Cc: dnsext@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dnsext] DNSSEC, robustness, and several DS records

Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
> 1) No, it is not likely that we will have an issue with SHA-1 with respect
> to DNSSEC. The reason for this is that DNSSEC is not used to provide
> non-repudiation. Thus it is not necessary to be able to state today that we
> are confident that SHA-1 will be acceptably secure in 20 years time.
>
> I have asked Adi Shamir about likely progress on SHA1 and I think we are
> good wrt DNSSEC for at least ten years.

A useful point, thanks.

> 4) Since SHA3 is being worked on right now, it would seem to me that the
> appropriate upgrade path for DNSSEC would be to ignore SHA2 and skip
> straight from SHA1 to SHA3.

SHA2 is already widely deployed in DNSSEC, e.g. in the root zone and
many TLDs.

> One of the biggest hassles in DNSSEC is that the RRSIG records cover
> individual record sets of the same type rather than all the records at a
> domain.

Why is that a hassle? It seems like an advantage to me. In particular it
makes it possible to sign a dynamic zone where there is no such thing as
"all the records at a domain".

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5
or 6 later. Rough or very rough. Occasional rain. Moderate or good,
occasionally poor.
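As an added illustration of what "several DS records" for one key look like (this code is an addition to the archive page, not part of the thread): a DS record hashes the child's canonical owner name followed by the DNSKEY RDATA, so one DNSKEY can be published with both a SHA-1 (digest type 1) and a SHA-256 (digest type 2) DS that share the same key tag and differ only in the digest type and digest. The DNSKEY material below is constructed, and the function names are this example's own.

```python
"""Build the DS records a parent publishes for one DNSKEY, with both digest
types discussed in the thread (1 = SHA-1, 2 = SHA-256), following the DS
layout in RFC 4034 section 5 and the key tag algorithm of RFC 4034 Appendix B.
The key material is a constructed stand-in, not a real key."""
import hashlib

DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}  # digest type -> hash


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, protocol, algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA, even-offset
    bytes weighted by 256, with the carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes):
    """One (key tag, algorithm, digest type, hex digest) tuple per digest type.
    The digest input is canonical owner name || DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    digest_input = name_to_wire(owner) + rdata
    return [
        (tag, algorithm, dtype, h(digest_input).hexdigest().upper())
        for dtype, h in sorted(DS_DIGEST.items())
    ]


if __name__ == "__main__":
    fake_key = bytes(range(64))  # constructed key material, not a real key
    # Flags 257 = zone key + SEP (a KSK), protocol 3, algorithm 8 (RSA/SHA-256).
    for tag, alg, dtype, digest in ds_records("Example.COM.", 257, 3, 8, fake_key):
        print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

Both DS records carry the same key tag because the tag is computed over the DNSKEY RDATA alone; only the digest field changes with the digest type.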