Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Eric Rescorla <ekr@networkresonance.com> Thu, 14 August 2008 01:23 UTC

Date: Wed, 13 Aug 2008 18:16:25 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Mark Andrews <Mark_Andrews@isc.org>
Cc: Eric Rescorla <ekr@networkresonance.com>, Joe Abley <jabley@ca.afilias.info>, Ray.Bellis@nominet.org.uk, Namedroppers WG <namedroppers@ops.ietf.org>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
In-Reply-To: <200808140043.m7E0hkbK096439@drugs.dv.isc.org>
References: <20080813171816.D7B3C50846@romeo.rtfm.com> <200808140043.m7E0hkbK096439@drugs.dv.isc.org>
Message-Id: <20080814011626.2DAE05369E9@kilo.rtfm.com>
List-ID: <namedroppers.ops.ietf.org>

At Thu, 14 Aug 2008 10:43:46 +1000,
Mark Andrews wrote:
> 
> 
> > The problem here is not PKI or DNSSEC but that we have no good
> > mechanisms in the generic case for determining whether a given
> > individual is authorized to control a given domain. This makes any
> > cryptographic authentication of domain name ownership problematic.
> 
> 	Most zones are created when they are bought.  The buyer
> 	specifies the NS, DS and glue records as part of that
> 	transaction.  The credentials for future transactions are
> 	established as part of that initial transaction.
> 
> 	Now when zones are sold there are issues but those issues
> 	exist independent of whether DNSSEC is in use or not.
> 
> 	If you are authorised to update the delegation information
> 	in the parent then you should be authorised to change the
> 	DS records in the parent as they are just part of the
> 	delegation.  Changes to NS, A, AAAA and DS records as part
> 	of the delegation are equally dangerous as each other.
> 
> 	There is no need to make the parent / child trust relationship
> 	more complicated with DNSSEC than it is without DNSSEC.

Yes, I agree with that. But in many of these cases, the credentials
are "here's the email address to contact the technical contact with".
This is of course just as problematic as e-mail answerback for 
certificate authorities.

And to the extent to which the registrars/registries have a
DNS-independent way of validating the domain owners, the CAs 
(who in at least some cases are the same people!) could
presumably leverage that to determine whether to issue
the certs.

-Ekr

