Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC groupthink versus improving DNS)

Mark Andrews <Mark_Andrews@isc.org> Tue, 12 August 2008 23:34 UTC

Message-Id: <200808122326.m7CNQv9u073254@drugs.dv.isc.org>
To: Otmar Lendl <lendl@nic.at>
Cc: Andrew Sullivan <ajs@commandprompt.com>, namedroppers@ops.ietf.org
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC groupthink versus improving DNS)
In-reply-to: Your message of "Tue, 12 Aug 2008 23:03:39 +0200." <20080812210339.GA23393@nic.at>
Date: Wed, 13 Aug 2008 09:26:57 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

> On 2008/08/12 18:08, Andrew Sullivan <ajs@commandprompt.com> wrote:
> > On Tue, Aug 12, 2008 at 06:02:35PM +0200, Otmar Lendl wrote:
> > 
> > > I'm in brainstorming mode, so: Why can't 5011 be used by TLDs instead of
> > > extending the Registry/Registrar protocol? That change takes time
> > > and puts the Registrar into the critical path for DNSSEC rollout.
> > 
> > In at least some cases, two reasons:
> > 
> > 1.  The EPP extension for DS management has been ready for ages.  So
> > there's very little work to do there anyway.  It's in RFC 4310.  (Of
> > course, some registries aren't using EPP, so it's not relevant to them.)
> 
> It's not the protocol extension specification which is the problem.
> It's getting the registrars to actually implement it and support it in
> their customer-facing interfaces. Bringing the registrar into the loop
> also might mean legal work: T&Cs, liability questions, ...

	They are already in the loop.  They are already exposed.
	This happens the moment they attempt to change any record
	in the parent zone.  There is no difference between
	changing/adding a NS, A or AAAA records and DS records.

	You can do as much damage with any of them.

	Do the wrong thing and the zone is not visible or it is
	handed to an attacker.  DS records do not change that exposure
	in any way.

	This is also a strength of DNSSEC.  It doesn't change the
	trust model.  The same person that is authorised to change
	the NS, A and AAAA records is also the same person that
	changes the DS records.

> > 2.  Many TLDs aren't actually allowed to talk to the party that has
> > administrative control of the domain.  In the ICANN world, for
> > instance, registries may only speak to the registrar, and not the
> > registrant.  This is admittedly a policy and not a technical reason,
> > but it's a reason anyway.
> 
> Acknowledged, but luckily that doesn't apply to .at.
> 
> /ol
> -- 
> // Otmar Lendl <lendl@nic.at>, T: +43 1 5056416 - 33, F: - 933
> // nic.at Internet Verwaltungs- und Betriebsgesellschaft m.b.H
> // http://www.nic.at/  LG Salzburg, FN 172568b, Sitz: Salzburg
> 
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
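The exchange above turns on the DS record being just one more parent-side record that the same authorised party maintains, and on the cost of getting it wrong (a zone that disappears or validates against the wrong key). The following Python is an added example, not code from this thread, from ISC or from nic.at; it implements the RFC 4034 DS construction (digest over the canonical owner name in wire form followed by the DNSKEY RDATA, with the key tag from Appendix B) so that a DS about to be sent to the parent can be checked against the child's actual DNSKEY before the change goes through. The owner name `example.at.` and the tiny DNSKEY public-key bytes are constructed for illustration and are not a usable RSA key.

```python
import hashlib
import struct

# RFC 4034 section 5.1.3: DS digest types this check understands.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by a zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the non-RSA/MD5 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2):
    """Build the DS tuple (key tag, algorithm, digest type, hex digest)
    that the parent should publish for this DNSKEY."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]  # byte 3 of the RDATA is the DNSKEY algorithm
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches(owner: str, rdata: bytes, ds) -> bool:
    """True only if the DS we are about to hand to the parent was derived
    from this exact DNSKEY at this exact owner name."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGEST_ALGS:
        return False
    expected = ds_from_dnskey(owner, rdata, digest_type)
    return expected[:3] == (tag, algorithm, digest_type) and expected[3] == digest.upper()


# Constructed sample: a KSK (flags 257) for example.at using algorithm 8.
# The "public key" is a deliberately short placeholder, not a real RSA key.
SAMPLE_OWNER = "example.at."
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, bytes.fromhex("03010001ABCD"))
SAMPLE_DS = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_RDATA)
```

Run `ds_matches(SAMPLE_OWNER, SAMPLE_RDATA, SAMPLE_DS)` before submitting the DS; a single wrong byte in the digest, a stale key tag, or a DS built for a differently spelled owner name makes it return False, which is exactly the mistake that would otherwise leave the zone bogus at every validating resolver. Real zones should be checked with the full-size DNSKEY RDATA pulled from the child's apex, not the placeholder here.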
