Re: [dnsext] we need help to make names the same, was draft-yao-dnsext-identical-resolution-02 comment

Phillip Hallam-Baker <hallam@gmail.com> Thu, 24 February 2011 13:07 UTC

In-Reply-To: <AANLkTin_so10158NidsaBKb0Vi644N4ACQJ6t2Z23Y75@mail.gmail.com>
References: <20110216165921.GW96213@shinkuro.com> <3B90ED2E-980D-4B01-889F-447D66D0B58D@insensate.co.uk> <20110216174011.GZ96213@shinkuro.com> <20110218143653.GC84482@bikeshed.isc.org> <20110218151209.GF66684@shinkuro.com> <4D5EEE09.4080405@dougbarton.us> <20110218222950.GL74065@shinkuro.com> <4D5F270F.20401@abenaki.wabanaki.net> <199C7B2B4228461FB024E59A990DB46D@ics.forth.gr> <4D641DB6.4090705@necom830.hpcl.titech.ac.jp> <20110222205617.GS53815@shinkuro.com> <4D64489B.7020901@necom830.hpcl.titech.ac.jp> <713D992A-1DB9-4F72-9D18-8E923AD51D8D@icsi.berkeley.edu> <AANLkTikf2ixw7JkxQiRBobv-seYnaYS0E3G8TboosnA=@mail.gmail.com> <alpine.LSU.2.00.1102231029260.27602@hermes-1.csi.cam.ac.uk> <AANLkTin6-mXBeKC_TzgvWUaCyxKfeZxTK1BQvXtpwuCN@mail.gmail.com> <AANLkTin_so10158NidsaBKb0Vi644N4ACQJ6t2Z23Y75@mail.gmail.com>
Date: Thu, 24 Feb 2011 08:08:37 -0500
Message-ID: <AANLkTi=yNaaUn2c8uf25_ECimxa0tpZiNpymaRvz-9-w@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Donald Eastlake <d3e3e3@gmail.com>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] we need help to make names the same, was draft-yao-dnsext-identical-resolution-02 comment

On Wed, Feb 23, 2011 at 5:25 PM, Donald Eastlake <d3e3e3@gmail.com> wrote:

> Hi,
>
> On Wed, Feb 23, 2011 at 12:00 PM, Phillip Hallam-Baker <hallam@gmail.com>
> wrote:
> >
> >
> > On Wed, Feb 23, 2011 at 5:30 AM, Tony Finch <dot@dotat.at> wrote:
> >>
> >> On Tue, 22 Feb 2011, Phillip Hallam-Baker wrote:
> >>
> >> > If you are going to do [online signing], you might as well do a key
> >> > exchange inline as well as we do in TLS. One key exchange can then be
> >> > leveraged across multiple connections using kerberos style tickets (see
> >> > DPLS for an example).
> >>
> >> That gives you channel security whereas DNSSEC gives you data origin
> >> authentication. They are not the same things.
> >
> > True, but data origin authentication is probably the wrong model for a DNS
> > security scheme.
>
> Why? Is your goal to make it easy for some entity not the authority
> for a zone to forge data in that zone?

Data origin authentication is very expensive. If the use cases only require
channel authentication, that is going to be more practical.

> > If we are going to consider changing the model of DNSSEC, which is what
> > moving to online signatures would entail, then the whole architecture is
> > back on the table.
>
> Total nonsense. The on or off line signing question is pretty minor
> and completely orthogonal to the channel versus origin authentication
> question. As soon as you have a zone with dynamic update, you are
> shoved in the direction of on-line signing, it doesn't take mixed case
> non-ascii.

The original poster was being imprecise. DNSSEC already has an 'online'
signature model in that the only practical way to sign a zone is to have the
signing keys connected to the Internet.

What is being proposed here is really an inline signature scheme in which
the signatures are generated within the DNS request-response loop. It would
require every DNS server to have signature capability, not just the zone
master. It would require the signatures to be generated on demand in
response to attacker generated queries.

It would be a total change of the security model.

I think that it would be unwise to make such a change to the DNS
infrastructure in order to support a requirement that is probably nonsense.


-- 
Website: http://hallambaker.com/
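Added example, not part of the thread and not code from any poster or from any DNS implementation: the message above contrasts DNSSEC's precomputed signatures with an "inline" scheme that signs inside the DNS request-response loop. The Go program below models both over one constructed three-record zone with a single Ed25519 key. The presigned zone is built once (its RRsets plus an NSEC chain for denial of existence) and the structure that answers queries never holds the private key, so an attacker's query stream costs it nothing beyond lookups. The inline zone signs every answer, denials included, for whatever names a client invents, so it needs the key on the serving path and pays one signature per query. The names (example.test. and friends), the RRset and NSEC layout, the fixed demo seed, and the plain-string NSEC ordering are assumptions of the example; RFC 4034 canonical form, RRSIG validity windows, NSEC type bitmaps, NODATA responses and NSEC3 are left out.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"sort"
	"strings"
)

// RRset is a toy owner/type/rdata triple; canonical() is the byte string that gets signed
// (a stand-in for RFC 4034 canonical form, not the real wire encoding).
type RRset struct {
	Name, Type string
	Rdata      []string
}

func (r RRset) canonical() []byte {
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(r.Rdata, ","))
}

func key(name, typ string) string { return strings.ToLower(name) + "|" + typ }

// PresignedZone is DNSSEC as deployed: every RRset and every NSEC denial record is signed
// once when the zone is built, and the serving structure holds no private key at all.
type PresignedZone struct {
	rrs   map[string]RRset
	sigs  map[string][]byte
	names []string // sorted owner names forming the NSEC chain (plain string order, simplified)
}

// Presign builds the zone and reports how many signatures that cost.
func Presign(rrs map[string]RRset, priv ed25519.PrivateKey) (*PresignedZone, int) {
	z := &PresignedZone{rrs: map[string]RRset{}, sigs: map[string][]byte{}}
	seen := map[string]bool{}
	for k, r := range rrs {
		z.rrs[k], z.sigs[k] = r, ed25519.Sign(priv, r.canonical())
		if n := strings.ToLower(r.Name); !seen[n] {
			seen[n], z.names = true, append(z.names, n)
		}
	}
	sort.Strings(z.names)
	for i, n := range z.names { // one NSEC per name; the last one wraps to the first
		nsec := RRset{n, "NSEC", []string{z.names[(i+1)%len(z.names)]}}
		z.rrs[key(n, "NSEC")], z.sigs[key(n, "NSEC")] = nsec, ed25519.Sign(priv, nsec.canonical())
	}
	return z, len(z.sigs)
}

// Query serves from storage; a nonexistent name gets the precomputed NSEC that covers it.
// (NODATA, an existing name without the queried type, is not modelled.)
func (z *PresignedZone) Query(name, typ string) (data, sig []byte) {
	k := key(name, typ)
	if _, ok := z.rrs[k]; !ok {
		i := sort.SearchStrings(z.names, strings.ToLower(name))
		k = key(z.names[(i+len(z.names)-1)%len(z.names)], "NSEC")
	}
	return z.rrs[k].canonical(), z.sigs[k]
}

// InlineZone is the proposal under discussion: nothing is signed in advance, every response
// (denials included) is signed inside the request/response loop, so the private key has to be
// online on every server answering queries. SignOps counts the signatures spent.
type InlineZone struct {
	rrs     map[string]RRset
	priv    ed25519.PrivateKey
	SignOps int
}

func (z *InlineZone) Query(name, typ string) (data, sig []byte) {
	r, ok := z.rrs[key(name, typ)]
	if !ok { // a signature is spent on whatever name the client chose to ask for
		r = RRset{name, typ, []string{"NXDOMAIN"}}
	}
	z.SignOps++
	return r.canonical(), ed25519.Sign(z.priv, r.canonical())
}

// SampleZone is a constructed three-RRset zone, indexed by owner|type, used by Run and the test.
func SampleZone() map[string]RRset {
	rrs := map[string]RRset{}
	for _, r := range []RRset{
		{"example.test.", "NS", []string{"ns1.example.test."}},
		{"ns1.example.test.", "A", []string{"192.0.2.53"}},
		{"www.example.test.", "A", []string{"192.0.2.80", "192.0.2.81"}},
	} {
		rrs[key(r.Name, r.Type)] = r
	}
	return rrs
}

// Run serves one real name plus `burst` nonexistent names (an attacker's query stream) through
// both models and returns: signatures spent building the presigned zone, signatures the inline
// zone spent answering, and whether every answer verified under the zone's public key.
func Run(burst int) (buildOps, inlineOps int, allValid bool) {
	// Fixed seed keeps the demo deterministic; it is a constructed key, never do this for a real zone.
	priv := ed25519.NewKeyFromSeed([]byte("constructed-demo-seed-not-secret"))
	pub := priv.Public().(ed25519.PublicKey)
	pz, buildOps := Presign(SampleZone(), priv)
	iz := &InlineZone{rrs: SampleZone(), priv: priv}
	queries := []string{"www.example.test."}
	for i := 0; i < burst; i++ {
		queries = append(queries, fmt.Sprintf("junk-%04d.example.test.", i))
	}
	allValid = true
	for _, q := range queries {
		d1, s1 := pz.Query(q, "A")
		d2, s2 := iz.Query(q, "A")
		allValid = allValid && ed25519.Verify(pub, d1, s1) && ed25519.Verify(pub, d2, s2)
	}
	return buildOps, iz.SignOps, allValid
}

func main() {
	b, i, ok := Run(1000)
	fmt.Printf("presigned: %d signatures to build, none per query; inline: %d signatures for 1001 queries; verified: %v\n", b, i, ok)
}
```

Run(1000) yields 6 signatures to build the presigned zone (three RRsets plus three NSEC records) and none at query time, against 1001 signatures for the inline zone answering the same 1001 queries, with every answer verifying under the one public key. The inline count grows with whatever query rate an attacker chooses, and the signing key has to be reachable from every server that answers, which is the change of security model the message is objecting to.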