Re: [dnsext] DS digest downgrade

Edward Lewis <Ed.Lewis@neustar.biz> Tue, 22 March 2011 12:10 UTC

Message-Id: <a06240804c9ae415989b3@[10.31.200.119]>
In-Reply-To: <AB3F9CFB9B6948139A2BE01269B399D5@local>
References: <AB3F9CFB9B6948139A2BE01269B399D5@local>
Date: Tue, 22 Mar 2011 08:11:53 -0400
To: dnsext@ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: ed.lewis@neustar.biz
Subject: Re: [dnsext] DS digest downgrade

At 21:25 +0000 3/21/11, George Barwood wrote:

>Was this ever discussed?

In the 90's, at the dawn of all this, we considered downgrade situations.

DNSSEC is not there to protect the zone, it exists to protect the 
cache.  The cache is the element that decides what to trust or not. 
Local policy and all that.

A zone only makes data available to the cache.  The more the merrier. 
Caches should be liberal in what they trust - but also firm in what 
they don't.  If SHA-1 is at risk, never use it, remove it from 
consideration.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"
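The policy Lewis describes (the cache is liberal about what the parent publishes but firm about which digest types it will accept) can be shown as validator logic. The following is an added example, not code from the original message or from any DNSSEC implementation. It builds DS digests the way RFC 4034 specifies them (SHA-1 or SHA-256 over the owner name in wire format followed by the DNSKEY RDATA) and then selects a DS/DNSKEY match only among the digest types the local policy accepts, so a DS RRset that carries only a SHA-1 digest does not authenticate the child key when policy is "SHA-256 only". The DNSKEY public-key bytes, the zone name `example.` and the policy sets are constructed for the demonstration; a real validator would go on to check the DNSKEY RRset's RRSIG with the matched key, which is left out here.

```python
import hashlib
import hmac
from dataclasses import dataclass

# DS digest type numbers from the DS RR registry (RFC 4034 / RFC 4509).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2

DIGEST_FUNCS = {
    DIGEST_SHA1: hashlib.sha1,
    DIGEST_SHA256: hashlib.sha256,
}


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        # Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA
        # with the carry folded back in.
        data = self.rdata()
        ac = 0
        for i, b in enumerate(data):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, e.g. b'\\x07example\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """Build the DS record a parent would publish for this child DNSKEY."""
    h = DIGEST_FUNCS[digest_type](owner_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, h)


def find_trusted_match(owner, ds_rrset, dnskey_rrset, accepted_digest_types):
    """Return the (DS, DNSKEY) pair that authenticates the child key under
    local policy, or None.  DS records whose digest type is not in
    accepted_digest_types are removed from consideration entirely, so
    they can neither authenticate a key nor be used to downgrade."""
    for ds in ds_rrset:
        if ds.digest_type not in accepted_digest_types:
            continue  # firm about what we don't trust
        for key in dnskey_rrset:
            if key.key_tag() != ds.key_tag or key.algorithm != ds.algorithm:
                continue
            expected = make_ds(owner, key, ds.digest_type).digest
            if hmac.compare_digest(expected, ds.digest):
                return ds, key
    return None


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) with hypothetical key bytes.
    key = DNSKEY(257, 3, 8, b"constructed-public-key-bytes")
    ds_sha1 = make_ds("example.", key, DIGEST_SHA1)
    ds_sha256 = make_ds("example.", key, DIGEST_SHA256)
    strict = {DIGEST_SHA256}
    print("SHA-1 only, SHA-256 policy :", find_trusted_match("example.", [ds_sha1], [key], strict))
    print("both digests, SHA-256 policy:", find_trusted_match("example.", [ds_sha1, ds_sha256], [key], strict))
```

With policy `{DIGEST_SHA256}` the first call returns `None` even though the SHA-1 digest is arithmetically correct; the second call returns the SHA-256 DS together with the key. Swapping the policy set to include `DIGEST_SHA1` makes the first call succeed, which is the "local policy" knob the message refers to.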