Re: Interpreting DNSSEC was Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME

[Michael StJohns <mstjohns@comcast.net>]

At 06:24 PM 10/23/2008, Mark Andrews wrote:

>In message <E1Kt301-000LBZ-QW@psg.com>, Michael StJohns writes:
>> At 06:59 AM 10/23/2008, Ben Laurie wrote:
>> >Michael StJohns wrote:
>> >
>> >I don't understand the rationale behind all this complication.
>> >
>> >If I chose to point a DNAME at an unsecured domain, then that was my
>> >choice, and I should live with it. If I don't want the domain to be
>> >unsecured, then I should either not delegate to it, or ensure it is
>> >secured by non-protocol means (e.g. by owning the domain myself, by
>> >contract, by sufficient purchase of beer for the domain owner, etc.)
>> 
>> Hi Ben -
>> 
>> One of the problem we get with DNS is that there are two views of the data (a
>> t least) - the publisher's, and the resolver's views. DNSSEC makes this more 
>> complicated by the presence or absence of certain trust anchors.
>> 
>> As publisher, I have a signed domain, and as publisher, I publish a DNAME als
>> o pointing at a signed domain.  I've done my due diligence as you suggest - I
>> even own the target zone.
>
>        Signing the zones and publishing DS / DLV records is due
>        diligence.  At that point you need to trust that the resolver
>        operator will do due diligence and configure all known trust
>        anchors or use a DLV service.

I haven't a clue how you would expect to administer this.  When was the last time you heard of someone running a zone who changed it out for a DNAME announcing this to the world? 

5011 provides a mechanism to track changes in trust anchors without having to have an out of band path to those changes.  Are you proposing that we create some sort of DNAME announcement protocol?  Or are you suggesting something else?

Let's work this further.  Say .COM is signed, but .EDU isn't.  Say I'm in a secure zone under .com - example.com.  Say the DNAME is from subzone.example.com to  otherzone.edu.  Say otherzone.edu is signed.  Say the resolver has a trust anchor for .COM.     How the heck do I as the owner of subzone.example.com figure out which resolvers to tell about the change??  

 In many (most?) organizations, the guys who run the authoritative servers and update the data in the zones are not the guys who run the local resolvers, so even in the same organization the administrators may not realize they need to do something special.  Certainly the DNAME documentation doesn't describe any operational considerations related to DNSSEC.



>        Yes there will be configurations that will not return SECURE
>        when there is theoretically enough information to return
>        SECURE.
>
>        And the simple answer is to just ensure that there is a
>        chain of trust from the root to both zones.  If you are
>        unhappy about the lack of trust chains lobby your politicians
>        and registry operators to get the root and infrastructure
>        zones signed.

That may be the simple answer, but even simple answers are difficult. See above.

And the fact that all nodes chain to a trust anchor is not sufficient to say that there is an unbroken chain of trust from the first trust anchor to the last answer.


>        This is not something we need to "fix" using technology.
>        What we have today is complicated enough to manage without
>        having to track cross zone pseudo delegations

*sigh*  There's complicated and there's correct.  If its complicated and wrong, its still wrong.


>        Mark
>-- 
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
>
>--
>to unsubscribe send a message to namedroppers-request@ops.ietf.org with
>the word 'unsubscribe' in a single line as the message text body.
>archive: <http://ops.ietf.org/lists/namedroppers/>



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>