Re: [dnsext] we need help to make names the same, was draft-yao-dnsext-identical-resolution-02 comment

Donald Eastlake <d3e3e3@gmail.com> Wed, 23 February 2011 22:25 UTC

In-Reply-To: <AANLkTin6-mXBeKC_TzgvWUaCyxKfeZxTK1BQvXtpwuCN@mail.gmail.com>
References: <20110216165921.GW96213@shinkuro.com> <3B90ED2E-980D-4B01-889F-447D66D0B58D@insensate.co.uk> <20110216174011.GZ96213@shinkuro.com> <20110218143653.GC84482@bikeshed.isc.org> <20110218151209.GF66684@shinkuro.com> <4D5EEE09.4080405@dougbarton.us> <20110218222950.GL74065@shinkuro.com> <4D5F270F.20401@abenaki.wabanaki.net> <199C7B2B4228461FB024E59A990DB46D@ics.forth.gr> <4D641DB6.4090705@necom830.hpcl.titech.ac.jp> <20110222205617.GS53815@shinkuro.com> <4D64489B.7020901@necom830.hpcl.titech.ac.jp> <713D992A-1DB9-4F72-9D18-8E923AD51D8D@icsi.berkeley.edu> <AANLkTikf2ixw7JkxQiRBobv-seYnaYS0E3G8TboosnA=@mail.gmail.com> <alpine.LSU.2.00.1102231029260.27602@hermes-1.csi.cam.ac.uk> <AANLkTin6-mXBeKC_TzgvWUaCyxKfeZxTK1BQvXtpwuCN@mail.gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 23 Feb 2011 14:25:41 -0800
Message-ID: <AANLkTin_so10158NidsaBKb0Vi644N4ACQJ6t2Z23Y75@mail.gmail.com>
To: dnsext@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [dnsext] we need help to make names the same, was draft-yao-dnsext-identical-resolution-02 comment

Hi,

On Wed, Feb 23, 2011 at 12:00 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
>
> On Wed, Feb 23, 2011 at 5:30 AM, Tony Finch <dot@dotat.at> wrote:
>>
>> On Tue, 22 Feb 2011, Phillip Hallam-Baker wrote:
>>
>> > If you are going to do [online signing], you might as well do a key
>> > exchange inline as well as we do in TLS. One key exchange can then be
>> > leveraged across multiple connections using kerberos style tickets (see
>> > DPLS for an example).
>>
>> That gives you channel security whereas DNSSEC gives you data origin
>> authentication. They are not the same things.
>
> True, but data origin authentication is probably the wrong model for a DNS
> security scheme.

Why? Is your goal to make it easy for some entity not the authority
for a zone to forge data in that zone?

> If we are going to consider changing the model of DNSSEC, which is what
> moving to online signatures would entail, then the whole architecture is
> back on the table.

Total nonsense. The on- or off-line signing question is pretty minor
and completely orthogonal to the channel versus origin authentication
question. As soon as you have a zone with dynamic update, you are
shoved in the direction of on-line signing; it doesn't take mixed case
non-ASCII.

Donald
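To make the two points in this exchange concrete (data origin authentication versus channel security, and why dynamic update pulls a zone toward on-line signing), here is an added toy model written for this archive page; it is not code from the thread or from any DNS implementation. It assumes a simplified text serialization in place of the RFC 4034 canonical wire form, Ed25519 standing in for a DNSKEY/RRSIG algorithm, and an HMAC session key standing in for a secured channel between a client and its resolver; all names, addresses and the `Forge` step are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// RRset is a constructed, toy model of a DNS RRset: owner name, type and rdata.
type RRset struct {
	Name  string
	Type  string
	Rdata []string
}

// canonical is a deterministic serialization standing in for the canonical
// wire form an RRSIG covers (toy text format, not the RFC 4034 wire form).
func (r RRset) canonical() []byte {
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(r.Rdata, ","))
}

// Authority is the zone operator; only it ever holds the zone's private key.
type Authority struct {
	Pub  ed25519.PublicKey // published as the zone's DNSKEY / trust anchor
	priv ed25519.PrivateKey
}

func NewAuthority() (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authority{Pub: pub, priv: priv}, nil
}

// Sign stands in for producing an RRSIG over the RRset with the zone key.
func (a *Authority) Sign(rr RRset) []byte { return ed25519.Sign(a.priv, rr.canonical()) }

// ValidateOrigin is data origin authentication: the validator checks the
// signature against the zone's public key, whatever resolver relayed the answer.
func ValidateOrigin(zoneKey ed25519.PublicKey, rr RRset, sig []byte) bool {
	return ed25519.Verify(zoneKey, rr.canonical(), sig)
}

// ChannelTag models channel security: a session key shared between the client
// and its resolver authenticates the hop, not the origin of the data.
func ChannelTag(sessionKey []byte, rr RRset) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(rr.canonical())
	return m.Sum(nil)
}

func ValidateChannel(sessionKey []byte, rr RRset, tag []byte) bool {
	return hmac.Equal(tag, ChannelTag(sessionKey, rr))
}

// Forge is a resolver on the path substituting rdata of its own (constructed step).
func Forge(rr RRset, rdata []string) RRset {
	return RRset{Name: rr.Name, Type: rr.Type, Rdata: rdata}
}

// CompareModels relays one signed answer through a resolver that rewrites it and
// reports whether each model lets the client notice. Returns (originDetected, channelDetected).
func CompareModels() (bool, bool, error) {
	auth, err := NewAuthority()
	if err != nil {
		return false, false, err
	}
	answer := RRset{Name: "www.example.", Type: "A", Rdata: []string{"192.0.2.10"}} // constructed
	sig := auth.Sign(answer)
	forged := Forge(answer, []string{"198.51.100.66"}) // the resolver, not the authority, rewrites it

	// Origin model: the resolver never had the zone key, so the RRSIG no longer matches.
	originDetected := !ValidateOrigin(auth.Pub, forged, sig)

	// Channel model: the resolver holds the session key and simply MACs whatever it sends.
	session := make([]byte, 32)
	if _, err := rand.Read(session); err != nil {
		return false, false, err
	}
	channelDetected := !ValidateChannel(session, forged, ChannelTag(session, forged))
	return originDetected, channelDetected, nil
}

// DynamicUpdate shows why dynamic update pushes toward on-line signing: once the
// rdata changes the old RRSIG is dead, and only the key holder can issue a new one.
// Returns (oldSigStillValid, freshSigValid).
func DynamicUpdate() (bool, bool, error) {
	auth, err := NewAuthority()
	if err != nil {
		return false, false, err
	}
	rr := RRset{Name: "host.example.", Type: "A", Rdata: []string{"192.0.2.20"}} // constructed
	oldSig := auth.Sign(rr)
	updated := RRset{Name: rr.Name, Type: rr.Type, Rdata: []string{"192.0.2.21"}}
	freshSig := auth.Sign(updated) // the private key must be reachable at update time
	return ValidateOrigin(auth.Pub, updated, oldSig), ValidateOrigin(auth.Pub, updated, freshSig), nil
}

func main() {
	o, c, err := CompareModels()
	if err != nil {
		panic(err)
	}
	fmt.Printf("substitution detected: origin auth=%v, channel auth=%v\n", o, c)
	s, f, err := DynamicUpdate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("after dynamic update: old RRSIG valid=%v, fresh RRSIG valid=%v\n", s, f)
}
```

Running it prints `origin auth=true, channel auth=false` for the substitution case, which is Tony Finch's distinction in one line: the channel tag only proves which resolver spoke, while the RRSIG proves the zone authority produced the data. The second line, `old RRSIG valid=false, fresh RRSIG valid=true`, is Donald's point that a dynamically updated RRset needs a fresh signature from the zone key at update time, independent of whether the channel to the resolver is secured.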