Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Mark Andrews <Mark_Andrews@isc.org> Thu, 14 August 2008 00:51 UTC

Message-Id: <200808140043.m7E0hkbK096439@drugs.dv.isc.org>
To: Eric Rescorla <ekr@networkresonance.com>
Cc: Joe Abley <jabley@ca.afilias.info>, Ray.Bellis@nominet.org.uk, Namedroppers WG <namedroppers@ops.ietf.org>
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
In-reply-to: Your message of "Wed, 13 Aug 2008 10:18:16 MST." <20080813171816.D7B3C50846@romeo.rtfm.com>
Date: Thu, 14 Aug 2008 10:43:46 +1000

> The problem here is not PKI or DNSSEC but that we have no good
> mechanisms in the generic case for determining whether a given
> individual is authorized to control a given domain. This makes any
> cryptographic authentication of domain name ownership problematic.

	Most zones are created when they are bought.  The buyer
	specifies the NS, DS and glue records as part of that
	transaction.  The credentials for future transactions are
	established as part of that initial transaction.

	Now when zones are sold there are issues but those issues
	exist independent of whether DNSSEC is in use or not.

	If you are authorised to update the delegation information
	in the parent then you should be authorised to change the
	DS records in the parent, as they are just part of the
	delegation.  Changes to NS, A, AAAA and DS records as part
	of the delegation are equally dangerous.

	There is no need to make the parent / child trust relationship
	more complicated with DNSSEC than it is without DNSSEC.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

archive: <http://ops.ietf.org/lists/namedroppers/>