IETF Logo Mail Archive

Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

Havard Eidnes <he@uninett.no> Tue, 12 August 2008 14:47 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8D4523A6AB9; Tue, 12 Aug 2008 07:47:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.74
X-Spam-Level:
X-Spam-Status: No, score=-100.74 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yIw-ggpLG9-N; Tue, 12 Aug 2008 07:47:58 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 651DA3A68B9; Tue, 12 Aug 2008 07:47:58 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KSv3P-0007Wy-A2 for namedroppers-data@psg.com; Tue, 12 Aug 2008 14:40:55 +0000
Received: from [2001:700:1:0:211:9ff:fe8c:7386] (helo=smistad.uninett.no) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <he@uninett.no>) id 1KSv3H-0007W3-EA for namedroppers@ops.ietf.org; Tue, 12 Aug 2008 14:40:52 +0000
Received: from smistad.uninett.no (smistad.uninett.no [158.38.62.77]) by smistad.uninett.no (Postfix) with ESMTP id DC51721DC44; Tue, 12 Aug 2008 16:40:48 +0200 (CEST)
Date: Tue, 12 Aug 2008 16:40:48 +0200
Message-Id: <20080812.164048.246546894.he@uninett.no>
To: lendl@nic.at
Cc: namedroppers@ops.ietf.org
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
From: Havard Eidnes <he@uninett.no>
In-Reply-To: <489C5202.4080405@nic.at>
References: <489B09FE.8050701@e164.org> <49451.1218124457@nsa.vix.com> <489C5202.4080405@nic.at>
X-Mailer: Mew version 5.2 on Emacs 22.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

>   * Are there any open protocol issues which make such a
>     "single checkbox" deployment of DNSSEC impossible?

The need to communicate off-line or at least out-of-protocol with
the parent zone administrator when you need to change/roll-over your
KSKs -- this is probably what you meant by "automatic DS generation
in the parent" in your next item.  Although this might be seen as
similar to making changes to the NS RRset, the initiative is
triggered by a timer and not by administrator action, which is a
considerable change from previous operational practice.

There's also the issue of trust anchor maintenance, but that's being
worked on, as I understand it.

When reading some of the DNSSEC RFCs, I've sometimes come away with the
understanding that the authors think that "zone administrators needs to
sign the zone on an off-line machine to maintain a sufficiently high
level of security".  If I've understood correctly, that's completely at
odds with the goal of having a fully automated feature with a checkbox
for "maintain (generate and periodically roll) ZSKs and KSKs and sign
and re-sign all my zones automatically".  My guess is that only TLD and
root zone maintainers would care enough about their zones and keys to
bear the level of pain involved in implementing complete off-line
signing ("zone transfer via sneakernet").  For a simple leaf zone master
name server administrator, is there a good reason he needs to care more
about his DNS private keys than about the protection and host security
on the master name server (which might be "hidden", i.e. not in the NS
set)?  (OK, that probably wasn't a protocol issue...)

Then there's the aspect of having the root signed, which is really
needed in order to alleviate the pain of maintaining the trust
anchors, a pain which is to be felt on all the recursive name servers
who want to get the benefits of DNSSEC.  Even if it appears to be a
non-protocol issue does not make it any less important in the view of
deployment.

Best regards,

- Håvard

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email