Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Mark Andrews <Mark_Andrews@isc.org> Thu, 14 August 2008 04:38 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8D5EE3A6834; Wed, 13 Aug 2008 21:38:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.476
X-Spam-Level:
X-Spam-Status: No, score=-2.476 tagged_above=-999 required=5 tests=[AWL=0.123, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bjpZZfw0++-o; Wed, 13 Aug 2008 21:38:02 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 8026F3A682A; Wed, 13 Aug 2008 21:38:01 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KTUT9-00020d-P1 for namedroppers-data@psg.com; Thu, 14 Aug 2008 04:29:51 +0000
Received: from [2001:470:1f00:820:214:22ff:fed9:fbdc] (helo=drugs.dv.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <marka@isc.org>) id 1KTUT5-000204-7B for namedroppers@ops.ietf.org; Thu, 14 Aug 2008 04:29:49 +0000
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.2/8.14.2) with ESMTP id m7E4TXeB000543; Thu, 14 Aug 2008 14:29:33 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200808140429.m7E4TXeB000543@drugs.dv.isc.org>
To: Eric Rescorla <ekr@networkresonance.com>
Cc: Joe Abley <jabley@ca.afilias.info>, Ray.Bellis@nominet.org.uk, Namedroppers WG <namedroppers@ops.ietf.org>
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
In-reply-to: Your message of "Wed, 13 Aug 2008 18:16:25 MST." <20080814011626.2DAE05369E9@kilo.rtfm.com>
Date: Thu, 14 Aug 2008 14:29:33 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
> At Thu, 14 Aug 2008 10:43:46 +1000, > Mark Andrews wrote: > > > > > > > The problem here is not PKI or DNSSEC but that we have no good > > > mechanisms in the generic case for determining whether a given > > > individual is authorized to control a given domain. This makes any > > > cryptographic authentication of domain name ownership problematic. > > > > Most zones are created when they are bought. The buyer > > specifies the NS, DS and glue records as part of that > > transaction. The credentials for future transactions are > > established as part of that initial transaction. > > > > Now when zones are sold there are issues but those issues > > exist independent of whether DNSSEC is in use or not. > > > > If you are authorised to update the delegation information > > in the parent then you should be authorised to change the > > DS records in the parent as they are just part of the > > delegation. Changes to NS, A, AAAA and DS records as part > > of the delegation are equally dangerous as each other. > > > > There is no need to make the parent / child trust relationship > > more complicated with DNSSEC than it is without DNSSEC. > > Yes, I agree with that. But in many of these cases, the credentials > are "here's the email address to contact the technical contact with". > This is of course just as problematic as e-mail answerback for > certificate authorites. And how does this change with DNSSEC? DNSSEC doesn't magically make this any more or less important / difficult. This is NOT a DNSSEC issue. It is a delegation management issue and DNSSEC does NOT change the level of care required when managing a delegation. All DNSSEC changes is whether a DS record is recorded at the delegation or not. Labeling this a DNSSEC deployment issue is doing DNSSEC a dis-service. What would help would be for ICANN to list which registrars support DS and/or AAAA records as part of normal operations and which ones don't. By normal operations I mean that you don't have to send special email to get the records added. At the moment it's hard to find a registrar which supports AAAA and/or DS records. > And to the extent to which the registrars/registries have a > DNS-independent way of validating the domain owners, the CAs > (who in at least some cases are the same people!) could > presumably leverage that to determine whether to issue > the certs. > > -Ekr -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- How do we get the whole world to upgrade to DNSSE… Ben Laurie
- Re: How do we get the whole world to upgrade to D… Alex Bligh
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… Ted Lemon
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… Brian Dickson
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Jelte Jansen
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Brian Dickson
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Andrew Sullivan
- Re: How do we get the whole world to upgrade to D… Jelte Jansen
- Re: How do we get the whole world to upgrade to D… Roy Arends
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… Stephane Bortzmeyer
- Re: How do we get the whole world to upgrade to D… Brian Dickson
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… Matthijs Mekking
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… bmanning
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- RE: How do we get the whole world to upgrade to D… Alex Bligh
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- RE: How do we get the whole world to upgrade to D… Alex Bligh
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- Re: How do we get the whole world to upgrade to D… Jelte Jansen
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… Michael StJohns
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Tony Finch
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Edward Lewis
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Dean Anderson
- Re: How do we get the whole world to upgrade to D… Ray.Bellis
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… David W. Hankins
- Re: How do we get the whole world to upgrade to D… Jim Fenton
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Ted Lemon
- Re: How do we get the whole world to upgrade to D… Ted Lemon
- Re: How do we get the whole world to upgrade to D… Duane at e164 dot org
- Re: How do we get the whole world to upgrade to D… Paul Vixie
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… Alex Bligh
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Duane at e164 dot org
- Re: Kaminsky, Cache Poisoning, and Censorship Brian Dickson
- A note of apology (Was: Kaminsky, Cache Poisoning… Andrew Sullivan
- Re: Kaminsky, Cache Poisoning, and Censorship Dean Anderson
- Kaminsky, Cache Poisoning, and Censorship Dean Anderson
- Re: A note of apology (Was: Kaminsky, Cache Poiso… Dean Anderson