IETF Logo Mail Archive

Re: [dnsext] does making names the same NEED protocol changes at all?

Phillip Hallam-Baker <hallam@gmail.com> Fri, 25 February 2011 17:57 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7567A3A67F2 for <dnsext@core3.amsl.com>; Fri, 25 Feb 2011 09:57:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.568
X-Spam-Level:
X-Spam-Status: No, score=-3.568 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3MMOUr2VA9ek for <dnsext@core3.amsl.com>; Fri, 25 Feb 2011 09:57:13 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by core3.amsl.com (Postfix) with ESMTP id 0F4A33A67ED for <dnsext@ietf.org>; Fri, 25 Feb 2011 09:57:12 -0800 (PST)
Received: by bwz13 with SMTP id 13so2536974bwz.31 for <dnsext@ietf.org>; Fri, 25 Feb 2011 09:58:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=NUaq4hzCHTIyJTtvfL/HOXp3/e+0KJzWdkO9NyEIYig=; b=PNV8ZjuU50Sh/EnoShBGswvMB+9MtHdZZNpMABv1azkz8dhpwtuyn6P2pesXgig742 G17UoRHt91PlRtNj90INMSSEMzmudiO2Tg7ElYPjtFeaf/YzOGUCmanuLwKSjqS/6zBc n0Kg5qPQB5dv8Om6N199znlEKI0Zz9kMW6lU4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=QncwnOUJGFXoPqMXHM07I5IcPyx3B71ViWcw+gPSAFVjsJ2SSFOvrUMz2BUYO56LMO 9dq0q9Cj3Z6IO5ojWHyM2QSAvT2F7lHvZj4a37ju/Jy0ZSMu/1fznLeZE57yISbPHisU UPPE1VgrPHcurO+UjBSe9YuN3OHQmk2VKTrf0=
MIME-Version: 1.0
Received: by 10.204.100.82 with SMTP id x18mr2308108bkn.20.1298656684635; Fri, 25 Feb 2011 09:58:04 -0800 (PST)
Received: by 10.204.14.139 with HTTP; Fri, 25 Feb 2011 09:58:04 -0800 (PST)
In-Reply-To: <20110225174623.GP74938@shinkuro.com>
References: <8657EF4A-A08D-46E5-8917-553AE377CAD8@ICSI.Berkeley.EDU> <AANLkTikHm62x=+xWpSRyERw2cB31yZZhVkTT-90dgFjk@mail.gmail.com> <39EBBA76-22F1-4935-9300-B0078B229793@ICSI.Berkeley.EDU> <5A100E65-FB09-4556-AA5A-BF9FE0468DDA@ICSI.Berkeley.EDU> <AANLkTikECGtJm5WyDnX=s8zTERu89qLbFDebf8R1y4Pa@mail.gmail.com> <6AD400292B2C771C7FE70E8F@Ximines.local> <20110225143043.GB74938@shinkuro.com> <AANLkTimfhfsj65Vec61-_Q18+RoC1144Zf1E2bQhvt18@mail.gmail.com> <alpine.LSU.2.00.1102251653290.5244@hermes-1.csi.cam.ac.uk> <AANLkTinvqqGTGPeMXUcAv5iY1KGn_=LwfGr3debWo_GE@mail.gmail.com> <20110225174623.GP74938@shinkuro.com>
Date: Fri, 25 Feb 2011 12:58:04 -0500
Message-ID: <AANLkTikMq6q66895KrckbzB4HHC7snR9vH11OxScb39q@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Andrew Sullivan <ajs@shinkuro.com>
Content-Type: multipart/alternative; boundary="001485f773785f74d8049d1f1281"
Cc: dnsext@ietf.org
Subject: Re: [dnsext] does making names the same NEED protocol changes at all?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2011 17:57:14 -0000

On Fri, Feb 25, 2011 at 12:46 PM, Andrew Sullivan <ajs@shinkuro.com> wrote:

> On Fri, Feb 25, 2011 at 12:43:29PM -0500, Phillip Hallam-Baker wrote:
> > Requiring slaves to be signers is a major change to the security model.
>
> Depending on how you implement this, it might be.  But anyway, this is
> why we are doing a requirements analysis _before_ we start planning
> how to solve these problems, since it isn't obvious at least to me
> that what you describe above is a requirement in any case.


True, but what I was originally complaining about was the rush to put this
on the table in the first place and then I was reacting to the statements to
the effect that this is no big deal.

As a provider of DNS services I think that we have to have a very clear
requirement that any proposed solution not impact the deployments of DNSSEC
currently taking place. Requiring servers be capable of signing inline would
represent a major architectural change. It would have a major impact on the
cost of deployment.


At the moment I can put a DNS slave pretty much anywhere. If I need more
capacity I can simply rent it as required at commodity rates.

If every slave has to be a signer then I either have to engage in some very
expensive engineering effort or I have to locate every slave in a Tier 6
secure facility.

-- 
Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email