Re: [dnsext] does making names the same NEED protocol changes at all?
Phillip Hallam-Baker <hallam@gmail.com> Fri, 25 February 2011 17:42 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 20C953A6814 for <dnsext@core3.amsl.com>; Fri, 25 Feb 2011 09:42:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.568
X-Spam-Level:
X-Spam-Status: No, score=-3.568 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-rEAZjPIOpY for <dnsext@core3.amsl.com>; Fri, 25 Feb 2011 09:42:37 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by core3.amsl.com (Postfix) with ESMTP id 5CDD93A679F for <dnsext@ietf.org>; Fri, 25 Feb 2011 09:42:37 -0800 (PST)
Received: by bwz13 with SMTP id 13so2523653bwz.31 for <dnsext@ietf.org>; Fri, 25 Feb 2011 09:43:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=D31qS9Lawr0MmxD8bMG6HkhrtaJUqt+xZRx8vPMW9Os=; b=Z3NeEFn9kqe/qpPFzKyqZbd3HDJdwGKB/lD3xFhJ9tX5yzhdJA51TZeLT6FHFHZ40/ Xq8ezHWWjCPTu8o8lOPZvYevLrKT9eee5t2YY7d9Hx4024mUdUMJK5j59kbkgP+vXlAx rhIFr2ykjP749P38mSmYvVR/szvV4nbxoZ/MQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=PBdnuWkzTo2MnUzish+qOH9U38dboA9l7b97823zprBvXisVmA0M9Zw82vs8pvyr+G l70NGfT0GfNOkkVGZqJy9yiHle6Z+o2mMH8hv4UYJOWY0A7yijsZsagzfgLYxHyyDY+v hgMj7xCEBQO7j6db/zS30zThsRB82waqTv4/o=
MIME-Version: 1.0
Received: by 10.204.73.160 with SMTP id q32mr2274792bkj.155.1298655809379; Fri, 25 Feb 2011 09:43:29 -0800 (PST)
Received: by 10.204.14.139 with HTTP; Fri, 25 Feb 2011 09:43:29 -0800 (PST)
In-Reply-To: <alpine.LSU.2.00.1102251653290.5244@hermes-1.csi.cam.ac.uk>
References: <AANLkTin6-mXBeKC_TzgvWUaCyxKfeZxTK1BQvXtpwuCN@mail.gmail.com> <4CC95816-8225-4CAE-897F-3F13F965BCEE@ICSI.Berkeley.EDU> <alpine.LSU.2.00.1102240953550.5244@hermes-1.csi.cam.ac.uk> <AANLkTiniVDDZXFOV4WryNN=+hK29rBO8_HTAqw7bK=Nf@mail.gmail.com> <8657EF4A-A08D-46E5-8917-553AE377CAD8@ICSI.Berkeley.EDU> <AANLkTikHm62x=+xWpSRyERw2cB31yZZhVkTT-90dgFjk@mail.gmail.com> <39EBBA76-22F1-4935-9300-B0078B229793@ICSI.Berkeley.EDU> <5A100E65-FB09-4556-AA5A-BF9FE0468DDA@ICSI.Berkeley.EDU> <AANLkTikECGtJm5WyDnX=s8zTERu89qLbFDebf8R1y4Pa@mail.gmail.com> <6AD400292B2C771C7FE70E8F@Ximines.local> <20110225143043.GB74938@shinkuro.com> <AANLkTimfhfsj65Vec61-_Q18+RoC1144Zf1E2bQhvt18@mail.gmail.com> <alpine.LSU.2.00.1102251653290.5244@hermes-1.csi.cam.ac.uk>
Date: Fri, 25 Feb 2011 12:43:29 -0500
Message-ID: <AANLkTinvqqGTGPeMXUcAv5iY1KGn_=LwfGr3debWo_GE@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tony Finch <dot@dotat.at>
Content-Type: multipart/alternative; boundary="0016e6d96d0a341da5049d1ede21"
Cc: dnsext@ietf.org
Subject: Re: [dnsext] does making names the same NEED protocol changes at all?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2011 17:42:39 -0000
Requiring slaves to be signers is a major change to the security model. In the current architecture it is sufficient to have online keys at a hidden master. The hidden master can be placed behind a firewall that rejects inbound requests. In the proposed architecture every DNS server has to have signing capability. It is not possible to prep the zone at the hidden master and then push the data out. The keys are not only online, they are reacting to queries prepared by potential attackers. >From a risk analysis point of view these changes are very significant indeed. On Fri, Feb 25, 2011 at 12:09 PM, Tony Finch <dot@dotat.at> wrote: > On Fri, 25 Feb 2011, Phillip Hallam-Baker wrote: > > > I suspect that the point of these requirements is precisely the fact that > > they cannot be met within the current architecture. > > A lot of the argument is because we aren't sure that that is true. Can the > requirements be met with improved provisioning technology and no protocol > changes? > > > I am seeing people rushing to change the security model of DNSSEC to > support > > this requirement, but I doubt that is going to be sufficient. > > Online signing is not a change to the DNSSEC security model. > > Tony. > -- > f.anthony.n.finch <dot@dotat.at> http://dotat.at/ > Forties, Cromarty, Forth: Southwest 5 to 7 veering northwest 4 or 5. > Moderate > or rough. Occasional rain. Moderate or good, occasionally poor. > -- Website: http://hallambaker.com/
- Re: [dnsext] DNSEXT progress and possible meeting… Vaggelis Segredakis
- [dnsext] DNSEXT progress and possible meeting at … Olafur Gudmundsson
- Re: [dnsext] DNSEXT progress and possible meeting… Suzanne Woolf
- [dnsext] draft-yao-dnsext-identical-resolution-02… Vaggelis Segredakis
- Re: [dnsext] draft-yao-dnsext-identical-resolutio… Suzanne Woolf
- Re: [dnsext] draft-yao-dnsext-identical-resolutio… Vaggelis Segredakis
- Re: [dnsext] draft-yao-dnsext-identical-resolutio… Andrew Sullivan
- Re: [dnsext] draft-yao-dnsext-identical-resolutio… Suzanne Woolf
- Re: [dnsext] draft-yao-dnsext-identical-resolutio… Andrew Sullivan
- Re: [dnsext] draft-yao-dnsext-identical-resolutio… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… John Levine
- Re: [dnsext] we need help to make names the same,… Jay Ashworth
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… John Levine
- Re: [dnsext] we need help to make names the same,… Alex Bligh
- Re: [dnsext] we need help to make names the same,… John R. Levine
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Alex Bligh
- Re: [dnsext] we need help to make names the same,… Tony Finch
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Vaggelis Segredakis
- Re: [dnsext] we need help to make names the same,… Andrew Sullivan
- Re: [dnsext] we need help to make names the same,… Andrew Sullivan
- Re: [dnsext] we need help to make names the same,… Lawrence Conroy
- Re: [dnsext] we need help to make names the same,… Alex Bligh
- Re: [dnsext] we need help to make names the same,… Nicholas Weaver
- Re: [dnsext] we need help to make names the same,… Andrew Sullivan
- Re: [dnsext] we need help to make names the same,… John R. Levine
- Re: [dnsext] we need help to make names the same,… John R. Levine
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Mark Andrews
- Re: [dnsext] we need help to make names the same,… Mark Andrews
- Re: [dnsext] we need help to make names the same,… Mark Andrews
- Re: [dnsext] we need help to make names the same,… Doug Barton
- Re: [dnsext] we need help to make names the same,… John Levine
- Re: [dnsext] we need help to make names the same,… Mark Andrews
- Re: [dnsext] we need help to make names the same,… Vaggelis Segredakis
- Re: [dnsext] we need help to make names the same,… Vaggelis Segredakis
- Re: [dnsext] we need help to make names the same,… Vaggelis Segredakis
- Re: [dnsext] we need help to make names the same,… Vaggelis Segredakis
- Re: [dnsext] we need help to make names the same,… Tony Finch
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Niall O'Reilly
- Re: [dnsext] we need help to make names the same,… Danny Mayer
- Re: [dnsext] we need help to make names the same,… Vaggelis Segredakis
- Re: [dnsext] we need help to make names the same,… Vaggelis Segredakis
- Re: [dnsext] we need help to make names the same,… Jay Ashworth
- Re: [dnsext] we need help to make names the same,… Jay Ashworth
- Re: [dnsext] we need help to make names the same,… Andrew Sullivan
- Re: [dnsext] we need help to make names the same,… Mark Andrews
- Re: [dnsext] we need help to make names the same,… Danny Mayer
- Re: [dnsext] we need help to make names the same,… Mark Andrews
- Re: [dnsext] we need help to make names the same,… Danny Mayer
- Re: [dnsext] we need help to make names the same,… Mark Andrews
- Re: [dnsext] we need help to make names the same,… Brian Dickson
- [dnsext] SRV and wildcard CNAME Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Patrik Fältström
- Re: [dnsext] we need help to make names the same,… John R. Levine
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Patrik Fältström
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Danny Mayer
- Re: [dnsext] we need help to make names the same,… Suzanne Woolf
- Re: [dnsext] we need help to make names the same,… Andrew Sullivan
- Re: [dnsext] we need help to make names the same,… Paul Vixie
- Re: [dnsext] we need help to make names the same,… Doug Barton
- Re: [dnsext] we need help to make names the same,… Andrew Sullivan
- Re: [dnsext] we need help to make names the same,… Doug Barton
- Re: [dnsext] we need help to make names the same,… Mark Andrews
- Re: [dnsext] we need help to make names the same,… Andrew Sullivan
- Re: [dnsext] we need help to make names the same,… Doug Barton
- Re: [dnsext] we need help to make names the same,… Eric Brunner-Williams
- Re: [dnsext] SRV and wildcard CNAME Phillip Hallam-Baker
- Re: [dnsext] we need help to make names the same,… Jay Ashworth
- Re: [dnsext] we need help to make names the same,… Phillip Hallam-Baker
- Re: [dnsext] we need help to make names the same,… Tony Finch
- Re: [dnsext] SRV and wildcard CNAME Masataka Ohta
- Re: [dnsext] SRV and wildcard CNAME Mark Andrews
- Re: [dnsext] SRV and wildcard CNAME Masataka Ohta
- Re: [dnsext] SRV and wildcard CNAME Mark Andrews
- Re: [dnsext] SRV and wildcard CNAME Masataka Ohta
- Re: [dnsext] SRV and wildcard CNAME Larry Brower
- Re: [dnsext] SRV and wildcard CNAME Masataka Ohta
- Re: [dnsext] SRV and wildcard CNAME Phillip Hallam-Baker
- Re: [dnsext] SRV and wildcard CNAME Mark Andrews
- Re: [dnsext] SRV and wildcard CNAME Masataka Ohta
- Re: [dnsext] SRV and wildcard CNAME Masataka Ohta
- Re: [dnsext] SRV and wildcard CNAME Phillip Hallam-Baker
- Re: [dnsext] we need help to make names the same,… Vaggelis Segredakis
- Re: [dnsext] we need help to make names the same,… Phillip Hallam-Baker
- Re: [dnsext] we need help to make names the same,… Eric Brunner-Williams
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Andrew Sullivan
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- [dnsext] bi-directionality Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Nicholas Weaver
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Nicholas Weaver
- Re: [dnsext] we need help to make names the same,… Phillip Hallam-Baker
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Tony Finch
- Re: [dnsext] we need help to make names the same,… Tony Finch
- Re: [dnsext] we need help to make names the same,… Tony Finch
- Re: [dnsext] we need help to make names the same,… Nicholas Weaver
- Re: [dnsext] we need help to make names the same,… Eric Brunner-Williams
- Re: [dnsext] we need help to make names the same,… Phillip Hallam-Baker
- Re: [dnsext] we need help to make names the same,… Nicholas Weaver
- Re: [dnsext] we need help to make names the same,… Donald Eastlake
- Re: [dnsext] we need help to make names the same,… Masataka Ohta
- Re: [dnsext] we need help to make names the same,… Tony Finch
- Re: [dnsext] we need help to make names the same,… Phillip Hallam-Baker
- Re: [dnsext] we need help to make names the same,… Tony Finch
- Re: [dnsext] we need help to make names the same,… Phillip Hallam-Baker
- Re: [dnsext] we need help to make names the same,… Phillip Hallam-Baker
- Re: [dnsext] we need help to make names the same,… Tony Finch
- Re: [dnsext] we need help to make names the same,… Nicholas Weaver
- Re: [dnsext] we need help to make names the same,… Phillip Hallam-Baker
- Re: [dnsext] we need help to make names the same,… Nicholas Weaver
- Re: [dnsext] we need help to make names the same,… Eric Brunner-Williams
- Re: [dnsext] we need help to make names the same,… Alex Nicoll
- Re: [dnsext] we need help to make names the same,… Tony Finch
- [dnsext] does making names the same NEED protocol… Nicholas Weaver
- Re: [dnsext] does making names the same NEED prot… Phillip Hallam-Baker
- Re: [dnsext] does making names the same NEED prot… Nicholas Weaver
- Re: [dnsext] does making names the same NEED prot… Alex Bligh
- Re: [dnsext] does making names the same NEED prot… Suzanne Woolf
- Re: [dnsext] does making names the same NEED prot… Andrew Sullivan
- Re: [dnsext] does making names the same NEED prot… Phillip Hallam-Baker
- Re: [dnsext] does making names the same NEED prot… Tony Finch
- Re: [dnsext] does making names the same NEED prot… Alex Bligh
- Re: [dnsext] does making names the same NEED prot… Phillip Hallam-Baker
- Re: [dnsext] does making names the same NEED prot… Andrew Sullivan
- Re: [dnsext] does making names the same NEED prot… Phillip Hallam-Baker
- Re: [dnsext] does making names the same NEED prot… Tony Finch
- Re: [dnsext] does making names the same NEED prot… Michael Graff
- Re: [dnsext] does making names the same NEED prot… Nicholas Weaver
- Re: [dnsext] does making names the same NEED prot… Andrew Sullivan
- Re: [dnsext] does making names the same NEED prot… Nicholas Weaver
- Re: [dnsext] does making names the same NEED prot… Brian Dickson
- Re: [dnsext] does making names the same NEED prot… Andrew Sullivan
- Re: [dnsext] does making names the same NEED prot… Ted Hardie
- Re: [dnsext] slave signing, was does making names… John Levine
- Re: [dnsext] slave signing, was does making names… Phillip Hallam-Baker
- Re: [dnsext] slave signing, was does making names… John Levine
- Re: [dnsext] slave signing, was does making names… Phillip Hallam-Baker
- Re: [dnsext] the same in old days, was making nam… John Levine
- Re: [dnsext] slave signing, was does making names… John Levine
- Re: [dnsext] the same in old days, was making nam… Alex Bligh
- Re: [dnsext] the same in old days, was making nam… John R. Levine
- Re: [dnsext] the same in old days, was making nam… Alex Bligh
- Re: [dnsext] the same in old days, was making nam… John R. Levine
- Re: [dnsext] the same in old days, was making nam… Phillip Hallam-Baker
- Re: [dnsext] the same in old days, was making nam… Ted Hardie
- Re: [dnsext] the same in old days, was making nam… Eric Brunner-Williams
- Re: [dnsext] the same in old days, was making nam… Ted Hardie
- Re: [dnsext] the same in old days, was making nam… Eric Brunner-Williams
- [dnsext] Terminological precision (was: the same … Andrew Sullivan
- Re: [dnsext] the same in old days, was making nam… Ted Hardie
- Re: [dnsext] does making names the same NEED prot… Olafur Gudmundsson
- Re: [dnsext] the same in old days, was making nam… Doug Barton