Re: [dnsext] does making names the same NEED protocol changes at all?

Phillip Hallam-Baker <hallam@gmail.com> Fri, 25 February 2011 17:42 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 20C953A6814 for <dnsext@core3.amsl.com>; Fri, 25 Feb 2011 09:42:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.568
X-Spam-Level:
X-Spam-Status: No, score=-3.568 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-rEAZjPIOpY for <dnsext@core3.amsl.com>; Fri, 25 Feb 2011 09:42:37 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by core3.amsl.com (Postfix) with ESMTP id 5CDD93A679F for <dnsext@ietf.org>; Fri, 25 Feb 2011 09:42:37 -0800 (PST)
Received: by bwz13 with SMTP id 13so2523653bwz.31 for <dnsext@ietf.org>; Fri, 25 Feb 2011 09:43:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=D31qS9Lawr0MmxD8bMG6HkhrtaJUqt+xZRx8vPMW9Os=; b=Z3NeEFn9kqe/qpPFzKyqZbd3HDJdwGKB/lD3xFhJ9tX5yzhdJA51TZeLT6FHFHZ40/ Xq8ezHWWjCPTu8o8lOPZvYevLrKT9eee5t2YY7d9Hx4024mUdUMJK5j59kbkgP+vXlAx rhIFr2ykjP749P38mSmYvVR/szvV4nbxoZ/MQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=PBdnuWkzTo2MnUzish+qOH9U38dboA9l7b97823zprBvXisVmA0M9Zw82vs8pvyr+G l70NGfT0GfNOkkVGZqJy9yiHle6Z+o2mMH8hv4UYJOWY0A7yijsZsagzfgLYxHyyDY+v hgMj7xCEBQO7j6db/zS30zThsRB82waqTv4/o=
MIME-Version: 1.0
Received: by 10.204.73.160 with SMTP id q32mr2274792bkj.155.1298655809379; Fri, 25 Feb 2011 09:43:29 -0800 (PST)
Received: by 10.204.14.139 with HTTP; Fri, 25 Feb 2011 09:43:29 -0800 (PST)
In-Reply-To: <alpine.LSU.2.00.1102251653290.5244@hermes-1.csi.cam.ac.uk>
References: <AANLkTin6-mXBeKC_TzgvWUaCyxKfeZxTK1BQvXtpwuCN@mail.gmail.com> <4CC95816-8225-4CAE-897F-3F13F965BCEE@ICSI.Berkeley.EDU> <alpine.LSU.2.00.1102240953550.5244@hermes-1.csi.cam.ac.uk> <AANLkTiniVDDZXFOV4WryNN=+hK29rBO8_HTAqw7bK=Nf@mail.gmail.com> <8657EF4A-A08D-46E5-8917-553AE377CAD8@ICSI.Berkeley.EDU> <AANLkTikHm62x=+xWpSRyERw2cB31yZZhVkTT-90dgFjk@mail.gmail.com> <39EBBA76-22F1-4935-9300-B0078B229793@ICSI.Berkeley.EDU> <5A100E65-FB09-4556-AA5A-BF9FE0468DDA@ICSI.Berkeley.EDU> <AANLkTikECGtJm5WyDnX=s8zTERu89qLbFDebf8R1y4Pa@mail.gmail.com> <6AD400292B2C771C7FE70E8F@Ximines.local> <20110225143043.GB74938@shinkuro.com> <AANLkTimfhfsj65Vec61-_Q18+RoC1144Zf1E2bQhvt18@mail.gmail.com> <alpine.LSU.2.00.1102251653290.5244@hermes-1.csi.cam.ac.uk>
Date: Fri, 25 Feb 2011 12:43:29 -0500
Message-ID: <AANLkTinvqqGTGPeMXUcAv5iY1KGn_=LwfGr3debWo_GE@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tony Finch <dot@dotat.at>
Content-Type: multipart/alternative; boundary="0016e6d96d0a341da5049d1ede21"
Cc: dnsext@ietf.org
Subject: Re: [dnsext] does making names the same NEED protocol changes at all?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2011 17:42:39 -0000

Requiring slaves to be signers is a major change to the security model.

In the current architecture it is sufficient to have online keys at a hidden
master. The hidden master can be placed behind a firewall that rejects
inbound requests.

In the proposed architecture every DNS server has to have signing
capability. It is not possible to prep the zone at the hidden master and
then push the data out. The keys are not only online, they are reacting to
queries prepared by potential attackers.


>From a risk analysis point of view these changes are very significant
indeed.


On Fri, Feb 25, 2011 at 12:09 PM, Tony Finch <dot@dotat.at> wrote:

> On Fri, 25 Feb 2011, Phillip Hallam-Baker wrote:
>
> > I suspect that the point of these requirements is precisely the fact that
> > they cannot be met within the current architecture.
>
> A lot of the argument is because we aren't sure that that is true. Can the
> requirements be met with improved provisioning technology and no protocol
> changes?
>
> > I am seeing people rushing to change the security model of DNSSEC to
> support
> > this requirement, but I doubt that is going to be sufficient.
>
> Online signing is not a change to the DNSSEC security model.
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Forties, Cromarty, Forth: Southwest 5 to 7 veering northwest 4 or 5.
> Moderate
> or rough. Occasional rain. Moderate or good, occasionally poor.
>



-- 
Website: http://hallambaker.com/