IETF Logo Mail Archive

Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)

Peter Koch <pk@TechFak.Uni-Bielefeld.DE> Fri, 06 April 2001 18:07 UTC

Received: from psg.com (exim@[147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA15951 for <dnsext-archive@lists.ietf.org>; Fri, 6 Apr 2001 14:07:12 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14la50-0008kU-00 for namedroppers-data@psg.com; Fri, 06 Apr 2001 10:31:26 -0700
Received: from [63.218.17.194] (helo=h236.s254.netsol.com) by psg.com with esmtp (Exim 3.16 #1) id 14la4z-0008kO-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 10:31:25 -0700
Received: (from markk@localhost) by h236.s254.netsol.com (8.11.0/8.11.0) id f36GZPd01114 for namedroppers@ops.ietf.org; Fri, 6 Apr 2001 12:35:25 -0400
Received: from gemma.techfak.uni-bielefeld.de ([129.70.136.103]) by psg.com with esmtp (Exim 3.16 #1) id 14lZ9Z-0006Cx-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 09:32:05 -0700
Received: from grimsvotn.TechFak.Uni-Bielefeld.DE (grimsvotn.TechFak.Uni-Bielefeld.DE [129.70.137.40]) by gemma.TechFak.Uni-Bielefeld.DE (8.9.1/8.9.1/TechFak/pk+ro20000427) with SMTP id SAA15605; Fri, 6 Apr 2001 18:32:03 +0200 (MET DST)
Received: from localhost by grimsvotn.TechFak.Uni-Bielefeld.DE (SMI-8.6/pk19971205) id SAA23547; Fri, 6 Apr 2001 18:32:03 +0200
Message-Id: <200104061632.SAA23547@grimsvotn.TechFak.Uni-Bielefeld.DE>
To: Ted.Lindgreen@tednet.nl
Cc: namedroppers@ops.ietf.org
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
In-reply-to: Your message of "Fri, 06 Apr 2001 15:01:04 +0200." <200104061301.f36D14s95349@open.nlnetlabs.nl>
X-Organization: Uni Bielefeld, Technische Fakultaet
X-Phone: +49 521 106 2902
Date: Fri, 06 Apr 2001 18:32:03 +0200
From: Peter Koch <pk@TechFak.Uni-Bielefeld.DE>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk

> The problems with it are:
> 
> 1. Inflexibility: [...]
> 2. Cost: [...]
> 3. Liability:
>     He, who signs, must make sure that he knows he is signing, and
>     must accept some responsibility for it (otherwise the signature
>     is worthless). I think a TLD should accept the responsibility for
>     a proper delegation of a domain, but I don't think the TLD will
>     accept the responsibility for local stuff like IPSEC-KEYS under
>     those already delegated domains.

While I agree with (1) and (2), this statement sounds dangerous. SIG RRs
have a purpose defined and restricted by the "protocol" octet in the
corresponding KEY RR. SIGnatures for DNSSEC purposes provide for data
origin authentication. They do not say anything about applicability or
correctness of the signed data. So, a child's non-zone KEY RR SIGned by
the DNSSEC key of the parent zone is not 'certified' w.r.t. the protocol
it is made for. The normal resolution/verification process would only
accept the child's SIG for the KEY RR, wouldn't it?

-Peter



to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.

v2.23.0 | Report a Bug | By Email