Re: [dnsext] Authenticated denial of existence...

Jelte Jansen <jelte.jansen@sidn.nl> Mon, 25 November 2013 15:56 UTC

Message-ID: <52937303.4070904@sidn.nl>
Date: Mon, 25 Nov 2013 16:55:47 +0100
From: Jelte Jansen <jelte.jansen@sidn.nl>
To: Tony Finch <dot@dotat.at>, Miek Gieben <miek@miek.nl>
References: <CFD6B510-D70E-4308-BF3E-B2E7C2ADCBEB@nominum.com> <alpine.LSU.2.00.1311201202570.11548@hermes-2.csi.cam.ac.uk> <21132.63250.716415.755401@gro.dd.org> <20131125140508.GB20994@miek.nl> <alpine.LSU.2.00.1311251538220.24198@hermes-2.csi.cam.ac.uk>
In-Reply-To: <alpine.LSU.2.00.1311251538220.24198@hermes-2.csi.cam.ac.uk>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Authenticated denial of existence...

On 11/25/2013 04:43 PM, Tony Finch wrote:
> Miek Gieben <miek@miek.nl> wrote:
> 
>> Matthijs and I added an extra appendix to cover on-line signing and
>> made some tweaks to the rest of the text.
> 
> Looks good.
> 
> A point I just noticed in section 3 which I think could do with
> elaborating:
> 
>       Given all these troubles, why didn't the designers of DNSSEC go
>       for the (easy) route and allowed for on-line signing?  Well, at
>       that time (pre 2000), on-line signing was not feasible with the
>       then current hardware.  Keep in mind that the larger servers get
>       between 2000 and 6000 queries per second (qps), with peaks up to
>       20,000 qps or more.  Scaling signature generation to these kind of
>       levels is always a challenge.  Another issue was (and is) key
>       management, for on-line signing to work you need access to the
>       private key(s).  This is considered a security risk.
> 
> I think it is worth saying that online signing makes it difficult to have
> third party secondary authoritative servers, since they would need a copy
> of the private ZSK. With normal DNSSEC, even with a dynamically updated
> zone, the private keys do not need to be on a publicly accessible machine.
> 

Now that you quote it like that, I think that using 'allowed' in that
first line is misleading; it's not so much that the protocol doesn't
allow on-line signing, the requirement was that it didn't have to rely
on it. Also, IIRC the preferred term was on-the-fly rather than on-line.

Need to re-read doc :)

Jelte
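An added example (my code, not the draft's or anyone's in this thread) of the key-placement point above: the NSEC chain that proves a name is absent is computed once by the offline signer, so a secondary can serve the denial without ever holding the ZSK. The zone names are constructed; the code orders them per RFC 4034 canonical ordering, links them into a chain, and returns the pre-computed covering record for a queried name (the wildcard half of a full NXDOMAIN proof is left out).

```python
# Added example: pre-computed NSEC denial vs. on-the-fly signing.
# Zone contents below are constructed for illustration.

def canonical_key(name):
    """Sort key for RFC 4034 canonical DNS name ordering: labels are compared
    right to left, case-insensitively, as byte strings; a name sorts before
    any of its subdomains (shorter tuple is a prefix)."""
    if name in ('', '.'):
        return ()
    labels = name.rstrip('.').lower().split('.')
    return tuple(label.encode() for label in reversed(labels))

def build_nsec_chain(owner_names):
    """Offline step, run once by the signer that holds the ZSK: order the
    owner names canonically and link each to its successor, with the last
    name wrapping back to the apex. The resulting records (plus their RRSIGs)
    are what gets transferred to secondaries."""
    ordered = sorted(set(owner_names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]

def covers(nsec, qname):
    """True if qname falls strictly between the NSEC owner and its 'next'
    name; the wrap-around record (owner > next) covers everything after the
    last name in the zone."""
    owner, nxt = nsec
    k_owner, k_next, k_q = map(canonical_key, (owner, nxt, qname))
    if k_owner < k_next:
        return k_owner < k_q < k_next
    return k_q > k_owner or k_q < k_next

def deny_name(chain, qname):
    """What a key-less secondary returns for a name that does not exist: the
    pre-signed covering NSEC. Returns None if the name exists in the chain
    (no denial applies) so the caller answers with the real RRset instead."""
    for nsec in chain:
        if covers(nsec, qname):
            return nsec
    return None

if __name__ == '__main__':
    zone = ['example.nl', 'a.example.nl', 'b.example.nl',
            'ns.example.nl', 'z.example.nl']
    chain = build_nsec_chain(zone)
    print(chain)
    print(deny_name(chain, 'c.example.nl'))    # covered by (b, ns)
    print(deny_name(chain, 'zz.example.nl'))   # wrap-around record
    print(deny_name(chain, 'B.EXAMPLE.NL'))    # exists: None
```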