Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Joe Abley <jabley@ca.afilias.info> Fri, 25 July 2008 18:08 UTC

Cc: Jelte Jansen <jelte@NLnetLabs.nl>, DNSEXT WG <namedroppers@ops.ietf.org>
Message-Id: <52A6E331-4970-4F59-BC82-FBFC1575E005@ca.afilias.info>
From: Joe Abley <jabley@ca.afilias.info>
To: Brian Dickson <briand@ca.afilias.info>
In-Reply-To: <488A0F4F.9050704@ca.afilias.info>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v928.1)
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Date: Fri, 25 Jul 2008 13:57:05 -0400
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl> <2FFE6519-7E9C-4DE8-AF69-697A4D875011@nominum.com> <20080723191636.GB32507@outpost.ds9a.nl> <8A91CF57-0CBD-4CF2-BF59-C7D59CB4B7B9@virtualized.org> <20080724060743.GA7420@outpost.ds9a.nl> <48886C4D.4020500@ca.afilias.info> <63C0FFE7-17E6-4ECE-9A12-0537FE2E3F4B@ca.afilias.info> <4888FED2.6060204@NLnetLabs.nl> <E7388E94-D031-4059-91F9-1596A254E21C@ca.afilias.info> <488A0F4F.9050704@ca.afilias.info>
X-Mailer: Apple Mail (2.928.1)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

On 25 Jul 2008, at 13:37, Brian Dickson wrote:

> This would enable in-band resolvers to validate both the data, and  
> the presence or absence of zone signatures, on delegation chains,  
> and prevent downgrade attacks even by man-in-the-middle interference.

If the transport can't be trusted then the presence or absence of such  
markers surely can't be trusted either. Hence "out-of-band" in my  
previous note.

But I have not done very much thinking about this. I am mainly  
suggesting things as a way of learning. :-)


Joe


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>