Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

Mark Andrews <Mark_Andrews@isc.org> Fri, 08 August 2008 02:06 UTC

To: Duane <duane@e164.org>
Cc: bert hubert <bert.hubert@netherlabs.nl>, Namedroppers <namedroppers@ops.ietf.org>
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
In-reply-to: Your message of "Fri, 08 Aug 2008 11:10:19 +1000." <489B9CFB.30002@e164.org>
Date: Fri, 08 Aug 2008 12:01:37 +1000
List-ID: <namedroppers.ops.ietf.org>

> Mark Andrews wrote:
> > 	and the alternative is arbitrary data insertion.
> > 
> > 	You could have online keys and sign every response with a
> > 	ttl + clock skew based window.  This requires that the
> > 	private key is on all slaves.  The crypto hardware guys
> > 	will love you :-)
> 
> I'm working on it. I'm fighting 2 issues at present: one is to standardise
> attributes on OpenPGP keys for server purposes, and once that's sorted
> and all the hubbub about DNS has died down, the 2nd is using
> encryption to provide both confidentiality and effectively remove the
> need for signing at all.
> 
> Thanks to feedback from people in this group I've improved the draft
> considerably but yeah, the idea now is to set up an AES session key that is
> good for X hours using an initial RSA-encrypted request from the client.
> 
> > 	Note this is an implementation / deployment trade-off.  The
> > 	protocol supports either scenario.
> 
> It's 2008 and hardware is cheap; it's silly to think 1960's credit
> card processing models were even valid 10 years ago, let alone now.
> 
> > 	Which can be completely automated.  Has already been in
> > 	some scenarios.  I haven't re-signed my zones for months
> > 	despite using a 30 day expiry period on the signatures.
> 
> Shows how much DNSSEC is used by you then, otherwise you would be
> rejecting your own DNS replies.

	I missed the "by hand" part.

	I haven't re-signed my zones, by hand, for months despite
	using a 30 day expiry period on the signatures.

	Completely automated re-signing.
 
> > 	It is set and forget.  More and more of the process will
> > 	become "set and forget" as the tools develop.
> 
> You miss the point, that presentation outlined what is now, not what
> will be when someone can be bothered to.
> 
> > 	Well if you know that the data will be stable for a year
> > 	you can sign once a year.
> 
> At the very least, natural disasters don't stick to timetables, last time
> I checked.
> 
> > 	The tools today can take a signed zone and re-sign it as
> > 	well as incrementing the SOA serial in the process.  Re-signing
> > 	then reloading can be run from cron on a weekly basis.
> 
> That's a nice 'hack'.
> 
> > 	Note the tools will only get better so the costs will
> > 	continue to go down.  They have gone down enormously from
> > 	the original design costs.
> 
> Again, I can only comment on what is, not what will be.
> 
> -- 
> 
> Best regards,
>  Duane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
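Two points in this exchange lend themselves to a concrete check: signing with a TTL-plus-clock-skew validity window, and re-signing a zone from cron (with a serial bump) well before the 30-day signatures expire, so that the zone owner is not the one "rejecting your own DNS replies". The script below is an added example written for this archive page; it is not code from the thread, from ISC, or from BIND. It parses RRSIG records in RFC 4034 presentation format from a constructed zone fragment, classifies each signature the way a validator with some clock error would see it, reports whether a re-signing run is due, and computes the inception/expiration window that run should use. The zone lines, the "current time", the 7-day refresh threshold and the 1-hour skew allowance are all assumptions.

```python
"""Inspect RRSIG validity windows and decide when a zone needs re-signing.

Added example for the namedroppers thread; not code from the thread or from
any DNS implementation. Zone data and thresholds below are constructed.
"""
from datetime import datetime, timedelta, timezone

RRSIG_TIME = "%Y%m%d%H%M%S"   # RFC 4034 presentation format; always UTC

# Constructed sample: three RRSIGs in presentation format (not a real zone).
# RDATA order after "RRSIG": type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer's name, signature (truncated here).
SAMPLE_ZONE = """\
example.test.     3600  IN RRSIG A   8 2 3600  20080901000000 20080802000000 12345 example.test. AbCd==
www.example.test. 3600  IN RRSIG A   8 3 3600  20080810000000 20080711000000 12345 example.test. EfGh==
example.test.     86400 IN RRSIG SOA 8 2 86400 20080806000000 20080707000000 12345 example.test. IjKl==
"""

# Constructed "current time" for the worked run (UTC).
NOW = datetime(2008, 8, 8, 2, 1, 37, tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Return a list of (owner, type_covered, inception, expiration) tuples."""
    sigs = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue                      # not an RRSIG line; skip
        expiration = datetime.strptime(f[8], RRSIG_TIME).replace(tzinfo=timezone.utc)
        inception = datetime.strptime(f[9], RRSIG_TIME).replace(tzinfo=timezone.utc)
        sigs.append((f[0], f[4], inception, expiration))
    return sigs


def signature_status(now, inception, expiration,
                     refresh=timedelta(days=7), skew=timedelta(hours=1)):
    """Classify one RRSIG as a validator with up to `skew` clock error would see it."""
    if now + skew < inception:
        return "not-yet-valid"   # a validator whose clock runs slow rejects it
    if expiration <= now + skew:
        return "expired"         # already failing, or about to for a fast clock
    if expiration - now < refresh:
        return "refresh"         # still valid, but inside the re-sign threshold
    return "ok"


def plan_resign(zone_text, now, expiry_period=timedelta(days=30),
                skew=timedelta(hours=1)):
    """Report each signature's status and the window a re-signing run should use."""
    statuses = {}
    for owner, rtype, inception, expiration in parse_rrsigs(zone_text):
        statuses[(owner, rtype)] = signature_status(now, inception, expiration, skew=skew)
    new_window = {
        # Backdate inception so validators with slow clocks accept it immediately.
        "inception": (now - skew).strftime(RRSIG_TIME),
        "expiration": (now + expiry_period).strftime(RRSIG_TIME),
    }
    return {
        "statuses": statuses,
        "new_window": new_window,
        "resign": any(s != "ok" for s in statuses.values()),
    }


def next_serial(serial):
    """Increment an SOA serial with 32-bit wraparound (RFC 1982 serial arithmetic)."""
    return (serial + 1) & 0xFFFFFFFF


def response_window(now, ttl_seconds, skew=timedelta(hours=1)):
    """Validity window for a per-response signature: the record's TTL plus skew slack."""
    start = now - skew
    end = now + timedelta(seconds=ttl_seconds) + skew
    return start.strftime(RRSIG_TIME), end.strftime(RRSIG_TIME)


if __name__ == "__main__":
    plan = plan_resign(SAMPLE_ZONE, NOW)
    for (owner, rtype), status in plan["statuses"].items():
        print(f"{owner:<20} {rtype:<4} {status}")
    print("re-sign needed:", plan["resign"], "window:", plan["new_window"])
    print("SOA serial 2008080701 ->", next_serial(2008080701))
    print("per-response window for a 3600s TTL:", response_window(NOW, 3600))
```

Run from cron ahead of the re-signing step: when `resign` is true, hand `new_window` to whatever signs the zone, bump the serial with `next_serial`, and reload. The "refresh" state is the one worth alerting on, because it is the last point at which re-signing is still routine rather than an outage.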

archive: <http://ops.ietf.org/lists/namedroppers/>