Re: [DNSOP] Should root-servers.net be signed

Jim Reid <jim@rfc1035.com> Sun, 07 March 2010 13:22 UTC

Return-Path: <jim@rfc1035.com>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B31C13A89E0 for <dnsop@core3.amsl.com>; Sun, 7 Mar 2010 05:22:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.495
X-Spam-Level:
X-Spam-Status: No, score=-1.495 tagged_above=-999 required=5 tests=[AWL=1.104, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kOG1tb8Z1pUR for <dnsop@core3.amsl.com>; Sun, 7 Mar 2010 05:22:41 -0800 (PST)
Received: from hutch.rfc1035.com (router.rfc1035.com [195.54.233.65]) by core3.amsl.com (Postfix) with ESMTP id 30F713A873B for <dnsop@ietf.org>; Sun, 7 Mar 2010 05:22:41 -0800 (PST)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jim) by hutch.rfc1035.com (Postfix) with ESMTPSA id 7DEE2154208B; Sun, 7 Mar 2010 13:22:42 +0000 (GMT)
Message-Id: <FBF55545-A279-4AA1-ACD3-E2EBBCEF5AFC@rfc1035.com>
From: Jim Reid <jim@rfc1035.com>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
In-Reply-To: <4B93A046.4020209@necom830.hpcl.titech.ac.jp>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Sun, 07 Mar 2010 13:22:41 +0000
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <A76BB63E-F13B-4D90-BABB-89EB06C8E5F0@rfc1035.com> <4B93A046.4020209@necom830.hpcl.titech.ac.jp>
X-Mailer: Apple Mail (2.936)
Cc: George Barwood <george.barwood@blueyonder.co.uk>, dnsop@ietf.org
Subject: Re: [DNSOP] Should root-servers.net be signed
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Mar 2010 13:22:45 -0000

On 7 Mar 2010, at 12:47, Masataka Ohta wrote:

> While the Bad Guy as an ISP administrator won't have the private
> keys, the Bad Guy as a zone administrator will have the private keys.

True, but irrelevant. The original discussion was a theoretical,  
misplaced concern about spoofed priming queries. It was not about  
whether the Bad Guy had control over the zone being spoofed. Please  
don't confuse the two.

> That is, DNSSEC is not secure cryptographically, which is another
> reason why not to deploy DNSSEC.

This claim is ridiculous. Unless someone uncovers a fundamental flaw  
in public key cryptography, DNSSEC is secure cryptographically  
provided the private key(s) remain private.

Now some people may (or may not) trust a third party to manage their  
keys and zone signing for them. That's their choice. It's just one of  
the many trade-offs that have to be considered in any sort of security  
system. For some, a private key held by a third party may well meet or  
exceed their security requirements. It takes a wild leap of the  
imagination and powerful reality distortion to use that as  
justification for the claims you made.