Re: [DNSOP] Should be signed

Jim Reid <> Sun, 07 March 2010 13:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B31C13A89E0 for <>; Sun, 7 Mar 2010 05:22:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.495
X-Spam-Status: No, score=-1.495 tagged_above=-999 required=5 tests=[AWL=1.104, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kOG1tb8Z1pUR for <>; Sun, 7 Mar 2010 05:22:41 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 30F713A873B for <>; Sun, 7 Mar 2010 05:22:41 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jim) by (Postfix) with ESMTPSA id 7DEE2154208B; Sun, 7 Mar 2010 13:22:42 +0000 (GMT)
Message-Id: <>
From: Jim Reid <>
To: Masataka Ohta <>
In-Reply-To: <>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Sun, 07 Mar 2010 13:22:41 +0000
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <> <>
X-Mailer: Apple Mail (2.936)
Cc: George Barwood <>,
Subject: Re: [DNSOP] Should be signed
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 07 Mar 2010 13:22:45 -0000

On 7 Mar 2010, at 12:47, Masataka Ohta wrote:

> While the Bad Guy as an ISP administrator won't have the private
> keys, the Bad Guy as a zone administrator will have the private keys.

True, but irrelevant. The original discussion was a theoretical,  
misplaced concern about spoofed priming queries. It was not about  
whether the Bad Guy had control over the zone being spoofed. Please  
don't confuse the two.

> That is, DNSSEC is not secure cryptographically, which is another
> reason why not to deploy DNSSEC.

This claim is ridiculous. Unless someone uncovers a fundamental flaw  
in public key cryptography, DNSSEC is secure cryptographically  
provided the private key(s) remain private.

Now some people may (or may not) trust a third party to manage their  
keys and zone signing for them. That's their choice. It's just one of  
the many trade-offs that have to be considered in any sort of security  
system. For some, a private key held by a third party may well meet or  
exceed their security requirements. It takes a wild leap of the  
imagination and powerful reality distortion to use that as  
justification for the claims you made.