Re: [DNSOP] Should be signed

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Sun, 07 March 2010 21:47 UTC

From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Date: Sun, 07 Mar 2010 13:47:56 -0800
Message-Id: <0568FB04-7F9F-430B-ADDF-2295619562A6@ICSI.Berkeley.EDU>
To: Masataka Ohta <>
Cc: George Barwood <>, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>

On Mar 7, 2010, at 11:03 AM, Masataka Ohta wrote:

> Nicholas Weaver wrote:
>>> That is, DNSSEC is not secure cryptographically, which is another
>>> reason why not to deploy DNSSEC.
>> I don't see what your argument here is.
>> DNSSEC is a "PKI in disguise", and like ANY PKI, you still depend
>> on trust up the hierarchy,
> Yes, you do understand the problem.
>> But DNS has ALWAYS depended on trust-up-the-hierarchy anyway,
>> so this aspect of DNSSEC doesn't increase the level of trust
>> required in DNS,
> The problem is that DNSSEC was wrongly advertised to increase
> the level of security.
> The reality, however, is that ISPs are as secure/reliable/trustable
> as zones, which means DNSSEC does not increase the level of security.

IF you use DNSSEC for A records, I agree with you completely.  Simply put, because either the end application never trusted DNS OR it is trivially p0wned by a MitM.

IF you use DNSSEC for TXT and CERT records, it's a very different story.  Existing PKIs have too MANY paths of trust, and paths of trust which are disjoint from the name hierarchy.  By uniting these and REDUCING the paths of trust, you end up with a better system.

And PKI, despite what you say, is not broken.  Hierarchical trust OR web of trust, you have to have some transitive trust to make a usable system.
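To make the "paths of trust" argument concrete, here is an added toy model (not part of the thread, and not anyone's production code) that asks which parties could get a forged key accepted for a name under a browser-style PKI, under DNSSEC alone, and under one reading of "uniting" the two, where the certificate must also match a key published in a DNSSEC-signed TXT/CERT record. The CA names and zones are constructed sample data.

```python
# Added example, not from the original email thread. A toy model of the
# "paths of trust" argument: given a set of compromised parties, would a client
# accept a forged key for a name under (a) a browser-style PKI, (b) DNSSEC alone,
# or (c) the two united (assumed reading: the certificate must also match a key
# published in a DNSSEC-signed TXT/CERT record)? CA names and zones are
# constructed sample data.

ROOT_CAS = frozenset({"CA-A", "CA-B", "CA-C", "CA-D"})   # constructed trust store


def name_ancestors(name):
    """Zones on the delegation chain from the root down to `name`, inclusive."""
    labels = name.rstrip(".").lower().split(".")
    return frozenset({"."} | {".".join(labels[i:]) + "." for i in range(len(labels))})


def forgery_accepted(name, compromised, model, root_cas=ROOT_CAS):
    """True if an attacker controlling `compromised` can get a forged key
    accepted for `name` under the given trust model."""
    compromised = set(compromised)
    via_pki = bool(compromised & root_cas)              # any CA vouches for any name
    via_dns = bool(compromised & name_ancestors(name))  # only the name's own chain
    if model == "pki":
        return via_pki
    if model == "dnssec":
        return via_dns
    if model == "united":
        # Client checks both; a forger needs a foothold on each path.
        return via_pki and via_dns
    raise ValueError(f"unknown model {model!r}")


def trust_paths(name, root_cas=ROOT_CAS):
    """Single parties whose compromise alone breaks each model."""
    parties = set(root_cas) | name_ancestors(name)
    return {m: sorted(p for p in parties if forgery_accepted(name, {p}, m, root_cas))
            for m in ("pki", "dnssec", "united")}


if __name__ == "__main__":
    for model, who in trust_paths("www.example.com").items():
        print(f"{model:7s} single points of failure: {who}")
```

Under the PKI model every root CA is a path to a forged "www.example.com", under DNSSEC only the four zones on its chain are, and in the united model no single party suffices.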