IETF Logo Mail Archive

Re: [DNSOP] DNSSEC as a Best Current Practice

james@qualityaccelerator.com Thu, 14 April 2022 12:02 UTC

Return-Path: <james@qualityaccelerator.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AE573A1154 for <dnsop@ietfa.amsl.com>; Thu, 14 Apr 2022 05:02:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=qualityaccelerator-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RUYfrHpFPz63 for <dnsop@ietfa.amsl.com>; Thu, 14 Apr 2022 05:02:20 -0700 (PDT)
Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC3043A1147 for <dnsop@ietf.org>; Thu, 14 Apr 2022 05:02:19 -0700 (PDT)
Received: by mail-wr1-x432.google.com with SMTP id g18so6565428wrb.10 for <dnsop@ietf.org>; Thu, 14 Apr 2022 05:02:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualityaccelerator-com.20210112.gappssmtp.com; s=20210112; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=5TY9G666gyW+tICNE39YwtCvUChr5cqv+XCrDnBduU8=; b=z+4ThqA8B4YPz6LpuBkODpKeakBrNQt3dzcQmH72RIxuxOGkXSu6v24isJv2uf3H/1 sjjyGgff1COhrJfXeigREc7eKe0IBzxN+no9tjE33VkA7/afBjvG0+8O1ya2NNwk3HJu h1r2YWIxfaU8xYZ+ij+u6V1xWX/TKmSckGdam48WJddcNFrSzNqya4hAitPc8T3TrBpC gvQOnmajfzEfPcev9PFDMWXatMhdtI9+/V9wnYJpyENrv7wDmleWb1bQLzDDFDaYk/I6 qMYEn3+imU8Zo/twYhVKXpNtnWF1C47b7zbkm1M99Wfc09tpZkQyOhqklHOhxREPn+nA BOGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=5TY9G666gyW+tICNE39YwtCvUChr5cqv+XCrDnBduU8=; b=aIa+IxSxOLxV9L/JRQ5blWuF1alV2yT152++4w4c/aE8BMpkFMiFAPY1EJrezjhO2K PzkhYTePmkebNGhVS+EyupZTY4P9QIa5AxpU/GTPL2hrbpGhPCA0WyELAb1uX/9MasK2 +8uCINkIqDNbIRASD6qGeOQabMWPfONMYBAw6iXFD/DW8J92cmwiP8QC1DUFBefUimDR tgm1t4Ioix02BqzoMKcn8+0yN8uhGuVWJipO/AcC26qv95eyC2YR/iJvHWghAG11t/A7 WF3KR5hxF9qUwKxPxsx6GO/lN9e1GmapdQKr15WBF3xTL/UAIvGjk4MnMJI7l0EUQPkS 5hLw==
X-Gm-Message-State: AOAM530aFZTgM067pnOYkJJNnaIR8Aauxy8dqRkIDtAJ/l1cj+Cr05kD llP9DHPaHjNrwSuya9hUTWWTMt4XIUo6kA==
X-Google-Smtp-Source: ABdhPJzlj46qlOeOXn576yW9gb6SJdKn2tYi9rCYYhwS+AWH6Ki8CS65Rfns/5eSlksvIDFlf0XppQ==
X-Received: by 2002:a5d:64a3:0:b0:20a:7931:5b91 with SMTP id m3-20020a5d64a3000000b0020a79315b91mr120513wrp.388.1649937737601; Thu, 14 Apr 2022 05:02:17 -0700 (PDT)
Received: from PC ([2001:bb6:dba:2700:2974:b877:87e8:23c9]) by smtp.gmail.com with ESMTPSA id l9-20020a1c7909000000b0038eb8171fa5sm1915713wme.1.2022.04.14.05.02.17 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Apr 2022 05:02:17 -0700 (PDT)
From: james@qualityaccelerator.com
To: 'Masataka Ohta' <mohta@necom830.hpcl.titech.ac.jp>, 'Paul Wouters' <paul@nohats.ca>
Cc: dnsop@ietf.org
References: <57f1c37b-497c-e1a0-329c-4b9c8b7e197b@necom830.hpcl.titech.ac.jp> <A9F689C9-4ABF-4947-AA6B-56E2F0C17D13@nohats.ca> <9732682e-78e7-f6bf-84fc-685de22d5e12@necom830.hpcl.titech.ac.jp> <350d8ab8-0477-b656-8b08-56f7561a7fda@necom830.hpcl.titech.ac.jp> <CAH1iCiqkAPHq1QBKdkbh86j8UhimjEMG9DU15O9Tkch4BedBjg@mail.gmail.com> <0e2dffab-6afc-b1b6-9028-175f89f0d29e@necom830.hpcl.titech.ac.jp> <b3bf6748-be6d-a287-27e4-87af36ab10@nohats.ca> <dc4a21ee-cc4c-9cb1-9a56-b4992201378c@necom830.hpcl.titech.ac.jp> <c47227f6-5556-1e75-3a48-8aa6bad498ac@nohats.ca> <61b46811-fa52-5ec0-e16b-eb7e9d9560d4@necom830.hpcl.titech.ac.jp>
In-Reply-To: <61b46811-fa52-5ec0-e16b-eb7e9d9560d4@necom830.hpcl.titech.ac.jp>
Date: Thu, 14 Apr 2022 13:01:57 +0100
Message-ID: <06f401d84ff7$7228e9f0$567abdd0$@qualityaccelerator.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHdCgFkMRRyXtpt9e2gRm2O+W2aJwIbE+GtArj/KwICn+FOTwIs2XszAmG1GucC0dtUkQJfzhyrASSH2ocBeB4L5qxHVDpg
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6SzEobYVCdB9V0sQw0jWEm4sw6s>
X-Mailman-Approved-At: Thu, 14 Apr 2022 05:58:24 -0700
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2022 12:03:12 -0000

Surely this is at the point of just being trolling right?

-----Original Message-----
From: DNSOP <dnsop-bounces@ietf.org> On Behalf Of Masataka Ohta
Sent: Thursday, April 14, 2022 12:56 PM
To: Paul Wouters <paul@nohats.ca>
Cc: dnsop@ietf.org WG <dnsop@ietf.org>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice

Paul Wouters wrote:

>> I can't see any reason why you think the root zone is more secure 
>> than TLDs, especially because, as I wrote:
> 
> Because I am informed about their operational procedures and I 
> contributed to the technical design as one of the for the DNS Root 
> Zone Key-Signing-Key of the Root Zone Rollover advisory group.

So, you mean the root zone is secure because of "operational procedures",
which is not cryptographic.

Thank you very much to have confirmed my  point that DNSSEC is not
cryptographically secure.

Your point is, surely, conclusive.

 > I was also responsible for the design and implementation of a large TLD
> fully implementation redundant DNSSEC signer solution.

So, the root and TLD zones are as secure as diginotar.

 > I talked to a lot of TLD operators at ICANN during my term as the  > IETF
Liason to the ICANN Technical Expert Group.

I'm sure none of them were aware that PKI is not cryptographically secure.
So?

 >> :  Third, all the CAs, including TLDs, pursuing commercial  >> :
success have very good appearance using such words as  >> :  "HSMs" or "four
eyes minimum". That is, you can't  >> :  compare actual operational/physical
strength from  >> :  their formal documents.
 >
 > This is an anecdote, that a logical reasoned argument.

That's your anecdote to mention "HSMs" or "four eyes minimum"
proven to be useless by diginotar.

							Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email