Re: [DNSOP] DNSSEC as a Best Current Practice
james@qualityaccelerator.com Thu, 14 April 2022 12:02 UTC
From: james@qualityaccelerator.com
To: 'Masataka Ohta' <mohta@necom830.hpcl.titech.ac.jp>, 'Paul Wouters' <paul@nohats.ca>
Cc: dnsop@ietf.org
References: <57f1c37b-497c-e1a0-329c-4b9c8b7e197b@necom830.hpcl.titech.ac.jp> <A9F689C9-4ABF-4947-AA6B-56E2F0C17D13@nohats.ca> <9732682e-78e7-f6bf-84fc-685de22d5e12@necom830.hpcl.titech.ac.jp> <350d8ab8-0477-b656-8b08-56f7561a7fda@necom830.hpcl.titech.ac.jp> <CAH1iCiqkAPHq1QBKdkbh86j8UhimjEMG9DU15O9Tkch4BedBjg@mail.gmail.com> <0e2dffab-6afc-b1b6-9028-175f89f0d29e@necom830.hpcl.titech.ac.jp> <b3bf6748-be6d-a287-27e4-87af36ab10@nohats.ca> <dc4a21ee-cc4c-9cb1-9a56-b4992201378c@necom830.hpcl.titech.ac.jp> <c47227f6-5556-1e75-3a48-8aa6bad498ac@nohats.ca> <61b46811-fa52-5ec0-e16b-eb7e9d9560d4@necom830.hpcl.titech.ac.jp>
In-Reply-To: <61b46811-fa52-5ec0-e16b-eb7e9d9560d4@necom830.hpcl.titech.ac.jp>
Date: Thu, 14 Apr 2022 13:01:57 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6SzEobYVCdB9V0sQw0jWEm4sw6s>
Surely this is at the point of just being trolling, right?

-----Original Message-----
From: DNSOP <dnsop-bounces@ietf.org> On Behalf Of Masataka Ohta
Sent: Thursday, April 14, 2022 12:56 PM
To: Paul Wouters <paul@nohats.ca>
Cc: dnsop@ietf.org WG <dnsop@ietf.org>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice

Paul Wouters wrote:

>> I can't see any reason why you think the root zone is more secure
>> than TLDs, especially because, as I wrote:
>
> Because I am informed about their operational procedures and I
> contributed to the technical design as one of the for the DNS Root
> Zone Key-Signing-Key of the Root Zone Rollover advisory group.

So, you mean the root zone is secure because of "operational procedures", which is not cryptographic.

Thank you very much for having confirmed my point that DNSSEC is not cryptographically secure. Your point is, surely, conclusive.

> I was also responsible for the design and implementation of a large TLD
> fully implementation redundant DNSSEC signer solution.

So, the root and TLD zones are as secure as DigiNotar.

> I talked to a lot of TLD operators at ICANN during my term as the
> IETF Liaison to the ICANN Technical Expert Group.

I'm sure none of them were aware that PKI is not cryptographically secure. So?

>> : Third, all the CAs, including TLDs, pursuing commercial
>> : success have very good appearance using such words as
>> : "HSMs" or "four eyes minimum". That is, you can't
>> : compare actual operational/physical strength from
>> : their formal documents.
>
> This is an anecdote, not a logical reasoned argument.

That's your anecdote to mention "HSMs" or "four eyes minimum" proven to be useless by DigiNotar.

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop