Re: [DNSOP] Fwd: NewVersion Notificationfor draft-mekking-dnsop-auto-cpsync-00
"Stephan Lagerholm" <stephan.lagerholm@secure64.com> Tue, 29 June 2010 15:15 UTC
Return-Path: <stephan.lagerholm@secure64.com>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 084DE3A6851 for <dnsop@core3.amsl.com>; Tue, 29 Jun 2010 08:15:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cSSIeTmRksX5 for <dnsop@core3.amsl.com>; Tue, 29 Jun 2010 08:15:37 -0700 (PDT)
Received: from mail.secure64.com (mail.secure64.com [66.37.130.20]) by core3.amsl.com (Postfix) with ESMTP id 99CCE3A6781 for <dnsop@ietf.org>; Tue, 29 Jun 2010 08:15:31 -0700 (PDT)
Received: by mail.secure64.com (Postfix, from userid 65534) id B07FA12552392; Tue, 29 Jun 2010 09:15:39 -0600 (MDT)
Received: from exchange.secure64.com (exchange.secure64.com [192.168.254.250]) by mail.secure64.com (Postfix) with ESMTP id 30FED12552392; Tue, 29 Jun 2010 09:15:38 -0600 (MDT)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Tue, 29 Jun 2010 09:15:07 -0600
Message-ID: <DD056A31A84CFC4AB501BD56D1E14BBB826B87@exchange.secure64.com>
In-Reply-To: <4C2A0696.7080204@ripe.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [DNSOP] Fwd: NewVersion Notificationfor draft-mekking-dnsop-auto-cpsync-00
Thread-Index: AcsXmYG8pcmnaOlSTlmd9/kl9r8tnAAA4swg
References: <4C29F2FA.1000907@nlnetlabs.nl> <4C29FE8F.6030002@nlnetlabs.nl><DD056A31A84CFC4AB501BD56D1E14BBB826B70@exchange.secure64.com> <4C2A0696.7080204@ripe.net>
From: Stephan Lagerholm <stephan.lagerholm@secure64.com>
To: Wolfgang Nagele <wnagele@ripe.net>
Cc: dnsop@ietf.org, Matthijs Mekking <matthijs@NLnetLabs.nl>
Subject: Re: [DNSOP] Fwd: NewVersion Notificationfor draft-mekking-dnsop-auto-cpsync-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2010 15:15:42 -0000
Hi Wolfgang, My concern was not about the updates but rather about the gigantic number of keys a busy parent would have to create, revoke, store, renew, etc. It doesn't make sense to me to utilize symmetric encryption (such as TSIG) to solve this problem. A scheme that utilized an asymmetric key would be a much better fit. DNSSEC itself would be a strong candidate here. Thanks, S ---------------------------------------------------------------------- Stephan Lagerholm Senior DNS Architect, M.Sc. ,CISSP Secure64 Software Corporation, www.secure64.com Cell: 469-834-3940 > -----Original Message----- > From: dnsop-bounces@ietf.org [mailto:dnsop-bounces@ietf.org] On Behalf Of > Wolfgang Nagele > Sent: Tuesday, June 29, 2010 9:44 AM > To: Stephan Lagerholm > Cc: dnsop@ietf.org; Matthijs Mekking > Subject: Re: [DNSOP] Fwd: NewVersion Notificationfor draft-mekking-dnsop- > auto-cpsync-00 > > Hi Stephan, > > > I like this draft but I'm a little bit concerned about the scalability. > > How will a busy parent provision a unique secret key for each of the > > child? > Do you mean the scalability for capacity on the update server side? > Although > BIND might not be able to scale this out of the box, the example has only > been > given in the draft to have a hands-on way for ppl to try this draft. > > In reality it should not be a major issue to receive those DNS updates and > process them (with or without signatures) - similar efforts are currently > made > for each request to change NS-sets on the parent (admittedly those might > happen > less frequent). > > > And how will this key be transported between the parent and the > > child in a secure way? > The same way a parent is currently providing a domain owner with > credentials for > their management interfaces. If a domain owner has specific requirements > in > terms of security on that channel it is something where registrars can > offer > whatever their customers demand. > > Regards, > Wolfgang > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- Re: [DNSOP] Fwd: New Version Notificationfor draf… Wolfgang Nagele
- [DNSOP] Fwd: New Version Notification for draft-m… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notificationfor draf… Stephan Lagerholm
- Re: [DNSOP] Fwd: NewVersion Notificationfor draft… Stephan Lagerholm
- Re: [DNSOP] Fwd: NewVersion Notificationfor draft… Wolfgang Nagele
- Re: [DNSOP] Fwd: New Version Notificationfor draf… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification fordraf… George Barwood
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Stephan Lagerholm
- Re: [DNSOP] Fwd: New Version Notificationfordraft… George Barwood
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Tony Finch
- Re: [DNSOP] Fwd: NewVersion Notificationfor draft… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notification fordraf… Wolfgang Nagele
- Re: [DNSOP] Fwd: New Version Notification fordraf… Shane Kerr
- Re: [DNSOP] Fwd: New Version Notification fordraf… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notificationfordraft… George Barwood
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Wolfgang Nagele
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notificationfordraft… George Barwood
- Re: [DNSOP] Fwd: New Version Notification fordraf… George Barwood
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Andrew Sullivan
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Wolfgang Nagele
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Jakob Schlyter
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Jakob Schlyter
- Re: [DNSOP] Fwd: New Version Notification for dra… bmanning