IETF Logo Mail Archive

Re: [DNSOP] Fwd: NewVersion Notificationfor draft-mekking-dnsop-auto-cpsync-00

"Stephan Lagerholm" <stephan.lagerholm@secure64.com> Tue, 29 June 2010 15:15 UTC

Return-Path: <stephan.lagerholm@secure64.com>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 084DE3A6851 for <dnsop@core3.amsl.com>; Tue, 29 Jun 2010 08:15:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cSSIeTmRksX5 for <dnsop@core3.amsl.com>; Tue, 29 Jun 2010 08:15:37 -0700 (PDT)
Received: from mail.secure64.com (mail.secure64.com [66.37.130.20]) by core3.amsl.com (Postfix) with ESMTP id 99CCE3A6781 for <dnsop@ietf.org>; Tue, 29 Jun 2010 08:15:31 -0700 (PDT)
Received: by mail.secure64.com (Postfix, from userid 65534) id B07FA12552392; Tue, 29 Jun 2010 09:15:39 -0600 (MDT)
Received: from exchange.secure64.com (exchange.secure64.com [192.168.254.250]) by mail.secure64.com (Postfix) with ESMTP id 30FED12552392; Tue, 29 Jun 2010 09:15:38 -0600 (MDT)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Tue, 29 Jun 2010 09:15:07 -0600
Message-ID: <DD056A31A84CFC4AB501BD56D1E14BBB826B87@exchange.secure64.com>
In-Reply-To: <4C2A0696.7080204@ripe.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [DNSOP] Fwd: NewVersion Notificationfor draft-mekking-dnsop-auto-cpsync-00
Thread-Index: AcsXmYG8pcmnaOlSTlmd9/kl9r8tnAAA4swg
References: <4C29F2FA.1000907@nlnetlabs.nl> <4C29FE8F.6030002@nlnetlabs.nl><DD056A31A84CFC4AB501BD56D1E14BBB826B70@exchange.secure64.com> <4C2A0696.7080204@ripe.net>
From: Stephan Lagerholm <stephan.lagerholm@secure64.com>
To: Wolfgang Nagele <wnagele@ripe.net>
Cc: dnsop@ietf.org, Matthijs Mekking <matthijs@NLnetLabs.nl>
Subject: Re: [DNSOP] Fwd: NewVersion Notificationfor draft-mekking-dnsop-auto-cpsync-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2010 15:15:42 -0000

Hi Wolfgang,

My concern was not about the updates but rather about the gigantic
number of keys a busy parent would have to create, revoke, store, renew,
etc. 

It doesn't make sense to me to utilize symmetric encryption (such as
TSIG) to solve this problem. A scheme that utilized an asymmetric key
would be a much better fit. DNSSEC itself would be a strong candidate
here.

Thanks, S
----------------------------------------------------------------------
Stephan Lagerholm
Senior DNS Architect, M.Sc. ,CISSP
Secure64 Software Corporation, www.secure64.com
Cell: 469-834-3940

> -----Original Message-----
> From: dnsop-bounces@ietf.org [mailto:dnsop-bounces@ietf.org] On Behalf
Of
> Wolfgang Nagele
> Sent: Tuesday, June 29, 2010 9:44 AM
> To: Stephan Lagerholm
> Cc: dnsop@ietf.org; Matthijs Mekking
> Subject: Re: [DNSOP] Fwd: NewVersion Notificationfor
draft-mekking-dnsop-
> auto-cpsync-00
> 
> Hi Stephan,
> 
> > I like this draft but I'm a little bit concerned about the
scalability.
> > How will a busy parent provision a unique secret key for each of the
> > child?
> Do you mean the scalability for capacity on the update server side?
> Although
> BIND might not be able to scale this out of the box, the example has
only
> been
> given in the draft to have a hands-on way for ppl to try this draft.
> 
> In reality it should not be a major issue to receive those DNS updates
and
> process them (with or without signatures) - similar efforts are
currently
> made
> for each request to change NS-sets on the parent (admittedly those
might
> happen
> less frequent).
> 
> > And how will this key be transported between the parent and the
> > child in a secure way?
> The same way a parent is currently providing a domain owner with
> credentials for
> their management interfaces. If a domain owner has specific
requirements
> in
> terms of security on that channel it is something where registrars can
> offer
> whatever their customers demand.
> 
> Regards,
> Wolfgang
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email