Re: [DNSOP] Should be signed

Masataka Ohta <> Sun, 07 March 2010 13:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 075B93A8307 for <>; Sun, 7 Mar 2010 05:55:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.09
X-Spam-Status: No, score=-0.09 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tmCHnF1iHhQy for <>; Sun, 7 Mar 2010 05:55:45 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 719493A6774 for <>; Sun, 7 Mar 2010 05:55:45 -0800 (PST)
Received: (qmail 85644 invoked from network); 7 Mar 2010 15:01:37 -0000
Received: from (HELO ( by with SMTP; 7 Mar 2010 15:01:37 -0000
Message-ID: <>
Date: Sun, 07 Mar 2010 22:55:06 +0900
From: Masataka Ohta <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: ja, en
MIME-Version: 1.0
To: Jim Reid <>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: George Barwood <>,
Subject: Re: [DNSOP] Should be signed
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 07 Mar 2010 13:55:47 -0000

Jim Reid wrote:

>> While the Bad Guy as an ISP administrator won't have the private
>> keys, the Bad Guy as a zone administrator will have the private keys.

> True,

Good enough.

> This claim is ridiculous. Unless someone uncovers a fundamental flaw  in 
> public key cryptography,

The fundamental flow of public key cryptography for its, wrongly
claimed, cryptographical security is that trusted third parties
are not cryptographically secure, which you have already said

As you can see that the Bad Guy as a zone administrator will
have the private keys, there is no cryptographical security,

> DNSSEC is secure cryptographically  provided 
> the private key(s) remain private.

The provision is not cryptographical.

> Now some people may (or may not) trust a third party to manage their  
> keys and zone signing for them. That's their choice.

Have you ever heard about such thing as monopoly?

With monopoly, consumers do not have any choice, which is the case
with DNS.

You are totally bound to "." and many are to ".com".

> It's just one of  
> the many trade-offs that have to be considered in any sort of security  
> system. For some, a private key held by a third party may well meet or  
> exceed their security requirements.

That there are many operational trade-offs means that the security
is not cryptographic. 

						Masataka Ohta