Re: [DNSOP] fragile dnssec, was Fwd: New Version
Matthew Pounsett <matt@conundrum.com> Thu, 17 August 2017 11:33 UTC
From: Matthew Pounsett <matt@conundrum.com>
Date: Thu, 17 Aug 2017 07:33:07 -0400
Message-ID: <CAAiTEH9=sz_PE2QrJiM9gFxrVnUrVcuHcimut3cXxsC7ndE8GA@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CoI1rWb2cbix0dcDXygKZbdfYcs>
On 16 August 2017 at 19:09, John Levine <johnl@taugh.com> wrote:

> In article <20170816071920.BA2C98287EA4@rock.dv.isc.org> you write:
>
>> A colleague says "If TLDs allowed UPDATE messages to be processed most
>> of the issues with DNSSEC would go away. At the moment we have a whole
>> series of kludges because people are scared of signed update messages."
>
> Someone is wildly overoptimistic.
>
> The problem I run into over and over again is that I run someone's DNS
> and other services, but I am not the registrant and I am not the
> registrar, I just run the DNS. Either I have to walk the registrant
> through the process of installing DNSSEC keys, or she has to give me
> her registrar account password, neither of which scales. Slightly
> more automatic processing of updates for which I do not have the
> credentials will not help.

Have a look at:
<https://datatracker.ietf.org/doc/draft-ietf-regext-dnsoperator-to-rrr-protocol/>

It allows a registrar (or a registry in some ccTLD environments) to do CDS/CDNSKEY without having to constantly scan their registrants' name servers, and provides some advice on how to safely bootstrap DNSSEC using CDS/CDNSKEY.

There's currently a registrar implementation at Gandi, enabled for the TLDs for which they do DNSSEC (I believe it's beta, so you have to speak to their support to find the API URI), and registry implementations at CIRA (.ca) and APNIC (for their reverse zones). The CZ.NIC folks have also started building it into Fred, their open source registry software.

There are a few more changes the draft will go through before it's ready for last call, but the API it describes should remain largely unchanged from this point onward.
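The message above leans on CDS/CDNSKEY (RFC 7344) and the "safe bootstrap" problem (RFC 8078) without spelling out what the parent actually checks before it rewrites a DS. The block below is an added example written for this thread; it is not code from draft-ietf-regext-dnsoperator-to-rrr-protocol, nor from the Gandi, CIRA, APNIC or Fred implementations. It computes the DS a parent would publish from a CDNSKEY (RFC 4034 key tag and digest), then applies the acceptance rules a registry or registrar side would run: all authoritative servers must agree, the RRset must be signed by a key already in the DS (RRSIG validation itself is assumed done by the caller and passed in as `signer_tags`), the "0 0 0 00" delete sentinel is honoured, and every CDS must be derivable from a published CDNSKEY. The `bootstrap_authorized` flag is an assumed stand-in for the out-of-band authorization an API like the draft's would provide when there is no DS to validate against; the key material, server names and owner names are constructed for the example.

```python
"""
Parent-side acceptance check for a child's CDS/CDNSKEY RRset, in the spirit of
RFC 7344 and RFC 8078. Added example for this thread; not code from the regext
draft or from any registrar/registry. Standard library only, runs offline.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    """A DNSKEY/CDNSKEY RDATA in presentation fields (RFC 4034 section 2)."""
    flags: int
    protocol: int
    algorithm: int
    public_key_b64: str

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + \
            base64.b64decode(self.public_key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def wire_name(name: str) -> bytes:
    """Owner name in canonical (lowercase, uncompressed) wire form, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# RFC 8078 section 4: a CDS of "0 0 0 00" asks the parent to remove the DS.
DELETE_CDS = (0, 0, 0, "00")


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> tuple:
    """DS RDATA (key_tag, algorithm, digest_type, digest_hex), RFC 4034 section 5.1.4."""
    rdata = key.rdata()
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key.algorithm, digest_type, digest)


def decide_ds_change(owner, current_ds, cds_by_server, cdnskey_by_server,
                     signer_tags, bootstrap_authorized=False):
    """
    Decide what the parent should do with the child's CDS/CDNSKEY.

    current_ds           set of DS tuples the parent publishes now (empty = unsigned delegation)
    cds_by_server        {server: set of DS tuples} as answered by each authoritative server
    cdnskey_by_server    {server: set of DNSKEY} likewise
    signer_tags          key tags whose RRSIGs over the CDS/CDNSKEY RRsets the caller has
                         already validated (assumption: signature checking happens elsewhere)
    bootstrap_authorized assumed stand-in for out-of-band authorization (e.g. a registrar
                         API call) when there is no DS to validate against (RFC 8078)
    Returns (action, ds_set, reason) with action in keep / replace / delete / reject.
    """
    cds_sets = list(cds_by_server.values())
    cdnskey_sets = list(cdnskey_by_server.values())
    if not cds_sets or not cdnskey_sets:
        return ("reject", current_ds, "no answers from authoritative servers")
    if not any(cds_sets):
        return ("keep", current_ds, "child publishes no CDS")
    # Every server must agree; a stale or rogue copy must not drive a DS change.
    if any(s != cds_sets[0] for s in cds_sets) or any(s != cdnskey_sets[0] for s in cdnskey_sets):
        return ("reject", current_ds, "authoritative servers disagree on CDS/CDNSKEY")
    cds, cdnskey = cds_sets[0], cdnskey_sets[0]
    # RFC 7344 section 4.1: the change must be signed by a key already in the DS.
    # (Key tags can collide; a real implementation compares the validated key itself.)
    if current_ds:
        if not any(tag in signer_tags for tag, _, _, _ in current_ds):
            return ("reject", current_ds, "CDS/CDNSKEY not signed by a key in the current DS")
    elif not bootstrap_authorized:
        return ("reject", current_ds, "unsigned delegation and no out-of-band authorization")
    if cds == {DELETE_CDS}:
        return ("delete", set(), "child requested removal of the DS")
    # Each CDS must be derivable from a published CDNSKEY so the new DS matches a real key.
    for tag, alg, dtype, digest in cds:
        if dtype not in DIGEST_ALGS:
            return ("reject", current_ds, f"unsupported digest type {dtype}")
        if (tag, alg, dtype, digest) not in {ds_from_dnskey(owner, k, dtype) for k in cdnskey}:
            return ("reject", current_ds, f"CDS with key tag {tag} matches no CDNSKEY")
    if cds == current_ds:
        return ("keep", current_ds, "CDS already matches the published DS")
    return ("replace", cds, "publish the DS set derived from CDS")


if __name__ == "__main__":
    # Constructed sample: a 4-byte "key" is enough to exercise the arithmetic.
    k = DNSKEY(257, 3, 13, "AQIDBA==")
    print(ds_from_dnskey("example.com", k))
    print(decide_ds_change("example.com", set(), {"ns1": {ds_from_dnskey("example.com", k)}},
                           {"ns1": {k}}, set(), bootstrap_authorized=True))
```

The disagreement check is the piece that replaces "constantly scanning" with something a registry can act on: if two name servers return different CDS RRsets the parent does nothing, rather than taking whichever copy it happened to see first.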