Re: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors

Petr Špaček <> Mon, 06 November 2017 15:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2647E13FAD9 for <>; Mon, 6 Nov 2017 07:56:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VeVyPSk3c4fX for <>; Mon, 6 Nov 2017 07:56:49 -0800 (PST)
Received: from ( [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 955C313FC4C for <>; Mon, 6 Nov 2017 07:56:48 -0800 (PST)
Received: from [IPv6:2001:1488:fffe:6:b083:7eff:fe6f:13cd] (unknown [IPv6:2001:1488:fffe:6:b083:7eff:fe6f:13cd]) by (Postfix) with ESMTPSA id CB6EA6352F; Mon, 6 Nov 2017 16:56:46 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=default; t=1509983807; bh=4PEejeaWRESE0AoMa//sc+rtDizno4slX/u4ZyBBD80=; h=To:From:Date; b=vyEgoUG7w5CabvOG3uNdJpaaNebrcUTdFYkNoltapwl1CCozWkBD7YYaqzVs42W79 ABGVGNxmWpdPOf7TriTppsbuoal3couXQHfGFHGYYO6/OXOp7DCMsKqNOQer1xdq3L /lSZWMoizfL6yfeD1M2Sq6jS9tm5LVqx8DTTUunU=
To: Paul Hoffman <>,
References: <> <> <> <> <>
From: Petr Špaček <>
Organization: CZ.NIC
Message-ID: <>
Date: Mon, 06 Nov 2017 16:56:46 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <>
Subject: Re: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 06 Nov 2017 15:56:58 -0000

On 6.11.2017 16:15, Paul Hoffman wrote:
> Doesn't "I don't trust my parent's security policy" open up a million
> cans of worms anyway? It feels like making this change to the default

1. The problem is that there were (and certainly will be) successfull
hacks into registries, that seems just inevitable.

2. Vast majority of people will not bother with setting up own trust
anchors. I.e. vast majority of people will not be affected by any
brittlenes you envision.

3. The small fraction of people who configure their own TA do it for a
reason. The reason I can see is "TA pinning". This provides users
ability to to configure their critical systems in a way which turns
successfull hack into my parent registry into Bogus status.

Yes, it requires them to keep TA up-to-date, but that is the price you
pay for pinning.

> behavior will make validation more brittle (because people *will* forget
> to update their lower-level trust anchors) in order to help a very small
> number of people who could have made the configuration change themselves.

Personally I do not see justification for 'trust DS or TA' behavior so
I'm not willing to make security critical code paths more complex just
for sake of having an unused configuration knob.

In other words, "could have made the configuration change themselves" is
not applicable here because the knob is not going to be available.

I did my best to explain my reasoning, let me know if you can see some
holes in the reasoning.

Petr Špaček  @  CZ.NIC