Re: [DNSOP] Should root-servers.net be signed

"George Barwood" <george.barwood@blueyonder.co.uk> Sun, 07 March 2010 23:08 UTC

Message-ID: <F7C1873BC5BD40988CEC30A6BC67CDDF@localhost>
To: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Cc: dnsop@ietf.org
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <A76BB63E-F13B-4D90-BABB-89EB06C8E5F0@rfc1035.com> <4B93A046.4020209@necom830.hpcl.titech.ac.jp> <B98D66FF-E4EB-47BE-8302-D4C6D3E70238@icsi.berkeley.edu>

> But since, unless you manually or do some other finagling, you can't easily establish trust if you don't have trust above, root-servers.net should only sign after .net is signed at this point in the rollout.

The dependency on .net for the root name servers seems strange to me.

Intuitively, I should not have to trust .net to get a validated set of root name servers.

The names of the root name servers are somewhat arbitrary, and since they are very integral to the
root zone, it would seem more straightforward to not put them into a public registry TLD, but rather
to use a special TLD (e.g. "root-servers" or possibly a sub-domain of ARPA). I don't see any
reason to use a sub-zone; the records may as well go in the root, I think (allows a secure resolver
to start up slightly faster).

> And any PROPER usage of DNSSEC won't rely on root-servers.net ever being signed at all, because it's only on the name path for resolvers.

I think a proper use of DNSSEC is to use it to get a validated set of root server IP addresses.

This doesn't cure all the security ills of the world, but does constitute a small improvement in security,
especially for TLDs that have not yet been signed.

If TLDs also do not sign their name server domains, then a single blind spoof packet allows
an attacker to intercept all the traffic for a resolver. Even the root server traffic is somewhat
sensitive - it can often be what some end-user has just typed, which could well be confidential,
such as a password (e.g. they think they are entering a password, but are actually typing into an address bar).

Sure, it doesn't allow an attacker to forge signatures - but that's not the be-all and end-all of security.

I note that .se does sign its name servers.
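The dependency argued over in this message, as an added illustration that is not part of the thread or of any IETF work: a small Python model of the DNSSEC chain of trust that walks the zone cuts from the root down to the zone holding a name server's address records and reports which zone, if any, breaks the chain. The zone table is constructed for the example (it is not the real state of the DNS at any time) and the model is deliberately simplified: it ignores key rollover, algorithms and NSEC/NSEC3 proofs, and treats a zone as authenticated when it is signed and its already-authenticated parent publishes a DS for it. With `.net` unsigned, `a.root-servers.net` cannot be validated however well `root-servers.net` itself is signed; a signed TLD such as `.se`, a hypothetical `root-servers` TLD, or records placed directly in the root zone depend on nothing but the trust anchor.

```python
"""
Added example (not part of the thread): a small model of the DNSSEC chain
of trust, used to show which zones a validating resolver must rely on to
authenticate the address records of a name server.

All zone states below are constructed for illustration and do not describe
the real DNS at any point in time. The model ignores key rollover,
algorithm choice and NSEC/NSEC3 proofs; a zone is treated as authenticated
when it is signed and its parent (itself authenticated) publishes a DS for it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    signed: bool        # zone publishes DNSKEY RRs and signs its data
    ds_in_parent: bool  # the parent zone publishes a DS record for this zone


# Constructed zone tree. Only names listed here are zone cuts; any other
# name lives inside its closest listed ancestor.
ZONES: Dict[str, Zone] = {
    ".": Zone(signed=True, ds_in_parent=True),       # root: the trust anchor
    "net.": Zone(signed=False, ds_in_parent=False),  # parent TLD left unsigned
    "root-servers.net.": Zone(signed=True, ds_in_parent=False),  # signed, but no secure DS path
    "se.": Zone(signed=True, ds_in_parent=True),     # signed TLD, DS in root
    "root-servers.": Zone(signed=True, ds_in_parent=True),  # hypothetical special TLD
}


def normalize(name: str) -> str:
    """Lower-case and make the name fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def zone_path(name: str) -> List[str]:
    """Zone cuts crossed from the root down to the zone that holds `name`."""
    labels = [label for label in normalize(name).rstrip(".").split(".") if label]
    path = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONES:
            path.append(candidate)
    return path


def validate(name: str) -> Tuple[str, Optional[str]]:
    """Walk the chain of trust for `name`.

    Returns ("secure", None) when every zone cut on the path is signed and has
    a DS in its authenticated parent, otherwise ("insecure", <first zone at
    which the chain breaks>). Records below that zone cannot be authenticated
    no matter how carefully the zone itself is signed.
    """
    for zone in zone_path(name)[1:]:  # the root is the configured trust anchor
        state = ZONES[zone]
        if not (state.signed and state.ds_in_parent):
            return "insecure", zone
    return "secure", None


def operators_trusted(name: str) -> List[str]:
    """Zones (besides the root) whose operators you implicitly trust when you
    accept validated records for `name`: every zone cut on the path."""
    return zone_path(name)[1:]


if __name__ == "__main__":
    for n in ["a.root-servers.net", "a.ns.se", "a.root-servers", "a.in-the-root"]:
        print(f"{n:22} {validate(n)}  trusts: {operators_trusted(n) or ['(root only)']}")
```

The `operators_trusted` helper makes the message's point concrete: for `a.root-servers.net` the list is `["net.", "root-servers.net."]`, so a resolver validating the root server addresses through that path relies on the `.net` operator as well as the root, whereas a name held directly in the root zone yields an empty list.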