Re: [DNSOP] Should root-servers.net be signed

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Sun, 07 March 2010 19:03 UTC

Message-ID: <4B93F864.9090003@necom830.hpcl.titech.ac.jp>
Date: Mon, 08 Mar 2010 04:03:00 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
To: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <A76BB63E-F13B-4D90-BABB-89EB06C8E5F0@rfc1035.com> <4B93A046.4020209@necom830.hpcl.titech.ac.jp> <B98D66FF-E4EB-47BE-8302-D4C6D3E70238@icsi.berkeley.edu>
In-Reply-To: <B98D66FF-E4EB-47BE-8302-D4C6D3E70238@icsi.berkeley.edu>
Cc: George Barwood <george.barwood@blueyonder.co.uk>, dnsop@ietf.org
Subject: Re: [DNSOP] Should root-servers.net be signed

Nicholas Weaver wrote:

>>That is, DNSSEC is not secure cryptographically, which is another
>>reason why not to deploy DNSSEC.

> I don't see what your argument here is.
> 
> DNSSEC is a "PKI in disguise", and like ANY PKI, you still depend
> on trust up the hierarchy,

Yes, you do understand the problem.

> But DNS has ALWAYS depended on trust-up-the-hierarchy anyway,
> so this aspect of DNSSEC doesn't increase the level of trust
> required in DNS,

The problem is that DNSSEC was wrongly advertised to increase
the level of security.

The reality, however, is that ISPs are as secure/reliable/trustable
as zones, which means DNSSEC does not increase the level of security.

> it IS a PKI

PKI is broken, of course. So?

> Additionally, since it would be end-host application validating
> those signatures, it can enforce that "there must exist a
> signature path from the root" (aka, it is actually a PKI). [1]

The meaningful security for end hosts is that the security is
broken only if one of the end hosts is compromised, which means
fate sharing, whereas, with DNSSEC, end hosts can do nothing if
intermediate zones are compromised.

> [1] Thus, you don't have to worry about also needing the name
> path for the resolvers signed or the DOS attack by a MitM
> stripping signatures as part of their changing DNS results.

MitM of a zone chain can easily change DNS results.

						Masataka Ohta
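The "signature path from the root" in Weaver's footnote [1] and Ohta's point about compromised intermediate zones, as an added toy model in Go that is not code from either author or from the DNSOP list: a validator walks from a trust anchor through parent-signed delegations down to the record. Zone names and records are constructed samples, Ed25519 stands in for real DNSSEC algorithms and record formats, and `Delegation`, `Sign`, `Validate` and `NewZoneKey` are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Toy chain-of-trust model (hypothetical, not DNSSEC wire format): one Ed25519 key per zone.
// Delegation stands in for DS + RRSIG(DS): the parent signs the child's key (a real DS carries its hash).
type Delegation struct {
	ChildKey ed25519.PublicKey
	Sig      []byte
}
func NewZoneKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	return priv
}
func Pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
// Delegate: the parent zone vouches for a child's key.
func Delegate(parent ed25519.PrivateKey, child ed25519.PublicKey) Delegation {
	return Delegation{ChildKey: child, Sig: ed25519.Sign(parent, child)}
}
// Sign: a zone signs one of its own records (stand-in for RRSIG over an RRset).
func Sign(zone ed25519.PrivateKey, data string) []byte { return ed25519.Sign(zone, []byte(data)) }
// Validate walks from the trust anchor down the delegations and checks the record with the last key
// reached. Altered or stripped data fails; a key that an intermediate zone delegated to is trusted as-is.
func Validate(anchor ed25519.PublicKey, chain []Delegation, data string, sig []byte) bool {
	key := anchor
	for _, d := range chain {
		if !ed25519.Verify(key, d.ChildKey, d.Sig) {
			return false
		}
		key = d.ChildKey
	}
	return ed25519.Verify(key, []byte(data), sig)
}

func main() {
	root, tld, site := NewZoneKey(), NewZoneKey(), NewZoneKey() // ".", "example.", "www.example."
	chain := []Delegation{Delegate(root, Pub(tld)), Delegate(tld, Pub(site))}
	sig := Sign(site, "www.example. A 192.0.2.1") // constructed sample record
	fmt.Println("honest chain:", Validate(Pub(root), chain, "www.example. A 192.0.2.1", sig))
	fmt.Println("altered body:", Validate(Pub(root), chain, "www.example. A 192.0.2.99", sig))
	other := NewZoneKey() // any key "example." delegates to is accepted for www.example. answers
	fmt.Println("other key under example.:", Validate(Pub(root), []Delegation{chain[0], Delegate(tld, Pub(other))}, "www.example. A 203.0.113.5", Sign(other, "www.example. A 203.0.113.5")))
}
```

An altered record or a stripped delegation fails the check, so the MitM case in [1] is detected by a validating end host. Any key that the `example.` zone signs a delegation for is accepted for `www.example.` answers, which is the dependence on intermediate zones that the reply describes.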