Re: [DNSOP] Should be signed

Masataka Ohta <> Sun, 07 March 2010 19:03 UTC

Message-ID: <>
Date: Mon, 08 Mar 2010 04:03:00 +0900
From: Masataka Ohta <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: ja, en
MIME-Version: 1.0
To: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: George Barwood <>,
Subject: Re: [DNSOP] Should be signed
List-Id: IETF DNSOP WG mailing list <>

Nicholas Weaver wrote:

>> That is, DNSSEC is not secure cryptographically, which is another
>> reason why not to deploy DNSSEC.

> I don't see what your argument here is.
> DNSSEC is a "PKI in disguise", and like ANY PKI, you still depend
> on trust up the hierarchy,

Yes, you do understand the problem.

> But DNS has ALWAYS depended on trust-up-the-hierarchy anyway,
> so this aspect of DNSSEC doesn't increase the level of trust
> required in DNS,

The problem is that DNSSEC was wrongly advertised to increase
the level of security.

The reality, however, is that ISPs are as secure/reliable/trustable
as zones, which means DNSSEC does not increase the level of security.

> it IS a PKI

PKI is broken, of course. So?

> Additionally, since it would be end-host application validating
> those signatures, it can enforce that "there must exist a
> signature path from the root" (aka, it is actually a PKI). [1]

The meaningful security for end hosts is that the security is
broken only if one of the end hosts is compromised, which means
fate sharing, whereas, with DNSSEC, end hosts can do nothing if
intermediate zones are compromised.

> [1] Thus, you don't have to worry about also needing the name
> path for the resolvers signed or the DOS attack by a MitM
> stripping signatures as part of their changing DNS results.

MitM of a zone chain can easily change DNS results.

						Masataka Ohta
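The two positions above (Weaver's footnote [1]: an end host that validates from the root catches stripped or rewritten answers; Ohta's reply: the end host can do nothing if a zone in the middle of the chain is compromised) can both be seen in a small validator. The following is an added example written for this archive page, not code from either poster or from any DNS implementation. It models a DNSSEC-style chain of trust with textbook RSA on small deterministic primes (not secure, illustration only), SHA-256 of the child key as the DS record, and a constructed hierarchy root -> "test" -> "example.test"; every zone name, address and key seed is hypothetical.

```python
"""Toy DNSSEC chain-of-trust validator (added example; constructed names/keys)."""
import hashlib
from math import gcd

E = 65537  # public exponent shared by all toy keys


def _next_prime(n):
    """Smallest prime > n by trial division; adequate for ~1e9-sized seeds."""
    while True:
        n += 1
        if all(n % k for k in range(2, int(n ** 0.5) + 1)):
            return n


def make_key(seed):
    """Deterministic textbook-RSA keypair ((n, e), d). NOT secure; illustration only."""
    p, q = _next_prime(seed), _next_prime(2 * seed)
    while gcd(E, (p - 1) * (q - 1)) != 1:
        p, q = _next_prime(p), _next_prime(q)
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))


def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    (n, _), d = key
    return pow(_h(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data, n)


def ds_digest(pub):
    """DS record: hash of the child's public key, published and signed by the parent."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).digest()


def publish_zone(key, children, a_records):
    """What a signed zone serves: its DNSKEY, a signed DS per child, signed A records."""
    return {
        "DNSKEY": key[0],
        "DS": {c: (ds_digest(cp), sign(key, b"DS" + c.encode() + ds_digest(cp)))
               for c, cp in children.items()},
        "A": {o: (ip, sign(key, b"A" + o.encode() + ip.encode()))
              for o, ip in a_records.items()},
    }


def validate(dns, anchor_pub, chain, owner):
    """End-host validation: trust only the root key, walk `chain` (root first),
    check each DS->DNSKEY link, then the A record's signature."""
    parent_pub = anchor_pub
    for parent, child in zip(chain, chain[1:]):
        entry = dns[parent]["DS"].get(child)
        if entry is None:
            return "BOGUS", None  # delegation without DS: treated as bogus in this toy
        digest, sig = entry
        if not verify(parent_pub, b"DS" + child.encode() + digest, sig):
            return "BOGUS", None  # DS not signed by a key we already trust
        child_pub = dns[child]["DNSKEY"]
        if ds_digest(child_pub) != digest:
            return "BOGUS", None  # child's published key does not match the parent's DS
        parent_pub = child_pub    # the chain now vouches for the child's key
    ip, sig = dns[chain[-1]]["A"].get(owner, (None, None))
    if ip is None or not verify(parent_pub, b"A" + owner.encode() + ip.encode(), sig):
        return "BOGUS", None
    return "SECURE", ip


# Constructed hierarchy and key seeds (hypothetical).
CHAIN = [".", "test", "example.test"]
ROOT_KEY = make_key(1_000_000_000)
TLD_KEY = make_key(1_500_000_000)
ZONE_KEY = make_key(1_800_000_000)


def build_dns():
    return {
        ".": publish_zone(ROOT_KEY, {"test": TLD_KEY[0]}, {}),
        "test": publish_zone(TLD_KEY, {"example.test": ZONE_KEY[0]}, {}),
        "example.test": publish_zone(ZONE_KEY, {}, {"www.example.test": "192.0.2.10"}),
    }


def honest_answer():
    return validate(build_dns(), ROOT_KEY[0], CHAIN, "www.example.test")


def tampered_answer():
    """On-path rewrite of the A record without the zone key (Weaver's [1]):
    the old signature no longer verifies, so the end host rejects the answer."""
    dns = build_dns()
    _, old_sig = dns["example.test"]["A"]["www.example.test"]
    dns["example.test"]["A"]["www.example.test"] = ("198.51.100.99", old_sig)
    return validate(dns, ROOT_KEY[0], CHAIN, "www.example.test")


def compromised_parent_answer():
    """Ohta's objection: if the parent zone's key is misused to publish a DS for a
    key the child never held, the end host sees a fully SECURE chain and has no
    way to tell.  Mitigation is operational: protect every key on the path and
    monitor the DS records your parent publishes for you."""
    dns = build_dns()
    rogue_key = make_key(1_900_000_000)
    dns["test"] = publish_zone(TLD_KEY, {"example.test": rogue_key[0]}, {})
    dns["example.test"] = publish_zone(rogue_key, {}, {"www.example.test": "203.0.113.7"})
    return validate(dns, ROOT_KEY[0], CHAIN, "www.example.test")


if __name__ == "__main__":
    print("honest:", honest_answer())
    print("tampered in transit:", tampered_answer())
    print("parent key misused:", compromised_parent_answer())
```

Running it shows the honest chain as SECURE, the in-transit rewrite as BOGUS, and the parent-key case as SECURE with the wrong address: the validator proves only that each link was signed by the key the link above vouched for, which is exactly the "trust up the hierarchy" property the thread is arguing about. Real DNSSEC additionally requires an authenticated denial (NSEC/NSEC3) before treating a missing DS as an unsigned delegation; this toy simply reports BOGUS there.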