Re: [DNSOP] [Ext] Re: I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-01.txt

Andrew Sullivan <ajs@anvilwalrusden.com> Thu, 01 June 2017 15:35 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DE9C129557 for <dnsop@ietfa.amsl.com>; Thu, 1 Jun 2017 08:35:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=D/uBPvDT; dkim=pass (1024-bit key) header.d=yitter.info header.b=RFnTlUVM
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oToeirsqV8-v for <dnsop@ietfa.amsl.com>; Thu, 1 Jun 2017 08:35:30 -0700 (PDT)
Received: from mx4.yitter.info (mx4.yitter.info [159.203.56.111]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7CE5129549 for <dnsop@ietf.org>; Thu, 1 Jun 2017 08:35:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mx4.yitter.info (Postfix) with ESMTP id 27BF2BE228 for <dnsop@ietf.org>; Thu, 1 Jun 2017 15:35:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1496331300; bh=MbFe0Us9e1CHm2Ju0hluc6dgGNTBN2bbE3GpKhSe6kI=; h=Date:From:To:Subject:References:In-Reply-To:From; b=D/uBPvDTTjTsgId2NuVh0M1e25ed2bQ3/fE7X9GadMlF+Gxkhm2Mx+ftutrw83mDW XPfT1MJHbsUFDgbuG3rORe7I6vEwvK77Lj7f5Nt4uh0pBwW0ZhZq9SUWYvdIVAXxou enmyxYzuY4IoULWIqhpU6T1aIfwuRosbiK6cUuks=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx4.yitter.info ([127.0.0.1]) by localhost (mx4.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4WqHUCQfTwDk for <dnsop@ietf.org>; Thu, 1 Jun 2017 15:34:58 +0000 (UTC)
Date: Thu, 1 Jun 2017 11:34:56 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1496331298; bh=MbFe0Us9e1CHm2Ju0hluc6dgGNTBN2bbE3GpKhSe6kI=; h=Date:From:To:Subject:References:In-Reply-To:From; b=RFnTlUVM+unnKl7e5sE0sriUPwKnIysP2s4RQQm8qgl57AkznBGLFbTgmk5xI8qSl JUawUN0DVX3uS2E2XXanA1U3He9Jq3fxy5hRBa56kaIsDLJge/pEy2A+EVHHSpBlMO OxHL/ebObGhctunCZ/TgHH5fG5g4rhGgBo6zViN8=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20170601153456.n3brxhimjrgq2kip@mx4.yitter.info>
References: <149560445570.28419.14767177653896917226@ietfa.amsl.com> <33126a41-8fb6-b2d9-8d1d-2d6a9a8cf0d5@comcast.net> <ybl60gq9bq2.fsf@wu.hardakers.net> <8AF24B97-BB51-4A1C-8FF2-C53B32552ACA@vpnc.org> <401caf02-5631-de42-489c-8ca3346456a4@nthpermutation.com> <20170526015222.C1FE979B8C4F@rock.dv.isc.org> <2e27b3d9-04f7-c063-1b3a-699a41fa32df@nthpermutation.com> <B5F083EA-D82F-4502-AF3B-46CF46089203@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <B5F083EA-D82F-4502-AF3B-46CF46089203@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SlpEmr0rCCJp6Qzsj782y4EEtN4>
Subject: Re: [DNSOP] [Ext] Re: I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jun 2017 15:35:32 -0000

On Wed, May 31, 2017 at 07:44:46PM +0000, Edward Lewis wrote:
> I ask because of the issues raised in the thread regarding the number of keys assumed in the operation.  Automated Updates apparently (to me) was defined with more than one active secure entry point in mind, but in practice, the only operating example I've witnessed of Automated Updates relies on a single active secure entry point.
> 

Remember that when DNSEXT selected the TA rollover mechanism, many of
us believed that signing the root was a pipe dream akin to the single
trust anchor for the RPKI.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com