Re: [DNSOP] Should root-servers.net be signed

bmanning@vacation.karoshi.com Sun, 07 March 2010 12:37 UTC

Date: Sun, 07 Mar 2010 12:37:12 +0000
From: bmanning@vacation.karoshi.com
To: Jim Reid <jim@rfc1035.com>
Message-ID: <20100307123712.GA9325@vacation.karoshi.com.>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <A76BB63E-F13B-4D90-BABB-89EB06C8E5F0@rfc1035.com>
In-Reply-To: <A76BB63E-F13B-4D90-BABB-89EB06C8E5F0@rfc1035.com>
Cc: George Barwood <george.barwood@blueyonder.co.uk>, dnsop@ietf.org
Subject: Re: [DNSOP] Should root-servers.net be signed

 ah come on Jim... folks should sign their zones as soon
 as they see fit, regardless of parental buy-in.  so the
 one true root or even .net being signed doesn't really matter
 if the root-servers.net zone gets signed tomorrow.

 how useful it will be, who knows... not sure how the value
 proposition works for any given second or third level delegation
 being signed.

--bill



On Sun, Mar 07, 2010 at 10:20:17AM +0000, Jim Reid wrote:
> On 7 Mar 2010, at 08:06, George Barwood wrote:
> 
> > If root-servers.net is unsigned, it's not possible for the resolver
> > to validate the set of root IP addresses
> 
> So what? If the served zones are signed, it simply doesn't matter if
> the address of a name server is spoofed or hijacked. The Bad Guy won't
> have the private keys, so will be unable to return answers which
> validate. In the context of a referral from the root, what matters is
> the signature over the TLD's RRset (and its KSKs), not the IP address
> of the root server or any signature that might or might not exist over
> its name.
> 
> > (a) An attacker can control every unsigned zone.
> >
> > (b) An attacker can monitor every request to a signed zone (no
> > privacy).
> >
> > (c) An attacker can deny service to any zone, on a selective basis.
> 
> It's not clear what point you're making or what your concerns are.
> None of these things listed above are remotely relevant. Apart from
> (a) which is hardly news: zones can be spoofed if they're not signed.
> [What next? Can we expect revelations about what bears do in the
> woods?] Privacy -- whatever that might mean -- has never been a design
> goal of DNS. Or Secure DNS for that matter. An eavesdropper can
> monitor *any* DNS request (signed or not) if they're close enough to
> the client or server. DoS attacks can and are mounted on any zone,
> whether or not they're signed. Meanwhile, in other news, water is
> discovered to be wet and fire is proven to be hot.
> 
> > Apparently there are currently no plans to sign root-servers.net
> 
> There's no point doing that IMO until .net is signed and there's a
> single chain of trust from root-servers.net to the One True Trust
> Anchor, the signed root. If the zone was to be self-signed, that would
> mean yet another TA would need to be embedded and maintained in
> validator configurations. Which creates more failure modes and scope
> for errors. And since validating the answers for root-servers.net will
> rarely if ever matter, adding that TA would be a lot of risk for
> almost no reward.
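Two claims in the quoted reply can be checked mechanically: a validator decides on signatures chained from its trust anchor, so the address a referral came from never enters into it, and a self-signed root-servers.net with no DS in .net is an island of security that validates only if a second trust anchor is configured. The Go program below is an added example written for this archive page, not code from the thread or from any DNS implementation. It stands in Ed25519 signatures and a simple string encoding for the real RRSIG/DNSKEY/DS wire formats, and every key, zone name and address in it (198.41.0.4 and 192.0.2.66 included) is sample data constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// SignedRRset is a simplified RRset plus its RRSIG; note that nothing records
// which server address the data came from, because validation never uses it.
type SignedRRset struct {
	Owner, Type string   // e.g. "net.", "DS"
	Data        []string // one string per RR
	Sig         []byte   // Ed25519 signature over canonical()
}

// canonical is the byte string a signature covers (constructed encoding, not RFC 4034 form).
func (r SignedRRset) canonical() []byte {
	return []byte(r.Owner + "|" + r.Type + "|" + strings.Join(r.Data, "|"))
}

func sign(priv ed25519.PrivateKey, owner, typ string, data ...string) SignedRRset {
	rr := SignedRRset{Owner: owner, Type: typ, Data: data}
	rr.Sig = ed25519.Sign(priv, rr.canonical())
	return rr
}

// dsDigest is what a parent publishes in a DS record for a child's DNSKEY.
func dsDigest(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// ZoneData is what some server, trusted or not, returned for one zone.
type ZoneData struct {
	Name   string
	DNSKEY ed25519.PublicKey
	DS     map[string]SignedRRset // signed DS RRsets for delegated children, by child name
}

// Validate checks answer against the chain zones[0] (top) .. zones[n-1] (the zone holding
// the answer): zones[0].DNSKEY must be a configured anchor, each later DNSKEY must match a DS
// RRset signed by its parent, and the answer's RRSIG must verify under the last DNSKEY.
func Validate(anchors map[string]ed25519.PublicKey, zones []ZoneData, answer SignedRRset) error {
	var key ed25519.PublicKey // DNSKEY proven trustworthy for the last zone examined
	for i, z := range zones {
		key = z.DNSKEY
		if i == 0 {
			if ta, ok := anchors[z.Name]; !ok || !ta.Equal(key) {
				return fmt.Errorf("%s: DNSKEY is not a configured trust anchor", z.Name)
			}
			continue
		}
		parent, matched := zones[i-1], false
		ds, ok := parent.DS[z.Name]
		if !ok {
			return fmt.Errorf("%s: no DS record in parent %s", z.Name, parent.Name)
		}
		if !ed25519.Verify(parent.DNSKEY, ds.canonical(), ds.Sig) {
			return fmt.Errorf("%s: DS RRset does not verify with %s DNSKEY", z.Name, parent.Name)
		}
		for _, d := range ds.Data {
			matched = matched || d == dsDigest(key)
		}
		if !matched {
			return fmt.Errorf("%s: DNSKEY does not match the DS its parent signed", z.Name)
		}
	}
	if key == nil || !ed25519.Verify(key, answer.canonical(), answer.Sig) {
		return fmt.Errorf("%s %s: no RRSIG that verifies with the zone's DNSKEY", answer.Owner, answer.Type)
	}
	return nil
}

// Scenario returns [genuine answer through the full chain validates, forged answer validates,
// self-signed island validates with only the root anchor, island validates with its own anchor].
func Scenario() [4]bool {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // sample keys; rand errors
	netPub, netPriv, _ := ed25519.GenerateKey(rand.Reader)   // are ignored for brevity
	rsPub, rsPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	root := ZoneData{".", rootPub, map[string]SignedRRset{"net.": sign(rootPriv, "net.", "DS", dsDigest(netPub))}}
	net := ZoneData{"net.", netPub, map[string]SignedRRset{"root-servers.net.": sign(netPriv, "root-servers.net.", "DS", dsDigest(rsPub))}}
	rs := ZoneData{"root-servers.net.", rsPub, nil}
	genuine := sign(rsPriv, "a.root-servers.net.", "A", "198.41.0.4")     // sample data
	forged := sign(attackerPriv, "a.root-servers.net.", "A", "192.0.2.66") // spoofed server, no zone key
	anchors := map[string]ed25519.PublicKey{".": rootPub}
	var r [4]bool
	r[0] = Validate(anchors, []ZoneData{root, net, rs}, genuine) == nil
	r[1] = Validate(anchors, []ZoneData{root, net, rs}, forged) == nil
	r[2] = Validate(anchors, []ZoneData{root, {"net.", netPub, nil}, rs}, genuine) == nil // net. publishes no DS
	anchors["root-servers.net."] = rsPub // the extra trust anchor the reply objects to
	r[3] = Validate(anchors, []ZoneData{rs}, genuine) == nil
	return r
}

func main() { fmt.Println(Scenario()) }
```

Running it prints [true false false true]. Validate never sees an address: a hijacked or spoofed server can hand back whatever it likes, but without the zone's private key its RRSIG fails the final check, and substituting its own DNSKEY fails one step earlier because that key's digest is not in the DS RRset the parent signed. The third case is the island: the chain breaks at "no DS record in parent net." however well root-servers.net itself is signed, and the fourth case only passes after a second anchor is added to the validator's configuration, which is the extra trust anchor (and extra failure mode) the reply is weighing against the benefit.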