Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

David Conrad <drc@virtualized.org> Sun, 15 March 2015 16:22 UTC

From: David Conrad <drc@virtualized.org>
In-Reply-To: <5505337B.9030608@redbarn.org>
Date: Sun, 15 Mar 2015 09:22:02 -0700
Message-Id: <1321C097-56F6-4A9F-8C22-B11185A47426@virtualized.org>
References: <20150312125913.20188.qmail@cr.yp.to> <3D558422-D5DA-4434-BDED-E752BA353358@flame.org> <m27fulry37.wl%randy@psg.com> <55030A28.8050707@necom830.hpcl.titech.ac.jp> <5503101F.9060205@redbarn.org> <968C470DAC25FB419E0159952F28F0C06DF659F0@MEM0200CP3XF04.ds.irsnet.gov> <00B5D36F-5DFA-46EE-B61B-F5307738A910@icsi.berkeley.edu> <5503A412.20602@redbarn.org> <64FF8B96-F823-41AD-80FD-0006A278F03F@icsi.berkeley.edu> <5505337B.9030608@redbarn.org>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/UfYTQ3-WXihd2eTJ4yLL_vmlJns>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Hi,

>> "DNS is insecure, live with it" may be the best answer. Why keep throwing good effort after bad?
> it's not, though, the best answer. we have to secure the DNS resolution path.

Probably a terminology issue, but I think we need to secure the data, not the resolution path.

I'm not a particular fan of DNSSEC for a number of reasons; however, what the Kaminsky thing demonstrated to me was that, as long as the data is not protected, there are going to be path-based attacks that are going to allow for compromise. I see DNSSEC as a way of being able to stop playing whack-a-mole with those path-based attacks.

>  i'd rather see them turn off validation than see negative trust anchors added to the specification.

Simply: I believe without NTAs, DNSSEC will not get deployed except by a few 'true believers'.

Regards,
-drc