Re: [DNSOP] Should be signed

Masataka Ohta <> Mon, 08 March 2010 02:35 UTC

Date: Mon, 08 Mar 2010 11:34:42 +0900
From: Masataka Ohta <>
To: Jay Daley <>
Cc: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, dnsop WG <>
Subject: Re: [DNSOP] Should be signed

Jay Daley wrote:

> I think you are picking your own definition of security to suit
> your argument.

If you can deny the following reality:

>>The reality, however, is that ISPs are as secure/reliable/trustable
>>as zones, which means DNSSEC does not increase the level of security.

feel free to deny me. Otherwise, accept the reality.

> Are you suggesting that DNSSEC should have some how dealt with
> insecure/unreliable/untrustworthy ISPs?

DNS deals with zones as insecure/unreliable/untrustworthy as ISPs.

> DNS is largely asymmetric.  On the whole I produce, others consume.
> So why would I need to fate-share with any consumer of my DNS
> messages?

Fate sharing security is required for applications running on
end hosts. DNS security itself is abstract and is no goal.

> If so then please explain how you can reliably get keys for my zones 
> 1.  without a relying on others in a chain of trust

I can't, which is why DNSSEC is as insecure as plain DNS.

> 2.  in a way that scales

It seems to me that cryptographic, end to end, or fate sharing
security is not scalable.

						Masataka Ohta