Re: [DNSOP] Should root-servers.net be signed

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Mon, 08 March 2010 02:35 UTC

Return-Path: <mohta@necom830.hpcl.titech.ac.jp>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C12D33A6852 for <dnsop@core3.amsl.com>; Sun, 7 Mar 2010 18:35:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.053
X-Spam-Level:
X-Spam-Status: No, score=0.053 tagged_above=-999 required=5 tests=[AWL=0.143, BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4IY7CAgFdfKf for <dnsop@core3.amsl.com>; Sun, 7 Mar 2010 18:35:44 -0800 (PST)
Received: from necom830.hpcl.titech.ac.jp (necom830.hpcl.titech.ac.jp [131.112.32.132]) by core3.amsl.com (Postfix) with SMTP id ADF853A684E for <dnsop@ietf.org>; Sun, 7 Mar 2010 18:35:42 -0800 (PST)
Received: (qmail 54480 invoked from network); 8 Mar 2010 03:41:43 -0000
Received: from bmdi3229.bmobile.ne.jp (HELO necom830.hpcl.titech.ac.jp) (202.221.175.229) by necom830.hpcl.titech.ac.jp with SMTP; 8 Mar 2010 03:41:43 -0000
Message-ID: <4B946242.7020407@necom830.hpcl.titech.ac.jp>
Date: Mon, 08 Mar 2010 11:34:42 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: ja, en
MIME-Version: 1.0
To: Jay Daley <jay@nzrs.net.nz>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <A76BB63E-F13B-4D90-BABB-89EB06C8E5F0@rfc1035.com> <4B93A046.4020209@necom830.hpcl.titech.ac.jp> <B98D66FF-E4EB-47BE-8302-D4C6D3E70238@icsi.berkeley.edu> <4B93F864.9090003@necom830.hpcl.titech.ac.jp> <7FDA3487-44F4-495F-94AC-1A18AC090DFB@nzrs.net.nz>
In-Reply-To: <7FDA3487-44F4-495F-94AC-1A18AC090DFB@nzrs.net.nz>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Should root-servers.net be signed
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2010 02:35:45 -0000

Jay Daley wrote:

> I think you are picking your own definition of security to suit
> your argument.

If you can deny the following reality:

>>The reality, however, is that ISPs are as secure/reliable/trustable
>>as zones, which means DNSSEC does not increase the level of security.

feel free to deny me. Otherwise, accept the reality.

> Are you suggesting that DNSSEC should have somehow dealt with
> insecure/unreliable/untrustworthy ISPs?

DNS deals with zones that are as insecure/unreliable/untrustworthy as ISPs.

> DNS is largely asymmetric.  On the whole I produce, others consume.
> So why would I need to fate-share with any consumer of my DNS
> messages?

DNS?

Fate sharing security is required for applications running on
end hosts. DNS security itself is abstract and is no goal.

> If so then please explain how you can reliably get keys for my zones
> 1.  without relying on others in a chain of trust

I can't, which is why DNSSEC is as insecure as plain DNS.

> 2.  in a way that scales

It seems to me that cryptographic, end to end, or fate sharing
security is not scalable.

						Masataka Ohta