Re: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-auto-cpsync-00

Wolfgang Nagele <wnagele@ripe.net> Tue, 29 June 2010 16:30 UTC

Message-ID: <4C2A1FA3.8050604@ripe.net>
Date: Tue, 29 Jun 2010 18:30:27 +0200
From: Wolfgang Nagele <wnagele@ripe.net>
Organization: RIPE NCC
To: Stephan Lagerholm <stephan.lagerholm@secure64.com>
References: <4C29F2FA.1000907@nlnetlabs.nl> <4C29FE8F.6030002@nlnetlabs.nl> <DD056A31A84CFC4AB501BD56D1E14BBB826B70@exchange.secure64.com> <4C2A0696.7080204@ripe.net> <DD056A31A84CFC4AB501BD56D1E14BBB826B87@exchange.secure64.com>
In-Reply-To: <DD056A31A84CFC4AB501BD56D1E14BBB826B87@exchange.secure64.com>
Cc: dnsop@ietf.org, Matthijs Mekking <matthijs@NLnetLabs.nl>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-auto-cpsync-00

Hi,

> My concern was not about the updates but rather about the gigantic
> number of keys a busy parent would have to create, revoke, store, renew,
> etc.
>
> It doesn't make sense to me to utilize symmetric encryption (such as
> TSIG) to solve this problem. A scheme that utilized an asymmetric key
> would be a much better fit. DNSSEC itself would be a strong candidate
> here.

The draft does not restrict which signature method is to be used. Anything that
DNS update messages support can be employed here. SIG(0) for example.

Also, the draft has details about the up- and downsides of using an additional
channel via DNS update messages in section 5 (Security Considerations).

Regards,
Wolfgang
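
The exchange above contrasts TSIG (a shared secret per child that the parent has to create, store and rotate) with SIG(0) (a public key the child publishes). The following is an added, self-contained Python example, not code from the thread, the draft or any DNS implementation; it builds a minimal DNS UPDATE that adds a DS record, authenticates it with TSIG (HMAC-SHA256, RFC 8945 layout), and verifies it the way a parent's server would. The zone, owner, key name, secret, DS rdata and timestamp are all constructed values. The `keyring` dictionary on the verifying side stands in for the per-child secret store that Stephan's message is worried about: every child needs its own entry, and a verifier holding that store can forge updates for every child in it, which is the asymmetry SIG(0) removes.

```python
"""Constructed example: DNS UPDATE authenticated with TSIG (HMAC-SHA256) and
verified server-side. Names are uncompressed; the parser rejects compression."""
import hashlib
import hmac
import struct

TSIG_TYPE = 250          # RR type of the TSIG pseudo-record
CLASS_ANY = 255          # TSIG RRs are carried in class ANY
HMAC_SHA256 = "hmac-sha256."


def encode_name(name: str) -> bytes:
    """Uncompressed, lowercased wire-format name (TSIG digests canonical form)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(buf: bytes, off: int):
    """Return (dotted name, offset past it); compressed labels are refused."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n & 0xC0:
            raise ValueError("compressed name not supported by this example")
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_update(zone, owner, rrtype, ttl, rdata, msg_id):
    """Minimal DNS UPDATE (opcode 5): one zone entry, one RR to add, no prereqs."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)  # SOA, IN
    update_rr = encode_name(owner) + struct.pack("!HHIH", rrtype, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update_rr


def _tsig_vars(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' appended to the message before digesting."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(algorithm) + struct.pack("!Q", time_signed)[2:]  # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_update(message, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR; the MAC covers the unsigned message plus the TSIG variables."""
    digest_input = message + _tsig_vars(key_name, HMAC_SHA256, time_signed, fudge)
    mac = hmac.new(secret, digest_input, hashlib.sha256).digest()
    msg_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(HMAC_SHA256) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))  # original ID, error, other len
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def verify_update(signed, keyring, now):
    """Server-side check: locate the trailing TSIG RR, look the key up in the
    per-child keyring, recompute the MAC, then check the time window.
    Returns (ok, rcode-style reason) in the order RFC 8945 prescribes."""
    counts = struct.unpack("!HHHHHH", signed[:12])
    off = 12
    for _ in range(counts[2]):                       # zone section entries
        off = _read_name(signed, off)[1] + 4
    starts = []
    for _ in range(counts[3] + counts[4] + counts[5]):  # prereq, update, additional
        starts.append(off)
        off = _read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = starts[-1]
    key_name, p = _read_name(signed, tsig_start)
    rtype = struct.unpack("!H", signed[p:p + 2])[0]
    if rtype != TSIG_TYPE:
        return False, "NOTSIG"
    algorithm, p = _read_name(signed, p + 10)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    q = p + 10 + mac_size
    _orig_id, error, other_len = struct.unpack("!HHH", signed[q:q + 6])
    other = signed[q + 6:q + 6 + other_len]
    secret = keyring.get(key_name.lower())
    if secret is None or algorithm.lower() != HMAC_SHA256:
        return False, "BADKEY"
    # Rebuild the message as digested by the sender: TSIG removed, ARCOUNT decremented.
    unsigned = signed[:10] + struct.pack("!H", counts[5] - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + _tsig_vars(key_name, algorithm, time_signed,
                                                      fudge, error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


if __name__ == "__main__":
    # Constructed values: a child pushing a DS record to its parent zone.
    secret = b"constructed-shared-secret"
    ds_rdata = b"\x30\x39\x08\x02" + b"\x00" * 32  # key tag 12345, alg 8, digest type 2
    msg = build_update("example.", "child.example.", 43, 3600, ds_rdata, 0x1234)
    signed = sign_update(msg, "child.key.", secret, 1277828427)
    print(verify_update(signed, {"child.key.": secret}, 1277828437))
```

The verifier looks the key up by the name carried in the TSIG RR, so the parent must hold one secret per child key name; a BADKEY result is what an unknown or mismatched child produces, and a tampered update body fails with BADSIG before the time window is even consulted.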