Re: [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

Edward Lewis <Ed.Lewis@neustar.biz> Tue, 21 April 2009 14:56 UTC

Mime-Version: 1.0
Message-Id: <a06240805c6138a622949@[10.31.200.142]>
In-Reply-To: <49EDA81E.2000600@ca.afilias.info>
References: <20090306141501.4BA2F3A6B4B@core3.amsl.com> <49EDA81E.2000600@ca.afilias.info>
Date: Tue, 21 Apr 2009 10:51:52 -0400
To: dnsop@ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: ed.lewis@neustar.biz
Subject: Re: [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

At 13:03 +0200 4/21/09, Shane Kerr wrote:

>The whole idea of offline storage for the zone itself is so fantastical

An artifact in the DNSSEC concept stemming from the days when DNSSEC 
was discussed in the Security Area of the IETF.  Fantastical is a 
good word.

>It might be more useful to recommend HSM - or at least encryption - for
>private key data. I didn't see any references to this, and AFAIK
>everybody does it (or feels guilty for not doing it).

I can't rationalize a justification of HSMs for DNSSEC.  I mean, 
outside of "doing it because we can say we do it" I think it is 
overkill (in some environments), and feel more guilty spending money 
on something I see as window dressing.

This comes from the observation that the contents of the database 
sourcing the zone (whether a commercial-like database or a vi'd file) 
are more critical than the private key.  (If) they are sufficiently 
protected, I'll just keep the private key behind the same 
fortifications.  So, what does an HSM add?

(Really, I'd like to know...;))

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
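The two threat-model cases argued over in this message (a compromised zone source versus a copied private key) can be made concrete with a small model. The following Go program is an added illustration, not code from the thread or from any DNSSEC signer: it uses a toy canonical form (SHA-256 over owner and rdata, not the RFC 4034 RRSIG construction), P-256 ECDSA from the standard library, a constructed sample record for www.example., and two assumed key holders, a file-based key and an HSM-style key whose only operation is "sign this digest". Scenario 1 rewrites the record at the source before signing; Scenario 2 copies the signing host and signs elsewhere.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer models where the DNSSEC private key lives. Both variants sign whatever
// digest they are handed; they differ only in whether the key can leave the box.
type Signer interface {
	Sign(digest []byte) ([]byte, error)
	Public() *ecdsa.PublicKey
	Export() (*ecdsa.PrivateKey, bool) // ok == false: key is non-exportable
}

// fileKey: private key on the signing host's disk, readable by anyone who copies the host.
type fileKey struct{ k *ecdsa.PrivateKey }

func (f fileKey) Sign(d []byte) ([]byte, error)      { return ecdsa.SignASN1(rand.Reader, f.k, d) }
func (f fileKey) Public() *ecdsa.PublicKey           { return &f.k.PublicKey }
func (f fileKey) Export() (*ecdsa.PrivateKey, bool)  { return f.k, true }

// hsmKey: same key material, but the only interface is "sign this digest"; Export always fails.
// (Assumed HSM behaviour for the model; a real device also rate-limits and logs.)
type hsmKey struct{ k *ecdsa.PrivateKey }

func (h hsmKey) Sign(d []byte) ([]byte, error)      { return ecdsa.SignASN1(rand.Reader, h.k, d) }
func (h hsmKey) Public() *ecdsa.PublicKey           { return &h.k.PublicKey }
func (h hsmKey) Export() (*ecdsa.PrivateKey, bool)  { return nil, false }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func NewFileKey() Signer { return fileKey{newKey()} }
func NewHSMKey() Signer  { return hsmKey{newKey()} }

// Zone is a toy stand-in for the database that sources the zone: owner name -> rdata.
type Zone map[string]string

// digest binds owner and rdata together (toy canonical form, not RFC 4034).
func digest(owner, rdata string) []byte {
	h := sha256.Sum256([]byte(owner + "\x00" + rdata))
	return h[:]
}

// SignZone signs every record and returns a per-owner signature (toy RRSIG).
func SignZone(z Zone, s Signer) (map[string][]byte, error) {
	sigs := make(map[string][]byte, len(z))
	for owner, rdata := range z {
		sig, err := s.Sign(digest(owner, rdata))
		if err != nil {
			return nil, err
		}
		sigs[owner] = sig
	}
	return sigs, nil
}

// Validates is what a validating resolver does with the published DNSKEY.
func Validates(pub *ecdsa.PublicKey, owner, rdata string, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(owner, rdata), sig)
}

// Scenario 1: the attacker edits the zone source before the signer runs.
// Returns true if the forged record ends up with a signature that validates.
func TamperedSourceValidates(s Signer) bool {
	zone := Zone{"www.example.": "192.0.2.1"} // constructed sample record
	zone["www.example."] = "198.51.100.66"     // attacker rewrites the A record at the source
	sigs, err := SignZone(zone, s)
	if err != nil {
		return false
	}
	return Validates(s.Public(), "www.example.", "198.51.100.66", sigs["www.example."])
}

// Scenario 2: the attacker copies the signing host and signs somewhere else.
// Returns true if the copy can produce a signature that validates under the published key.
func StolenKeyCanSign(s Signer) bool {
	stolen, ok := s.Export()
	if !ok {
		return false // HSM: nothing to copy; the attacker needs ongoing access to the box itself
	}
	sig, err := ecdsa.SignASN1(rand.Reader, stolen, digest("www.example.", "198.51.100.66"))
	if err != nil {
		return false
	}
	return Validates(s.Public(), "www.example.", "198.51.100.66", sig)
}

func main() {
	for name, s := range map[string]Signer{"file key": NewFileKey(), "hsm key": NewHSMKey()} {
		fmt.Printf("%-8s tampered source validates: %v, stolen key can sign: %v\n",
			name, TamperedSourceValidates(s), StolenKeyCanSign(s))
	}
}
```

Running it shows Scenario 1 succeeding for both key holders: a signer signs what the zone database hands it, so an HSM does nothing for a forged record at the source. Only Scenario 2 separates the two, since a file key copied off the host keeps producing valid signatures after the intrusion is over, while a non-exportable key ties the attacker to continued access to the box. Whether that difference is worth the money is exactly the question the message leaves open.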