Re: [DNSOP] DNSSEC as a Best Current Practice

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Tue, 22 March 2022 08:20 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/joSDjK_wXHTU7OEYz06nkjMAM2g>

Brian Dickson wrote:

>>>> If a resolver correctly knows an IP address of a nameserver of a
>>>> parent zone

>> The statement is not more demanding for resolvers to be configured
>> with correct certificates.

> I'm presuming you mean "DNSSEC ICANN/IANA Root Trust Anchor", which is a
> public key, not a certificate per se.

OK.

> I presume you're comparing two models, one using DNSSEC, and one where no
> DNSSEC validation is done ever (replaced with TLS,

No, TLS is overkill. Plain DNS with a long enough message ID is
secure enough. Though it is vulnerable to active MitM attacks,
where packets are not only spoofed but also dropped, modified
and/or generated, such attacks are as likely/unlikely as
having a fake root trust anchor through social attacks
(including legal order by some government).

As for DoS, IMO, anycast is the only practical protection.

					Masataka Ohta
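Added example, not part of Ohta's message or the thread: a small Python model of the blind-forgery argument above, from the resolver operator's side. It shows that the wire-format DNS ID field is only 16 bits, so "long enough" has to come from additional entropy such as a randomized source port, and it quantifies how many blind forgeries an off-path spoofer would need on average. Bit counts and packet counts are constructed assumptions; the model covers off-path guessing only, not the on-path MitM the message itself sets aside.

```python
import struct

# Assumed model parameters (constructed for this example).
DNS_ID_BITS = 16   # the DNS header ID field is 16 bits on the wire
PORT_BITS = 16     # ephemeral source port, if randomized (RFC 5452 practice)


def build_query_header(txid: int, rd: bool = True) -> bytes:
    """Pack a DNS header with QDCOUNT=1; txid must fit the 16-bit ID field."""
    if not 0 <= txid <= 0xFFFF:
        raise ValueError("DNS message ID is a 16-bit field; use extra entropy elsewhere")
    flags = 0x0100 if rd else 0x0000  # RD bit set for a recursive query
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def parse_txid(header: bytes) -> int:
    """Extract the 16-bit ID from a DNS header (first two bytes, network order)."""
    return struct.unpack("!H", header[:2])[0]


def effective_entropy(id_bits: int = DNS_ID_BITS, randomized_port: bool = True,
                      extra_bits: int = 0) -> int:
    """Bits an off-path forger must guess: ID, plus source port if randomized,
    plus any further entropy (e.g. 0x20 query-name case randomization)."""
    return id_bits + (PORT_BITS if randomized_port else 0) + extra_bits


def guess_probability(entropy_bits: int, forged_packets: int) -> float:
    """Probability that at least one of `forged_packets` independent blind
    guesses matches a single outstanding query with `entropy_bits` of
    unguessable state. Only valid for off-path attackers; an on-path
    attacker sees the real ID and this bound does not apply."""
    space = 2 ** entropy_bits
    return 1.0 - (1.0 - 1.0 / space) ** forged_packets


def expected_forgeries(entropy_bits: int) -> int:
    """Average number of blind forgeries per success against one query."""
    return 2 ** entropy_bits
```

With a 16-bit ID alone the expected cost is 65536 forged packets, trivially cheap on a LAN-speed link; adding a randomized port pushes it to 2^32, which is what "long enough" means in practice today.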