Re: [DNSOP] draft-ietf-dnsop-dnssec-trust-history - discussion

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 17 September 2010 15:30 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EB79D3A6812 for <dnsop@core3.amsl.com>; Fri, 17 Sep 2010 08:30:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.137
X-Spam-Level:
X-Spam-Status: No, score=-100.137 tagged_above=-999 required=5 tests=[AWL=-0.391, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, MANGLED_LOW=2.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mzhQTVSfMTm for <dnsop@core3.amsl.com>; Fri, 17 Sep 2010 08:30:52 -0700 (PDT)
Received: from hoffman.proper.com (Hoffman.Proper.COM [207.182.41.81]) by core3.amsl.com (Postfix) with ESMTP id 9B9AC3A680C for <dnsop@ietf.org>; Fri, 17 Sep 2010 08:30:52 -0700 (PDT)
Received: from [10.20.30.158] (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id o8HFVEYv045304 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 17 Sep 2010 08:31:17 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p06240855c8b93727b62f@[10.20.30.158]>
In-Reply-To: <4C9342C1.309@nlnetlabs.nl>
References: <569C36E4-4F05-41B2-B0B8-A4B8228F13C9@googlemail.com> <p06240843c8b86ff53ffe@[10.20.30.158]> <4C9342C1.309@nlnetlabs.nl>
Date: Fri, 17 Sep 2010 08:31:12 -0700
To: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>, dnsop@ietf.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [DNSOP] draft-ietf-dnsop-dnssec-trust-history - discussion
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Sep 2010 15:30:54 -0000

At 12:28 PM +0200 9/17/10, W.C.A. Wijngaards wrote:
>Are you sure that we want to create a cross-dependency on the https
>security for the DNS security?

No, I am sure we don't want to create a forced cross-dependency on https. But that is far from the only choice.

We are talking about two different scenarios mixed as one, and I think we should differentiate them:

- The IANA trust anchor for the root

- All other trust anchors, both "alternate roots" and lower-in-the-tree fixed points

In the first case, we can rely on out-of-band fingerprints and so on being widely distributed in a reliable fashion. In the second case, we can make suggestions but we can't really rely on it.

I am only interested in the first case. I could care less about alternate DNSSEC roots, and the people I know who care about distribution of lower-in-the-tree trust anchors have enough control of the affected systems to deal with missed rollovers.

--Paul Hoffman, Director
--VPN Consortium
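The "out-of-band fingerprints" Paul refers to for the IANA root trust anchor are, in practice, DS-format records (key tag, algorithm, digest type, digest) published separately from the DNS itself. The check a validator operator performs is: take the DNSKEY actually received, compute its key tag and DS digest per RFC 4034, and compare with the fingerprint obtained out of band, so that the DNS trust chain never depends on how the key was fetched. The following is an added illustration by the editor of that check, not code from the thread, from IANA, or from any resolver; the DNSKEY and the anchor values are constructed toy data (the "key" is a few sequential bytes, not real key material) and `matches_trust_anchor` is an assumed helper name.

```python
import base64
import hashlib
import hmac


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (lowercase, uncompressed), RFC 4034 section 6.2."""
    name = name.lower()
    if name in ("", "."):
        return b"\x00"  # the root name is a single zero-length label
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(presentation: str) -> bytes:
    """Turn 'flags protocol algorithm base64-key' into DNSKEY RDATA wire bytes."""
    flags, proto, alg, *key = presentation.split()
    key_bytes = base64.b64decode("".join(key))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + key_bytes


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def matches_trust_anchor(owner: str, dnskey_presentation: str, anchor: dict) -> bool:
    """Compare a received DNSKEY against an out-of-band anchor {key_tag, algorithm,
    digest_type, digest}. Every field is checked so a wrong key is rejected even if
    it happens to share a key tag."""
    rdata = parse_dnskey(dnskey_presentation)
    if rdata[3] != anchor["algorithm"]:
        return False
    if key_tag(rdata) != anchor["key_tag"]:
        return False
    expected = anchor["digest"].upper().replace(" ", "")
    # Constant-time compare; the digest is public, but it is a good habit.
    return hmac.compare_digest(ds_digest(owner, rdata, anchor["digest_type"]), expected)


# Constructed sample: a toy KSK (flags 257, protocol 3, RSASHA256 = alg 8, "key" = bytes 1..8).
SAMPLE_DNSKEY = "257 3 8 AQIDBAUGBwg="
SAMPLE_OWNER = "."


def sample_anchor() -> dict:
    """The fingerprint one would have received out of band for the toy key (constructed here
    from the same key so the example is self-contained)."""
    rdata = parse_dnskey(SAMPLE_DNSKEY)
    return {"key_tag": key_tag(rdata), "algorithm": 8, "digest_type": 2,
            "digest": ds_digest(SAMPLE_OWNER, rdata, 2)}


if __name__ == "__main__":
    anchor = sample_anchor()
    print("key tag", anchor["key_tag"], "DS", anchor["digest"])
    print("matches:", matches_trust_anchor(SAMPLE_OWNER, SAMPLE_DNSKEY, anchor))
```

In real use the anchor dict is filled in from the separately distributed fingerprint (printed, shipped with the OS package, read from a signed file checked with a pre-installed key), never from the same channel as the DNSKEY being checked; that is what keeps the DNS trust chain free of the cross-dependency raised in the quoted message.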