Re: [DNSOP] DNSSEC as a Best Current Practice

Paul Wouters <paul@nohats.ca> Mon, 11 April 2022 14:33 UTC

Date: Mon, 11 Apr 2022 10:33:07 -0400
From: Paul Wouters <paul@nohats.ca>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
In-Reply-To: <dc4a21ee-cc4c-9cb1-9a56-b4992201378c@necom830.hpcl.titech.ac.jp>
Message-ID: <c47227f6-5556-1e75-3a48-8aa6bad498ac@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mwgjygbc-Gr58NslMiRkbpQBilQ>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice

On Mon, 11 Apr 2022, Masataka Ohta wrote:

> I can't see any reason why you think the root zone is
> more secure than TLDs, especially because, as I wrote:

Because I am informed about their operational procedures and I
contributed to the technical design as one of the members of the
advisory group for the DNS Root Zone Key-Signing-Key Rollover.

I was also responsible for the design and implementation of a large
TLD's fully redundant DNSSEC signer solution.

I talked to a lot of TLD operators at ICANN during my term as the
IETF Liaison to the ICANN Technical Expert Group.

> :  Third, all the CAs, including TLDs, pursuing commercial
> :  success have very good appearance using such words as
> :  "HSMs" or "four eyes minimum". That is, you can't
> :  compare actual operational/physical strength from
> :  their formal documents.

This is an anecdote, not a logically reasoned argument.

> :  A false sense of security that DNSSEC were
> :  cryptographically secure

This remains factually incorrect, no matter how many times you quote
yourself.

> : motivates the operators
> :  ignore DNSSEC operation rules, which are very
> :  complicated and hard to follow, for relatively
> :  strong physical security, which might be what
> :  happened in diginotar.

This is hearsay combined with personal opinion that is unsubstantiated
by facts.

As for your other mail to the list, it seems we do not in fact have an
ongoing discussion. You keep repeating and quoting yourself as evidence
while people keep telling you they disagree with your quotes.

But to make it abundantly clear that this is not a discussion, I shall
refrain from further messages so you cannot miscategorize my
correspondence as a "discussion of peers".

Paul