Re: [DNSOP] fragile dnssec, was Fwd: New Version

[Mark Andrews <marka@isc.org>]

In message <20170816230917.4475.qmail@ary.lan>, "John Levine" writes:
> In article <20170816071920.BA2C98287EA4@rock.dv.isc.org> you write:
> >> A colleague says "If TLDs allowed UPDATE messages to be processed most
> >> of the issues with DNSSEC would go away. At the moment we have a whole
> >> series of kludges because people are scared of signed update messages."
> 
> Someone is wildly overoptimistic.  
> 
> The problem I run into over and over again is that I run someone's DNS
> and other services, but I am not the registrant and I am not the
> registrar, I just run the DNS.  Either I have to walk the registrant
> through the process of installing DNSSEC keys, or she has to give me
> her registrar account password, neither of which scales.  Slightly
> more automatic processing of updates for which I do not have the
> credentials will not help.

Or you can have credentials to allow the hoster to update the DS
records alone.  UPDATE allows for fine grained credentials.  Named
has had fine grain update support for over a decade now.  You can
specify keys that can do everything and you can specify keys that
can just update a single type.  This isn't hard to do.

The DNS hoster gives the registrant the public key they use to
update DS records.  This is passed to the registrar which uses it
to verify UPDATE requests that change the DS records.  You can do
similar with TSIG but that is a shared secret between three parties.

This is like using master keys and more specific keys.  The only
reason this isn't done today is that we aren't using UPDATE and are
forcing all the transactions through a web interface.

Mark

> R's,
> John
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org