Re: [DNSOP] DNSSEC as a Best Current Practice

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Mon, 11 April 2022 14:09 UTC

Return-Path: <mohta@necom830.hpcl.titech.ac.jp>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEC4F3A1777 for <dnsop@ietfa.amsl.com>; Mon, 11 Apr 2022 07:09:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 813oCEgNXEc8 for <dnsop@ietfa.amsl.com>; Mon, 11 Apr 2022 07:09:24 -0700 (PDT)
Received: from necom830.hpcl.titech.ac.jp (necom830.hpcl.titech.ac.jp [131.112.32.132]) by ietfa.amsl.com (Postfix) with SMTP id BF7513A176E for <dnsop@ietf.org>; Mon, 11 Apr 2022 07:09:22 -0700 (PDT)
Received: (qmail 32799 invoked from network); 11 Apr 2022 14:05:10 -0000
Received: from necom830.hpcl.titech.ac.jp (HELO ?127.0.0.1?) (131.112.32.132) by necom830.hpcl.titech.ac.jp with SMTP; 11 Apr 2022 14:05:10 -0000
Message-ID: <dc4a21ee-cc4c-9cb1-9a56-b4992201378c@necom830.hpcl.titech.ac.jp>
Date: Mon, 11 Apr 2022 23:09:18 +0900
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-US
To: Paul Wouters <paul@nohats.ca>, "dnsop@ietf.org WG" <dnsop@ietf.org>
References: <57f1c37b-497c-e1a0-329c-4b9c8b7e197b@necom830.hpcl.titech.ac.jp> <A9F689C9-4ABF-4947-AA6B-56E2F0C17D13@nohats.ca> <9732682e-78e7-f6bf-84fc-685de22d5e12@necom830.hpcl.titech.ac.jp> <350d8ab8-0477-b656-8b08-56f7561a7fda@necom830.hpcl.titech.ac.jp> <CAH1iCiqkAPHq1QBKdkbh86j8UhimjEMG9DU15O9Tkch4BedBjg@mail.gmail.com> <0e2dffab-6afc-b1b6-9028-175f89f0d29e@necom830.hpcl.titech.ac.jp> <b3bf6748-be6d-a287-27e4-87af36ab10@nohats.ca>
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
In-Reply-To: <b3bf6748-be6d-a287-27e4-87af36ab10@nohats.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pHlQFzUqOKyGG1zp3WuWx6FPj8g>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2022 14:09:27 -0000

Paul Wouters wrote:

> In your
> favourite terms, diginotar as DNSSEC entity would have only
> been able to mess up .nl and not any other TLD, if it had been
> a "DNSSEC CA" instead of a "webpki CA". The hierarchical space
> offers better security than the flat webpki.

I can't see any reason why you think the root zone is
more secure than TLDs, especially because, as I wrote:

: Third, all the CAs, including TLDs, pursuing commercial
: success have very good appearance using such words as
: "HSMs" or "four eyes minimum". That is, you can't
: compare actual operational/physical strength from
: their formal documents.

and

: A false sense of security that DNSSEC were
: cryptographically secure motivates the operators
: ignore DNSSEC operation rules, which are very
: complicated and hard to follow, for relatively
: strong physical security, which might be what
: happened in diginotar.

					Masataka Ohta