Re: [DNSOP] fragile dnssec, was Fwd: New Version

"John Levine" <johnl@taugh.com> Sun, 20 August 2017 01:49 UTC

Date: Sun, 20 Aug 2017 01:48:50 -0000
Message-ID: <20170820014850.1072.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
Cc: petr.spacek@nic.cz
In-Reply-To: <272dc071-c650-220c-3528-acb9467c706b@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uNSGHnYJHkUDZEWHF9kri1tiy4I>
Subject: Re: [DNSOP] fragile dnssec, was Fwd: New Version
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

In article <272dc071-c650-220c-3528-acb9467c706b@nic.cz> you write:
>Yes, someone might try to attack a domain using this. To lower
>probability of this kind of attack CZ.NIC is nagging the technical
>contact for one week before the DS gets installed into the CZ zone.
>
>For further details please see
>https://en.blog.nic.cz/2017/06/21/lets-make-dns-great-again/
>
>We will see how it goes.

That's certainly one of the approaches that Olafur suggested, and it
would definitely be easy to implement.

Please let us know what you learn.

R's,
John
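The one-week notification window Petr describes amounts to a hold-down timer inside a parent-side acceptance policy for child-requested DS changes. The following is an added example, not CZ.NIC's registry code and not part of the draft under discussion. It assumes the child signals the new DS with CDS records (RFC 7344 / RFC 8078), that the registry has already polled every authoritative nameserver and knows whether each answer validated under the currently installed chain of trust, and that `notify` stands in for the e-mail to the technical contact. The zone name `example.cz.`, the nameserver names and the DS values are constructed for the demo. Beyond the page's one-week delay it also applies the RFC 8078 "extra checks": an unsigned CDS is ignored, and a CDS set that differs between nameservers (the situation an attacker who controls only one server would produce) rejects the request and restarts the clock.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

# Hold-down period: one week, as CZ.NIC describes on the page.
HOLD_DOWN = timedelta(days=7)

# A DS record reduced to what matters for comparison:
# (key tag, algorithm, digest type, digest as lower-case hex).
DS = Tuple[int, int, int, str]


def ds(key_tag: int, algorithm: int, digest_type: int, digest: str) -> DS:
    return (key_tag, algorithm, digest_type, digest.lower())


@dataclass
class Pending:
    candidate: FrozenSet[DS]   # DS set the child is asking for
    first_seen: datetime       # when this exact set was first seen consistently


@dataclass
class DomainState:
    name: str
    installed: FrozenSet[DS]   # DS currently published in the parent zone
    contact: str               # technical contact (assumed field)
    pending: Optional[Pending] = None
    notifications: List[str] = field(default_factory=list)

    def notify(self, text: str) -> None:
        # Stand-in for mailing the technical contact.
        self.notifications.append(f"{self.contact}: {text}")


@dataclass
class Observation:
    """One poll of one authoritative server: did the CDS answer validate
    under the installed DS, and which DS set does it advertise (empty = none)."""
    nameserver: str
    secure: bool
    cds: FrozenSet[DS]


def evaluate(state: DomainState, observations: List[Observation], now: datetime) -> str:
    """Apply one polling round to `state`; return the decision taken."""
    if not observations:
        return "no-data"
    # 1. Every answer must be DNSSEC-valid; an unsigned CDS carries no authority.
    if not all(o.secure for o in observations):
        state.pending = None
        return "rejected-unsigned"
    # 2. The candidate must be identical on every nameserver.
    sets = {o.cds for o in observations}
    if len(sets) != 1:
        state.pending = None
        return "rejected-inconsistent"
    candidate = next(iter(sets))
    # 3. No CDS published, or it matches what is installed: nothing to do.
    if not candidate or candidate == state.installed:
        state.pending = None
        return "no-change"
    # 4. New or changed candidate: tell the contact and start the one-week clock.
    if state.pending is None or state.pending.candidate != candidate:
        state.pending = Pending(candidate=candidate, first_seen=now)
        state.notify(f"DS change for {state.name} requested via CDS; "
                     f"installing in {HOLD_DOWN.days} days unless you object: {sorted(candidate)}")
        return "hold-down-started"
    # 5. Same candidate still present: install only after the full period.
    if now - state.pending.first_seen < HOLD_DOWN:
        return "hold-down-waiting"
    state.installed = candidate
    state.pending = None
    state.notify(f"DS for {state.name} replaced with {sorted(candidate)}")
    return "installed"


def demo():
    """Constructed scenario: a legitimate rollover, interrupted once by a
    change that appears on only one server, then an unsigned attempt."""
    old = frozenset({ds(12345, 13, 2, "aa" * 32)})
    new = frozenset({ds(54321, 13, 2, "bb" * 32)})
    rogue = frozenset({ds(666, 13, 2, "cc" * 32)})
    state = DomainState(name="example.cz.", installed=old, contact="hostmaster@example.cz")
    t0 = datetime(2017, 8, 20, tzinfo=timezone.utc)

    def poll(day: float, ns1: FrozenSet[DS], ns2: FrozenSet[DS], secure: bool = True) -> str:
        obs = [Observation("ns1.example.cz.", secure, ns1),
               Observation("ns2.example.cz.", secure, ns2)]
        return evaluate(state, obs, t0 + timedelta(days=day))

    decisions = [
        poll(0, new, new),                     # hold-down-started, contact notified
        poll(3, new, new),                     # hold-down-waiting
        poll(3.5, rogue, new),                 # rejected-inconsistent, clock reset
        poll(4, new, new),                     # hold-down-started again
        poll(10, new, new),                    # hold-down-waiting (6 days since restart)
        poll(11, new, new),                    # installed
        poll(12, new, new),                    # no-change
        poll(13, rogue, rogue, secure=False),  # rejected-unsigned
    ]
    return decisions, state


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The state object is what a registry would persist between polling rounds; the important property is that any reset of `pending` (inconsistency, unsigned answer, or a different candidate) forces a fresh notification and a fresh seven-day wait, so an attacker cannot get a DS installed without the contact seeing the same unchanged request for the whole period.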