IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-dnssec-trust-history - discussion

Jim Reid <jim@rfc1035.com> Fri, 17 September 2010 11:01 UTC

Return-Path: <jim@rfc1035.com>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9A5C13A6AB2 for <dnsop@core3.amsl.com>; Fri, 17 Sep 2010 04:01:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wRltPXZ19+NH for <dnsop@core3.amsl.com>; Fri, 17 Sep 2010 04:01:04 -0700 (PDT)
Received: from hutch.rfc1035.com (router.rfc1035.com [195.54.233.65]) by core3.amsl.com (Postfix) with ESMTP id A58DC3A691B for <dnsop@ietf.org>; Fri, 17 Sep 2010 04:01:04 -0700 (PDT)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jim) by hutch.rfc1035.com (Postfix) with ESMTPSA id 19DE5154202E; Fri, 17 Sep 2010 12:01:28 +0100 (BST)
Message-Id: <57900F79-BD86-492A-8DBA-BC3CFFC66472@rfc1035.com>
From: Jim Reid <jim@rfc1035.com>
To: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
In-Reply-To: <4C9342C1.309@nlnetlabs.nl>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 17 Sep 2010 12:01:27 +0100
References: <569C36E4-4F05-41B2-B0B8-A4B8228F13C9@googlemail.com> <p06240843c8b86ff53ffe@[10.20.30.158]> <4C9342C1.309@nlnetlabs.nl>
X-Mailer: Apple Mail (2.936)
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft-ietf-dnsop-dnssec-trust-history - discussion
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Sep 2010 11:01:05 -0000

On 17 Sep 2010, at 11:28, W.C.A. Wijngaards wrote:

> Are you sure that we want to create a cross-dependency on the https
> security for the DNS security?

Depends...

> This means the DNS and cert paths are no longer different trust paths.

That might or might not be a bad thing. If the One True TA is lost and  
needs to be re-instantiated, some sort of out of band mechanism is  
going to be needed. That may have to be a manual intervention. What  
mechanism is used will depend on local policy. I'm not sure it's wise  
to limit our options to HTTPS.

v2.23.0 | Report a Bug | By Email