Re: [DNSOP] Should be signed

Jay Daley <> Sun, 07 March 2010 20:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E537B28C1D2 for <>; Sun, 7 Mar 2010 12:08:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.483
X-Spam-Status: No, score=-2.483 tagged_above=-999 required=5 tests=[AWL=0.116, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id M+vg7Tsc+3oU for <>; Sun, 7 Mar 2010 12:08:17 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id A6B583A9175 for <>; Sun, 7 Mar 2010 12:08:17 -0800 (PST)
Received: from localhost ( []) by (Postfix) with ESMTP id 60BC52DA5F3; Mon, 8 Mar 2010 09:08:19 +1300 (NZDT)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CEbGmr8q8BYI; Mon, 8 Mar 2010 09:08:19 +1300 (NZDT)
Received: from [] (unknown []) (Authenticated sender: jay) by (Postfix) with ESMTPSA id 2711D2DA4DF; Mon, 8 Mar 2010 09:08:19 +1300 (NZDT)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: Jay Daley <>
In-Reply-To: <>
Date: Mon, 08 Mar 2010 09:08:18 +1300
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <> <> <> <>
To: Masataka Ohta <>
X-Mailer: Apple Mail (2.1077)
Cc: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, dnsop WG <>
Subject: Re: [DNSOP] Should be signed
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 07 Mar 2010 20:08:19 -0000

On 8/03/2010, at 8:03 AM, Masataka Ohta wrote:

> The problem is that DNSSEC was wrongly advertised to increase
> the level of security.

I think you are picking your own definition of security to suit your argument.  Those promoting DNSSEC have only ever said that the "security" it provides is basic validation of a) message originator and b) message integrity.

> The reality, however, is that ISPs are as secure/reliable/trustable
> as zones, which means DNSSEC does not increase the level of security.

I don't understand what that means.  Are you suggesting that DNSSEC should have some how dealt with insecure/unreliable/untrustworthy ISPs?

>> it IS a PKI
> PKI is broken, of course. So?

That is a bit like saying that all cars are broken because of a few problems Toyota are having.  In other words it is a totally unsupported generalisation. 

>> Additionally, since it would be end-host application validating
>> those signatures, it can enforce that "there must exist a
>> signature path from the root" (aka, it is actually a PKI). [1]
> The meaningful security for end hosts is that the security is
> broken only if one of the end hosts is compromised, which means
> fate sharing, whereas, with DNSSEC, end hosts can do nothing if
> intermediate zones are compromised.

DNS is largely asymmetric.  On the whole I produce, others consume.  So why would I need to fate-share with any consumer of my DNS messages?  Your vision of security is for something quite different.

Is this the essence of your grievance - DNSSEC has a chain of trust so any zone operator is dependent on another, thereby making a zone operator vulnerable to bad actors amongst those they depend on?

If so then please explain how you can reliably get keys for my zones 
1.  without a relying on others in a chain of trust
2.  in a way that scales

kind regards

>> [1] Thus, you don't have to worry about also needing the name
>> path for the resolvers signed or the DOS attack by a MitM
>> stripping signatures as part of their changing DNS results.
> MitM of a zone chain can easily change DNS results.
> 						Masataka Ohta
> _______________________________________________
> DNSOP mailing list

Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840