Re: [DNSOP] Should root-servers.net be signed

Mark Andrews <marka@isc.org> Mon, 08 March 2010 02:50 UTC

Message-Id: <201003080250.o282omhw051442@drugs.dv.isc.org>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
From: Mark Andrews <marka@isc.org>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <A76BB63E-F13B-4D90-BABB-89EB06C8E5F0@rfc1035.com> <4B93A046.4020209@necom830.hpcl.titech.ac.jp> <B98D66FF-E4EB-47BE-8302-D4C6D3E70238@icsi.berkeley.edu> <4B93F864.9090003@necom830.hpcl.titech.ac.jp> <7FDA3487-44F4-495F-94AC-1A18AC090DFB@nzrs.net.nz> <4B946242.7020407@necom830.hpcl.titech.ac.jp>
In-reply-to: Your message of "Mon, 08 Mar 2010 11:34:42 +0900." <4B946242.7020407@necom830.hpcl.titech.ac.jp>
Date: Mon, 08 Mar 2010 13:50:48 +1100
Sender: marka@isc.org
Cc: dnsop WG <dnsop@ietf.org>, Jay Daley <jay@nzrs.net.nz>, Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Subject: Re: [DNSOP] Should root-servers.net be signed

In message <4B946242.7020407@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Jay Daley wrote:
> 
> > I think you are picking your own definition of security to suit
> > your argument.
> 
> If you can deny the following reality:
> 
> >>The reality, however, is that ISPs are as secure/reliable/trustable
> >>as zones, which means DNSSEC does not increase the level of security.
> 
> feel free to deny me. Otherwise, accept the reality.
> 
> > Are you suggesting that DNSSEC should have some how dealt with
> > insecure/unreliable/untrustworthy ISPs?
> 
> DNS is dealt with zones as insecure/unreliable/untrustworthy as ISPs.

There is plenty of evidence for ISPs modifying DNS responses to
queries directed to their recursive servers without notifying the
client population before doing so.

There are also reports of ISPs modifying DNS responses not directed
to their recursive servers.  If you wish to include hotels in the
ISP category (which they are for the duration of your stay at the hotel)
then there is ample evidence of this happening.

So yes, I don't trust ISPs.

> > DNS is largely asymmetric.  On the whole I produce, others consume.
> > So why would I need to fate-share with any consumer of my DNS
> > messages?
> 
> DNS?
> 
> Fate sharing security is required for applications running on
> end hosts. DNS security itself is abstract and is no goal.
> 
> > If so then please explain how you can reliably get keys for my zones 
> > 1.  without a relying on others in a chain of trust
> 
> I can't, which is why DNSSEC is as insecure as plain DNS.
> 
> > 2.  in a way that scales
> 
> It seems to me that cryptographic, end to end, or fate sharing
> security is not scalable.
> 
> 						Masataka Ohta
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
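The disagreement above is about whether a chain of trust anchored outside the ISP actually lets a client notice the response rewriting Mark describes. The following is an added example, not code from either poster and not ISC's or anyone's validator: a toy model of the DNSSEC chain (trust anchor -> DS -> DNSKEY -> signed answer) that ignores real wire formats, RFC 4034 canonical ordering and RRSIG timing, uses Ed25519 and a plain "name type data" string as the signed message for brevity, and uses constructed names and addresses (`example.`, `192.0.2.1`, `198.51.100.99`). It shows three resolver behaviours: an honest response validates; a response whose A record was rewritten in transit fails on the answer signature; and a response where the intermediary swaps in its own DNSKEY and re-signs fails on the DS check in the parent, which is the "relying on others in a chain of trust" point.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RR is a toy resource record; the canonical form signed below is just the
// three fields joined by spaces (real DNSSEC signs RRset wire format).
type RR struct{ Name, Type, Data string }

func (r RR) canon() []byte { return []byte(r.Name + " " + r.Type + " " + r.Data) }

// Zone holds a signing key pair; the public half stands in for the DNSKEY RR.
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Zone{name, pub, priv}
}

func (z Zone) Sign(r RR) []byte { return ed25519.Sign(z.priv, r.canon()) }

// DS is what the parent publishes for the child: a hash of the child's key.
func (z Zone) DS() RR {
	sum := sha256.Sum256(z.pub)
	return RR{z.Name, "DS", fmt.Sprintf("%x", sum)}
}

// Response models what a recursive resolver hands back: the answer plus the
// records a validator needs to walk from the answer up to the trust anchor.
type Response struct {
	Answer    RR
	AnswerSig []byte
	ChildKey  ed25519.PublicKey // DNSKEY of the zone that owns the answer
	DS        RR                // DS for that zone, taken from the parent
	DSSig     []byte            // parent's signature over the DS
}

// Validate walks the chain: trust anchor -> DS -> DNSKEY -> answer. Any link
// the resolver (or an ISP in the path) altered makes some step fail.
func Validate(anchor ed25519.PublicKey, resp Response) error {
	if !ed25519.Verify(anchor, resp.DS.canon(), resp.DSSig) {
		return fmt.Errorf("DS record is not signed by the trust anchor")
	}
	if fmt.Sprintf("%x", sha256.Sum256(resp.ChildKey)) != resp.DS.Data {
		return fmt.Errorf("DNSKEY does not match the DS published by the parent")
	}
	// Toy stand-in for checking the RRSIG signer name against the zone.
	if resp.Answer.Name != resp.DS.Name {
		return fmt.Errorf("answer is signed by a key for a different zone")
	}
	if !ed25519.Verify(resp.ChildKey, resp.Answer.canon(), resp.AnswerSig) {
		return fmt.Errorf("answer signature invalid: data modified in transit")
	}
	return nil
}

// BuildResponse is the honest path: parent signs the DS, child signs the answer.
func BuildResponse(parent, child Zone, answer RR) Response {
	ds := child.DS()
	return Response{answer, child.Sign(answer), child.pub, ds, parent.Sign(ds)}
}

// TamperedAnswer models an intermediary rewriting the address in the answer.
func TamperedAnswer(r Response, newData string) Response {
	r.Answer.Data = newData
	return r
}

// ForgedKey models an intermediary that replaces the DNSKEY with its own key
// and re-signs the rewritten answer, leaving the parent's DS untouched.
func ForgedKey(r Response, newData string) Response {
	fake := NewZone(r.Answer.Name)
	r.Answer.Data = newData
	r.AnswerSig = fake.Sign(r.Answer)
	r.ChildKey = fake.pub
	return r
}

// Demo returns the validation result for the honest, tampered and forged cases.
func Demo() (honestErr, tamperedErr, forgedErr error) {
	root := NewZone(".")          // trust anchor, configured out of band
	example := NewZone("example.") // constructed child zone
	honest := BuildResponse(root, example, RR{"example.", "A", "192.0.2.1"})
	tampered := TamperedAnswer(honest, "198.51.100.99")
	forged := ForgedKey(honest, "198.51.100.99")
	return Validate(root.pub, honest), Validate(root.pub, tampered), Validate(root.pub, forged)
}

func main() {
	h, t, f := Demo()
	fmt.Println("honest:  ", h)
	fmt.Println("tampered:", t)
	fmt.Println("forged:  ", f)
}
```

The point the toy makes is that the only thing the client must trust a priori is the anchor; the ISP's resolver is just a transport for signed data, so the rewriting Mark describes is detected rather than silently accepted. An unsigned zone, by contrast, gives the validator nothing to check and the same rewrite goes unnoticed.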