[DNSSEC-Bootstrapping] Trust model
Peter Thomassen <peter@desec.io> Mon, 19 September 2022 07:57 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnssec-bootstrapping@ietfa.amsl.com
Delivered-To: dnssec-bootstrapping@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F35AC14F733 for <dnssec-bootstrapping@ietfa.amsl.com>; Mon, 19 Sep 2022 00:57:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MQ9zKnXte-1Z for <dnssec-bootstrapping@ietfa.amsl.com>; Mon, 19 Sep 2022 00:57:40 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAC9AC14CE25 for <dnssec-bootstrapping@ietf.org>; Mon, 19 Sep 2022 00:57:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:Subject:From:To: MIME-Version:Date:Message-ID:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=E/EK4LE5B/0JRXrabyk9pVnkpJS8nX2WbIZvQ+Z5g9Q=; b=i2cwCkN2RAhdSJb9ZWUFka4a2p wQ5dWRqkUjWoBlmMwiRfEmjtCGeewqe9QE6JmWs1kBd8ZEcttbcEvp++1KfBnA8d6yJ/rsZuCRNLW oW+Yin5nHnQ93E8cxq+rH1gq5cQLEh7UR6WsLmHpJ9zeawskMAzEvoInqDDH0CJ7M9TVz9Oj6K/j5 BucMtK6SqLwk+je1/6LEriHS9fF+LYpyS33ma2rGWIsN3wc685qd9wmf5FxkIctSD+AgStd8zQ4A6 RGu1Ru56Wr37S4kXLMMqjCCC1QLBKHpV+GHqnoC6Mmvu0b/Zh0/dEKIgyG5KFi0oky+W6KwryDzZz 3w/zbpIA==;
Received: from [2620:f:8000:210:8ffa:cae:e795:b604] by mail.a4a.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <peter@desec.io>) id 1oaBer-0006Eq-R0 for dnssec-bootstrapping@ietf.org; Mon, 19 Sep 2022 09:57:38 +0200
Message-ID: <5e64283c-983a-b8c9-4d1d-afb73d18ed19@desec.io>
Date: Mon, 19 Sep 2022 15:57:35 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: dnssec-bootstrapping@ietf.org
From: Peter Thomassen <peter@desec.io>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssec-bootstrapping/kJCy9qgekAVbJrnyl1BRZlaFyz4>
Subject: [DNSSEC-Bootstrapping] Trust model
X-BeenThere: dnssec-bootstrapping@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Authenticated Bootstrapping of DNSSEC Delegations <dnssec-bootstrapping.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssec-bootstrapping>, <mailto:dnssec-bootstrapping-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssec-bootstrapping/>
List-Post: <mailto:dnssec-bootstrapping@ietf.org>
List-Help: <mailto:dnssec-bootstrapping-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssec-bootstrapping>, <mailto:dnssec-bootstrapping-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Sep 2022 07:57:45 -0000
Hi, During my presentation today at ICANN 75 Tech Day, concerns were brought up in the chat about the trust model behind draft-ietf-dnsop-dnssec-bootstrapping. It was agreed to move the discussion here. In my mind, adding authentication to RFC 8078 can never be worse than insecure bootstrapping (vanilla RFC 8078). I don't recall where exactly the concerns were. If someone does, can you bring me up to speed? :-) For the record, the presentation slide deck is available here: https://75.schedule.icann.org/meetings/2QGk2M3LTno989XDe (under the "Files" tab) Thanks, Peter -- https://desec.io/
- [DNSSEC-Bootstrapping] Trust model Peter Thomassen