Re: DNSSEC architecture vs reality

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Wed, 14 April 2021 09:07 UTC

Subject: Re: DNSSEC architecture vs reality
To: ietf@ietf.org
References: <YHN5ObR0eqea8Mrc@straasha.imrryr.org> <CABrd9SRdw9baHD5-j9nz4Zv5JjfL35TgaTvS787orEyGxZdKzA@mail.gmail.com> <YHOAzeOj1JaGdmsO@straasha.imrryr.org> <5e91c054-5935-df07-e8ba-09cc78f6c950@network-heretics.com> <YHPSP8Kij2K4v7qQ@straasha.imrryr.org> <82c5fcc6-b419-6efb-b682-b5dbb32905e2@network-heretics.com> <585D8590-472B-4CBC-8292-5BE85521DD76@gmail.com> <a6545baf-b15e-3690-d7b5-be33c4078e02@mtcc.com> <20210412221435.GV9612@localhost> <0755b70e-cc8e-3404-73cd-51950b3d7e53@mtcc.com> <20210412222748.GW9612@localhost> <26BBCA02-AC18-476B-926E-9AC37A7FBBE2@depht.com> <8C8A4B56-6B8C-4D53-965C-07CE636E3FB9@frobbit.se> <5DFC979A-7641-49B2-A2F4-81F737790C6D@cisco.com> <82AAE2BE-4286-4F0F-B122-E387577B54BA@frobbit.se>
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Message-ID: <c782277e-028c-87fd-e360-d9b4f059faa4@necom830.hpcl.titech.ac.jp>
Date: Wed, 14 Apr 2021 18:07:33 +0900
In-Reply-To: <82AAE2BE-4286-4F0F-B122-E387577B54BA@frobbit.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/4oc8P6hTN9bO1r5EGTgEtklH1aU>

Patrik Faltstrom wrote:

> Because doing signing is viewed as a cost, and there must be a benefit in doing the signing.

True.

As PKIs, including TLS and DNSSEC, rely on CAs as untrustworthy
TTPs, they are, as was demonstrated by DigiNotar and Google,
subject to MitM attacks on CAs.

That is, PKIs are only as secure as plain Internet with ISPs
as untrustworthy TTPs.

As such, there is no point in wasting the signing cost.

> This is why validation must come first. The cost is low,

But, there is no true security for the cost.

						Masataka Ohta

PS

It may still be a good idea to use Diffie-Hellman key exchange,
because it is secure against passive attacks.