Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

Phillip Hallam-Baker <hallam@gmail.com> Tue, 20 July 2010 12:05 UTC

In-Reply-To: <201007200412.o6K4CtK5004897@drugs.dv.isc.org>
References: <4C404F35.7090207@vigilsec.com> <6D615944-97E1-4FB4-B341-A2A86E476609@muada.com> <alpine.LSU.2.00.1007161753580.12262@hermes-2.csi.cam.ac.uk> <20100716175650.GA292@rvdp.org> <1C8C8833-85E7-4E93-8AB2-1ADF2CF2B0FE@muada.com> <AANLkTikni86AOABGKIB1_jOeQe0Ou4swpGrS8H1MbmrQ@mail.gmail.com> <201007200412.o6K4CtK5004897@drugs.dv.isc.org>
Date: Tue, 20 Jul 2010 08:06:04 -0400
Message-ID: <AANLkTillT7BXQ7lkdn0r1g10Q8iPNMbpgNgz6owgeGaZ@mail.gmail.com>
Subject: Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: ietf@ietf.org

On Tue, Jul 20, 2010 at 12:12 AM, Mark Andrews <marka@isc.org> wrote:
>
> In message <AANLkTikni86AOABGKIB1_jOeQe0Ou4swpGrS8H1MbmrQ@mail.gmail.com>, Phillip Hallam-Baker writes:
>> Being able to verify signatures is of no value.
>>
>> The system only has value when you can act differently according to
>> whether the signature verifies or not.
>>
>> I keep asking, but nobody will tell me how I get the keys for my
>> domains into the TLD.
>
> Firstly you get DS records into the TLD not DNSKEY records.  Secondly
> it is/will be by a mechanism similar to how you get NS records into
> the TLD.  In other words go ask your registrar when they are going
> to support adding DS records and stop complaining here.

I am not asking about the TLD keys, I am asking about my keys.

And I really hope that the mechanism for handling the name holder keys
recognizes that registering a million keys is different to
distributing a hundred where all the parties know each other
personally.

You would not be saying "go ask your registrar when they are going to
support adding DS records" if you didn't know that the answer was that
the registrars have made no commitment to deploy.

Holding a key signing ceremony is not a new technological achievement.
It is being held now with great fanfare in the hope that if everyone
makes enough noise about how much momentum DNSSEC has that the
opposition of the registrars will somehow disappear.

I don't see why that strategy would work. I have certainly never seen
it work in the past.


> This is not a technological problem.  It is a business problem
> between you, your registrar and the registry.

You are an engineer. If the technology does not meet the business
needs then you have failed.

If DNSSEC is not going to fail we need to re-engineer it to propose a
business model that actually works. Sitting on the sidelines and
shouting 'the technology is perfect dammit, go make the business model
work', is not going to solve the problem. Nor is 'go away, my
technology is perfect, perfect I tell you'.

What has me very worried here are the comments to the effect 'the
registrars are behind'. What if the registrars are not 'behind', what
if they have no interest in deployment or are actively opposed but
unable to say so openly while Cerf and co are saying that DNSSEC is
the historic solution to solve the problem of Internet security?


>> This is not a trivial issue. There is a question of liability to be
>> addressed. So far ICANN and VeriSign Registry Services have addressed
>> the issue by booting it down the chain. But the system as a whole
>> cannot work until there is someone willing to accept the liability and
>> for that to happen they are going to require tools to manage their
>> litigation risk.
>
> How is the liability different from that of accepting NS records?
> DS records don't magically change the liability.  Stuffing up either
> NS or DS records will break the delegation.

Yes they do.

An NS record specifies the address of the DNS server.

A DS record specifies an intermediate certificate in the chain of
trust for authenticating any entity that is attached to the domain.

In the case of an NS record it is established that the design does not
provide security in the DNS layer and this has to be provided
independently via an end to end mechanism such as SSL with DV or EV
certs.

In the case of a DS record the design is expressly designed to provide
for authentication of assertions relating to a domain name distributed
through the DNS.


-- 
Website: http://hallambaker.com/
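The DS/DNSKEY relationship argued over above (the parent zone publishes a hash of the child's key signing key, which a validator then checks the child's DNSKEY against) as an added example following RFC 4034; this is not code from the thread, and the key bytes are a constructed stand-in, not a real RSA key:

```python
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest per RFC 4034 section 5.1.4: hash(canonical owner name | DNSKEY RDATA)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]  # digest type 1 = SHA-1, 2 = SHA-256
    return h(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes, digest_type: int = 2) -> str:
    """The DS record the zone owner hands to the registrar for publication in the parent (TLD) zone."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = ds_digest(owner, rdata, digest_type).hex().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type, digest)


def dnskey_matches_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes, ds_text: str) -> bool:
    """Validator-side check: does the child's DNSKEY hash to the DS the parent published?"""
    f = ds_text.split()  # presentation format: owner IN DS keytag algorithm digest_type digest
    tag, alg, dtype, hexdigest = int(f[3]), int(f[4]), int(f[5]), f[6]
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    if alg != algorithm or key_tag(rdata) != tag:
        return False  # wrong key or wrong algorithm: this DS cannot vouch for this DNSKEY
    return hmac.compare_digest(ds_digest(owner, rdata, dtype), bytes.fromhex(hexdigest))


# Constructed sample (not a real RSA key): KSK flags 257, protocol 3, RSASHA256 (algorithm 8).
SAMPLE_PUBKEY = bytes.fromhex("03010001abcd")
SAMPLE_DS = make_ds("example.com.", 257, 3, 8, SAMPLE_PUBKEY)
```

A one-bit change in the key, the flags, or the owner name yields a different key tag or digest, which is why the DS the registrar publishes is what ties the child's key into the chain of trust.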