Re: OpenDNS today announced it has adopted DNSCurve to secure DNS

David Conrad <drc@virtualized.org> Thu, 25 February 2010 16:36 UTC

Subject: Re: OpenDNS today announced it has adopted DNSCurve to secure DNS
From: David Conrad <drc@virtualized.org>
In-Reply-To: <a123a5d61002241215r4710e63cn2e0594aefc1ce835@mail.gmail.com>
Date: Thu, 25 Feb 2010 08:38:37 -0800
Message-Id: <3D239B26-E647-4FDC-AD0C-456C284ABFFF@virtualized.org>
References: <874c02a21002231826y613b9f97ya83740ba240f7bf9@mail.gmail.com> <ABE739C5ADAC9A41ACCC72DF366B719D02C29D87@GLKMS2100.GREENLNK.NET> <a123a5d61002240700i4a68367tf901b91265f79da1@mail.gmail.com> <alpine.LSU.2.00.1002241754550.16971@hermes-2.csi.cam.ac.uk> <a123a5d61002241215r4710e63cn2e0594aefc1ce835@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: IETF-Discussion list <ietf@ietf.org>

[For some reason, I seem to receive Phillip's messages later than other people who are responding to his messages.  Odd.]

Hi,

> Signing the .com zone is irrelevant until we have a process for
> putting the key in.

Not really.  If VeriSign were to sign .COM tomorrow and publish their key somewhere well known, people who run validating resolvers could fetch that key, validating it however they see fit, and install it as a trust anchor in their resolver.

This is among the reasons ITAR was created.  To date, 12 TLDs have listed their keys in ITAR (see https://itar.iana.org/anchors/) using the same authentication mechanisms used to validate TLD update requests.

> Several people are aware that I am asking this
> question and will be speaking on DNSSEC at RSA next week. The fact
> that the answer has been invariably 'I will get back to you on that'
> and not 'here is the document you need to read' is itself rather
> significant.

Not really, other than in the sense that people are really, really busy and, having presented on the ITAR in numerous venues over the past year or two (I've forgotten when we stood up the ITAR and can't be bothered to go look it up), generally assume people who have need of ITAR services can find out about it.

> Instead of positioning DNSSEC as an alternative to SSL certificates,

Huh? Who is positioning DNSSEC that way? People have mentioned that DNSSEC could, maybe someday in the far future, perhaps provide an alternative PKI infrastructure but that generally is not how DNSSEC is being positioned, at least to my knowledge.  DNSSEC is primarily being positioned as protection against MITM DNS-based attack.

> Nobody can deploy or test standards based validation
> infrastructure until the root is signed and a lot more happens
> besides.

Sure they can, and in fact do.  ISPs in Sweden, for example, have (I'm told) been validating .SE domains for some time now.  For TLDs, there is ITAR.  For folks in islands of trust, there is DLV (if you trust ISC and are willing to accept the implications of using DLV).

Regards,
-drc
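The step Conrad describes (fetch a TLD's published DNSKEY, validate it against something obtained out of band such as an ITAR DS entry, then install it as a resolver trust anchor) rests on the DS/DNSKEY relationship of RFC 4034. The following is an added example, not code from this thread or from IANA; the owner name and key bytes are constructed placeholders, not the real .COM key.

```python
import hashlib
import struct

# Constructed sample key material (NOT a real .COM key): flags 257 = KSK/SEP, protocol 3, algorithm 8.
SAMPLE_OWNER = "COM."
SAMPLE_PUBKEY = b"\x01\x02\x03\x04"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest over canonical owner name || DNSKEY RDATA; type 1 = SHA-1, type 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation-format DS RR, the form a resolver's trust-anchor configuration accepts."""
    return f"{owner.lower()} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def dnskey_matches_ds(owner: str, rdata: bytes, ds: str) -> bool:
    """Check a fetched DNSKEY against a DS obtained out of band; any field mismatch rejects it."""
    fields = ds.split()
    tag, alg, dtype, digest = int(fields[-4]), int(fields[-3]), int(fields[-2]), fields[-1].upper()
    return (key_tag(rdata) == tag and rdata[3] == alg
            and ds_digest(owner, rdata, dtype) == digest)


if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY)
    print(ds_record(SAMPLE_OWNER, rdata))
```

Only a DNSKEY whose tag, algorithm and digest all agree with the out-of-band DS should be installed as a trust anchor; a digest mismatch means the fetched key is not the one the anchor source vouched for.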