Re: DNSSEC is hard to get right
Phillip Hallam-Baker <hallam@gmail.com> Tue, 31 August 2010 13:34 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CD3D93A690E for <ietf@core3.amsl.com>; Tue, 31 Aug 2010 06:34:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.983
X-Spam-Level:
X-Spam-Status: No, score=-1.983 tagged_above=-999 required=5 tests=[AWL=0.616, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EE0N-3bdCgvk for <ietf@core3.amsl.com>; Tue, 31 Aug 2010 06:34:10 -0700 (PDT)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by core3.amsl.com (Postfix) with ESMTP id EBF813A6782 for <ietf@ietf.org>; Tue, 31 Aug 2010 06:34:09 -0700 (PDT)
Received: by gwb20 with SMTP id 20so3071040gwb.31 for <ietf@ietf.org>; Tue, 31 Aug 2010 06:34:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=5mPWdZkW+2WX1bCOIPCi3j+B3TahnOE6lIiys9OjuOk=; b=meQ9E3IWuJFN9ILuWnfzzGaMVxScPQZErwHQLMD7s45kcfRcP5RDgk7INbKPr12UDp NZIyFPW1PB4W00El5/OG4h06/KyUEo8BmwzkFHpNKFls8RaUSZs1rg0rJ90lqTs6MI9U Do8cqMZYUBUqz1NxXXj60sGkSseNmHT38jc0Y=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=TcBMQ5rZzoS4GQ8/84bo7ApeSnY8pkslhdv27BH2LPF6tbHapEbLwy5M7RXbirJ1Dx UAMLDmKzKQzmP8cN8PHmUDhW1mH0EYQ4cMwJ1q/bjxHMOce4Z5oA9V36uXs5UirPOh9p M6zm139KrF5So8g7msT8Ru+HMmV54l16SEgAA=
MIME-Version: 1.0
Received: by 10.151.144.11 with SMTP id w11mr2288877ybn.327.1283261680446; Tue, 31 Aug 2010 06:34:40 -0700 (PDT)
Received: by 10.231.35.70 with HTTP; Tue, 31 Aug 2010 06:34:40 -0700 (PDT)
In-Reply-To: <2ECFEE54-8D74-43BC-87F1-14DE97D4B840@bbn.com>
References: <20100831064140.GA28274@nic.fr> <2ECFEE54-8D74-43BC-87F1-14DE97D4B840@bbn.com>
Date: Tue, 31 Aug 2010 09:34:40 -0400
Message-ID: <AANLkTik4J0dhbqEJ-cePM_rzyswtY8UvYSaxxSaMG7sV@mail.gmail.com>
Subject: Re: DNSSEC is hard to get right
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailman-Approved-At: Tue, 31 Aug 2010 08:23:46 -0700
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Aug 2010 13:34:12 -0000
DNSSEC is a PKI and running a PKI is never a trivial matter. One of the reasons I have serious concern about the prospects for deployment of DNSSEC is that the answer to many of my questions is either a blank stare, an off the cuff answer clearly made up on the spot or the claim that it is something for the market to decide on. As things stand we have an excellent architecture for securing distribution of DNS A and AAAA records. We are thus confident of our ability to transfer attacks from the DNS system where the effect of attacks is pretty much localized to the BGP system whose fragility was demonstrated only last Friday by RIPE. Is this really progress? Out in Iraq, there is a water treatment plant that cost $110 million to build. So far it has delivered absolutely no clean water to any homes because nobody considered the need to build a pipe to connect the water treatment plant to the city water mains. There is a metaphor there if people want to see it. On Tue, Aug 31, 2010 at 7:07 AM, Richard L. Barnes <rbarnes@bbn.com> wrote: > Another view, for the visually inclined: > <http://dnsviz.net/d/iab.org/dnssec/> > > > On Aug 31, 2010, at 2:41 AM, Stephane Bortzmeyer wrote: > >> % check-sig iab.org >> Name iab.org has an expired signature (20100829223019) >> >> :-( >> _______________________________________________ >> Ietf mailing list >> Ietf@ietf.org >> https://www.ietf.org/mailman/listinfo/ietf > > _______________________________________________ > Ietf mailing list > Ietf@ietf.org > https://www.ietf.org/mailman/listinfo/ietf > -- Website: http://hallambaker.com/
- DNSSEC is hard to get right Stephane Bortzmeyer
- Re: DNSSEC is hard to get right Richard L. Barnes
- Re: DNSSEC is hard to get right Jiankang YAO
- Re: DNSSEC is hard to get right Phillip Hallam-Baker
- MSIG proposal (on-the-fly sigs for ordinary recor… Stephane Bortzmeyer
- Re: MSIG proposal (on-the-fly sigs for ordinary r… Jiankang YAO