Re: [DNSOP] Practical issues deploying DNSSEC into the home.

Eliot Lear <lear@cisco.com> Fri, 13 September 2013 08:28 UTC

Message-ID: <5232CC8A.4070202@cisco.com>
Date: Fri, 13 Sep 2013 10:27:54 +0200
From: Eliot Lear <lear@cisco.com>
To: Theodore Ts'o <tytso@mit.edu>
Subject: Re: [DNSOP] Practical issues deploying DNSSEC into the home.
References: <CAMm+LwjkOEO6t5v6qMjc036JGaoFi=3jFPNDp=xM=zK5R8_k7A@mail.gmail.com> <D9B745AC-8FCE-4742-AAE1-CC1AC4293F0E@hopcount.ca> <alpine.LFD.2.10.1309111202350.13632@bofh.nohats.ca> <CAMm+LwieYmZNUybCgpdkytb9EfmiraTVNJdTUS6aeNJE5=8PEQ@mail.gmail.com> <F4F9D8B4-57BF-4CB4-A200-3B77A3966A2B@icsi.berkeley.edu> <CAMm+LwjTGZz9BrE1EcuQb9abv+MvOPVTjWHiSBCj774drnF15A@mail.gmail.com> <20130912112400.GB12918@thunk.org> <alpine.LFD.2.10.1309121012030.9471@bofh.nohats.ca> <20130912150733.GF12918@thunk.org> <C393EF03-E1CF-4695-8AC8-722AE104BBD7@nominum.com> <20130912172140.GA5985@thunk.org>
In-Reply-To: <20130912172140.GA5985@thunk.org>
Cc: Patrick Fältström <paf@netnod.se>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, "ietf@ietf.org TF" <ietf@ietf.org>

Ted,

What I like about this message is that you have demonstrated the
*potential* severability of these issues.  Things are set up as they are
for a matter of scaling.  Clearly it ain't perfect, and as one of my
mentors would say, that represents an opportunity.  It's also pretty
clear that we should be reviewing this stuff in consultation with
ICANN's SSAC committee.

Eliot

On 9/12/13 7:21 PM, Theodore Ts'o wrote:
> Fair enough, but if the goal is to prevent pervasive surveillance,
> simply using a key exchange which provides perfect forward secrecy
> will do that, even given the pathetic state of https security given
> the realities of the web and the CAs out there.
>
> Still, I agree with the general precept that perfect should not be the
> enemy of the better, and DNSSEC certainly adds value.  I just get worried
> about people who seem to think that DNSSEC is a panacea.
>
> - Ted