MSIG proposal (on-the-fly sigs for ordinary records) Was: DNSSEC is hard to get right
Stephane Bortzmeyer <bortzmeyer@nic.fr> Tue, 07 September 2010 07:22 UTC
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0F1203A686A for <ietf@core3.amsl.com>; Tue, 7 Sep 2010 00:22:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.228
X-Spam-Level:
X-Spam-Status: No, score=-106.228 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KIQKSnZTqzr6 for <ietf@core3.amsl.com>; Tue, 7 Sep 2010 00:21:59 -0700 (PDT)
Received: from mx2.nic.fr (mx2.nic.fr [192.134.4.11]) by core3.amsl.com (Postfix) with ESMTP id 088073A6900 for <ietf@ietf.org>; Tue, 7 Sep 2010 00:21:59 -0700 (PDT)
Received: from mx2.nic.fr (localhost [127.0.0.1]) by mx2.nic.fr (Postfix) with SMTP id DD3E71C002A; Tue, 7 Sep 2010 09:17:23 +0200 (CEST)
Received: from relay2.nic.fr (relay2.nic.fr [192.134.4.163]) by mx2.nic.fr (Postfix) with ESMTP id D8CDE1C0021; Tue, 7 Sep 2010 09:17:23 +0200 (CEST)
Received: from bortzmeyer.nic.fr (batilda.nic.fr [192.134.4.69]) by relay2.nic.fr (Postfix) with ESMTP id D64D47B0037; Tue, 7 Sep 2010 09:17:23 +0200 (CEST)
Date: Tue, 07 Sep 2010 09:17:23 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Jiankang YAO <yaojk@cnnic.cn>
Subject: MSIG proposal (on-the-fly sigs for ordinary records) Was: DNSSEC is hard to get right
Message-ID: <20100907071723.GA11448@nic.fr>
References: <20100831064140.GA28274@nic.fr> <52179E56F3E9473188B7BF79024F6457@LENOVO47E041CF>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <52179E56F3E9473188B7BF79024F6457@LENOVO47E041CF>
X-Operating-System: Debian GNU/Linux 5.0.5
X-Kernel: Linux 2.6.26-2-686 i686
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.5.18 (2008-05-17)
Cc: namedroppers@ops.ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: namedroppers@ops.ietf.org
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2010 07:22:01 -0000
On Tue, Aug 31, 2010 at 02:55:08PM +0800, Jiankang YAO <yaojk@cnnic.cn> wrote a message of 11 lines which said: > I propose a lightweight DNSSEC. > > http://www.ietf.org/id/draft-yao-dnsext-msig-00.txt I've just read the draft and I'm not sure of the problem it intends to solve. There are two parts where DNSSEC could be regarded as "too heavy": 1) Administrative procedures, key management, resigning, etc. 2) Work for the name servers (loading large zones, sending large packets, validating, etc). MSIG addresses only the second. The first one, which was the cause of the failure for iab.org, is exactly the same as with the current DNSSEC. Even for the second, MSIG addresses a problem that we do not feel (for the signing of .FR, which will be on line next week, the size of the zone was the smallest problem) and creates a new problem: the authoritative name server now must generate a signature for every request! You will eat less RAM but use much more CPU. Also, if I understood the draft correctly: * Every authoritative name server, even a slave, will require a copy of the private key (since it will have to sign the responses on-the-fly). Bad for manageability and security. * MSIG secures the link from the authoritative name server to the resolver but cannot help if there are chained resolvers, or cannot be used for the last mile. (I'm not sure about this last point, it is not clear in the draft.)
- DNSSEC is hard to get right Stephane Bortzmeyer
- Re: DNSSEC is hard to get right Richard L. Barnes
- Re: DNSSEC is hard to get right Jiankang YAO
- Re: DNSSEC is hard to get right Phillip Hallam-Baker
- MSIG proposal (on-the-fly sigs for ordinary recor… Stephane Bortzmeyer
- Re: MSIG proposal (on-the-fly sigs for ordinary r… Jiankang YAO