Re: MSIG proposal (on-the-fly sigs for ordinary records) Was: DNSSECis hard to get right

"Jiankang YAO" <yaojk@cnnic.cn> Tue, 07 September 2010 08:03 UTC

From: Jiankang YAO <yaojk@cnnic.cn>
To: namedroppers@ops.ietf.org
References: <20100831064140.GA28274@nic.fr> <52179E56F3E9473188B7BF79024F6457@LENOVO47E041CF> <483843851.09398@cnnic.cn>
Subject: Re: MSIG proposal (on-the-fly sigs for ordinary records) Was: DNSSECis hard to get right
Date: Tue, 07 Sep 2010 16:03:53 +0800
Cc: ietf@ietf.org

----- Original Message ----- 
From: "Stephane Bortzmeyer" <bortzmeyer@nic.fr>
To: "Jiankang YAO" <yaojk@cnnic.cn>
Cc: <namedroppers@ops.ietf.org>; <ietf@ietf.org>
Sent: Tuesday, September 07, 2010 3:17 PM
Subject: MSIG proposal (on-the-fly sigs for ordinary records) Was: DNSSECis hard to get right


> On Tue, Aug 31, 2010 at 02:55:08PM +0800,
> Jiankang YAO <yaojk@cnnic.cn> wrote 
> a message of 11 lines which said:
> 
>> I propose a lightweight DNSSEC.
>> 
>> http://www.ietf.org/id/draft-yao-dnsext-msig-00.txt
> 
> I've just read the draft and I'm not sure of the problem it intends to
> solve. There are two parts where DNSSEC could be regarded as "too
> heavy":
> 
> 1) Administrative procedures, key management, resigning, etc.
> 
> 2) Work for the name servers (loading large zones, sending large
> packets, validating, etc).
> 
> MSIG addresses only the second. The first one, which was the cause of
> the failure for iab.org, is exactly the same as with the current
> DNSSEC.
> 
> Even for the second, MSIG addresses a problem that we do not feel (for
> the signing of .FR, which will be on line next week, the size of the
> zone was the smallest problem) and creates a new problem: the
> authoritative name server now must generate a signature for every
> request! You will eat less RAM but use much more CPU.
> 

Frankly said, I got the inspiration from the DNSCurve draft (draft-dempsky-dnscurve-01), which uses a similar mechanism but changes the DNS packet format.

The MSIG proposal does not change the basic rules of DNS.

MSIG is very useful for registries or DNS zones which have millions of domain names, since it will reduce the size of the zone dramatically.

On the other hand, the outgoing DNS packets are too large with heavy DNSSEC; sometimes we have to use TCP connections to transfer the big packets.

MSIG will reduce the outgoing DNS packet size too.

>
> Also, if I understood the draft correctly:
> 
> * Every authoritative name server, even a slave, will require a copy
> of the private key (since it will have to sign the responses
> on-the-fly). Bad for manageability and security.
> 
> * MSIG secures the link from the authoritative name server to the
> resolver but cannot help if there are chained resolvers, or cannot be
> used for the last mile. (I'm not sure about this last point, it is not
> clear in the draft.)
> 

For the last mile problem, I also proposed http://tools.ietf.org/html/draft-yao-dnsop-resolverkey-00

Thanks a lot for taking a look at my draft.

Jiankang Yao

