Re: [dnsext] draft-diao-aip-dns
Nicholas Weaver <nweaver@icsi.berkeley.edu> Wed, 20 June 2012 15:31 UTC
From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <C239EA2E-41E9-4719-A3C7-AE0B8A9A1FE9@cisco.com>
Date: Wed, 20 Jun 2012 08:31:44 -0700
Message-Id: <6FF8F3B1-D2B7-4C6B-B90D-245892D400EC@icsi.berkeley.edu>
References: <C239EA2E-41E9-4719-A3C7-AE0B8A9A1FE9@cisco.com>
To: draft-diao-aip-dns@tools.ietf.org
Cc: dnsext List <dnsext@ietf.org>
My own $.02 as well, on just one little piece...

> 5. Security Considerations
>
> There is no additional security requirement than current domain name
> system. Security issues are not discussed in this memo.

To put this succinctly, Huh?!?

The point of this is to allow a country to "override the root": provide its own DNS hierarchy which it controls to create an "Autonomous Internet", namely, a namespace which deliberately excludes "undesirable" names. Because unless you are excluding "undesirable" names, what is the benefit of having two separate namespaces for the same name in different countries? [1]

This goes strictly contrary to DNSSEC, where, out of operational concerns, all validators know the same universal root signing key. Each "Autonomous Internet" would require its own root key, and any client which may move between multiple AIPs would need to either a priori know all distinct AIP root keys or somehow securely discover the individual AIP's root key (HOW?!)

There is also the namespace confusion problem, which is a security problem: www.example.com in AIP A ?= www.example.com in AIP B. This is a huge concern, even if you solve the DNSSEC key problem, since subverting either AIP will affect all clients in that AIP, and any client who goes between AIPs.

Fragmenting the namespace IS a security problem.

[1] And if you want to block undesirable names, the existing infrastructure does a good job of it.
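The trust-anchor and namespace-confusion points above can be made concrete with a small model of DNSSEC chain-of-trust validation. The following Python is an added example, not part of Weaver's message or of the draft. The DS digest and key-tag computations follow RFC 4034; everything else is a labelled stand-in: the DNSKEY "public key" bytes, the per-zone secrets, the two "AIP" root keys, the IP addresses and the collapsed example.com delegation are all constructed, and an HMAC over the RRset stands in for a real RRSIG because the point is how a validator decides which root to believe, not the signature algorithm.

```python
"""Toy DNSSEC validator: one universal root vs. per-AIP roots (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


def name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(dnskey_rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the non-RSA/MD5 algorithm)."""
    acc = 0
    for i, b in enumerate(dnskey_rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, dnskey_rdata: bytes) -> str:
    """RFC 4034 s5.1.4 DS digest type 2: SHA-256(owner name wire || DNSKEY RDATA)."""
    return hashlib.sha256(name_wire(owner) + dnskey_rdata).hexdigest()


@dataclass
class Zone:
    name: str
    secret: bytes                      # constructed; stands in for the zone's private key
    signed: dict = field(default_factory=dict)  # (owner, rtype) -> (rdata, toy RRSIG)

    @property
    def dnskey(self) -> bytes:
        # flags=257 (KSK/SEP), protocol=3, algorithm=13; the "public key" is derived from the toy secret
        return struct.pack("!HBB", 257, 3, 13) + hashlib.sha256(b"pub:" + self.secret).digest()

    def sign(self, owner: str, rtype: str, rdata: bytes) -> bytes:
        # Toy RRSIG: HMAC with the zone key. A real validator verifies with the DNSKEY public key.
        return hmac.new(self.secret, name_wire(owner) + rtype.encode() + rdata, hashlib.sha256).digest()

    def publish(self, owner: str, rtype: str, rdata: bytes) -> None:
        self.signed[(owner, rtype)] = (rdata, self.sign(owner, rtype, rdata))

    def verify(self, owner: str, rtype: str, rdata: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(owner, rtype, rdata), sig)


def build_aip(label: str, root_secret: bytes, www_addr: str) -> list:
    """One 'Autonomous Internet': its own root key signing a DS for com., which serves the leaf.
    (example.com's own delegation is collapsed into com. to keep the chain short.)"""
    root = Zone(".", root_secret)
    com = Zone("com.", hashlib.sha256(label.encode() + b"-com-secret").digest())
    com.publish("www.example.com.", "A", bytes(int(o) for o in www_addr.split(".")))
    root.publish("com.", "DS", bytes.fromhex(ds_digest("com.", com.dnskey)))
    return [root, com]


def validate(trust_anchors: set, chain: list, qname: str) -> tuple:
    """Walk root -> com. -> answer. Returns ('secure', address) or ('bogus', reason)."""
    expected_ds = None
    for i, zone in enumerate(chain):
        digest = ds_digest(zone.name, zone.dnskey)
        if expected_ds is None:
            if digest not in trust_anchors:
                return ("bogus", "root DNSKEY tag %d matches no configured trust anchor" % key_tag(zone.dnskey))
        elif digest != expected_ds:
            return ("bogus", "DNSKEY of %s does not match the parent's DS" % zone.name)
        for (owner, rtype), (rdata, sig) in zone.signed.items():
            if not zone.verify(owner, rtype, rdata, sig):
                return ("bogus", "RRSIG failure on %s %s" % (owner, rtype))
        if (qname, "A") in zone.signed:
            return ("secure", ".".join(str(b) for b in zone.signed[(qname, "A")][0]))
        if i + 1 >= len(chain) or (chain[i + 1].name, "DS") not in zone.signed:
            return ("bogus", "chain of trust ends before %s" % qname)
        expected_ds = zone.signed[(chain[i + 1].name, "DS")][0].hex()
    return ("bogus", "no answer in chain")


# Constructed data: two AIPs with different root keys and different answers for the same name.
AIP_A = build_aip("A", b"aip-a-root-secret", "192.0.2.10")
AIP_B = build_aip("B", b"aip-b-root-secret", "198.51.100.7")
ANCHOR_A = {ds_digest(".", AIP_A[0].dnskey)}   # what a validator in AIP A is configured with
ANCHOR_B = {ds_digest(".", AIP_B[0].dnskey)}
# An attacker holding AIP B's root key can publish any name; a roaming client trusting both roots believes it.
FORGED_B = build_aip("B", b"aip-b-root-secret", "203.0.113.66")

QNAME = "www.example.com."

def demo() -> dict:
    return {
        "A-anchored client, A's chain": validate(ANCHOR_A, AIP_A, QNAME),
        "A-anchored client roams into B": validate(ANCHOR_A, AIP_B, QNAME),
        "client with both anchors, B's chain": validate(ANCHOR_A | ANCHOR_B, AIP_B, QNAME),
        "client with both anchors, forged B chain": validate(ANCHOR_A | ANCHOR_B, FORGED_B, QNAME),
        "A-anchored client, forged B chain": validate(ANCHOR_A, FORGED_B, QNAME),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print("%-42s %s" % (case, result))
```

Three things fall out of the run. A client configured with a single root anchor treats the other AIP's entire hierarchy as bogus, so roaming simply fails until the client somehow learns the other root key. If the client is given both anchors, the same name validates to two different addresses depending on which hierarchy answered, which is the namespace-confusion problem. And with both anchors trusted, a forged chain signed by either root key validates as secure, so a compromise of one AIP's root reaches every client that ever roams.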