Re: [dnsext] draft-diao-aip-dns

Nicholas Weaver <nweaver@icsi.berkeley.edu> Wed, 20 June 2012 15:31 UTC

From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Date: Wed, 20 Jun 2012 08:31:44 -0700
To: draft-diao-aip-dns@tools.ietf.org
Cc: dnsext List <dnsext@ietf.org>
Subject: Re: [dnsext] draft-diao-aip-dns

My own $.02 as well, on just one little piece...

> 5.  Security Considerations
> 
>    There is no additional security requirement than current domain name
>    system. Security issues are not discussed in this memo.

To put this succinctly, Huh?!?


The point of this is to allow a country to "override the root": provide its own DNS hierarchy which it controls to create an "Autonomous Internet", namely, a namespace which deliberately excludes "undesirable" names.  Because unless you are excluding "undesirable" names, what is the benefit of having two separate namespaces for the same name in different countries? [1]



This goes strictly contrary to DNSSEC, where, out of operational concerns, all validators know the same universal root signing key.  

Each "Autonomous Internet" would require its own root key, and any client which may move between multiple AIPs would need to either a priori know all distinct AIP root keys or somehow securely discover the individual AIP's root key (HOW?!).



There is also the namespace confusion problem, which is a security problem:  www.example.com in AIP A ?= www.example.com in AIP B.

This is a huge concern, even if you solve the DNSSEC key problem, since subverting either AIP will affect all clients in that AIP, and any client who goes between AIPs.

Fragmenting the namespace IS a security problem.


[1] And if you want to block undesirable names, the existing infrastructure does a good job of it.
