Re: [dnsext] [dane] Trustworthiness of DNSSEC data
"Richard L. Barnes" <rbarnes@bbn.com> Mon, 27 June 2011 12:56 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7373C11E80F7; Mon, 27 Jun 2011 05:56:26 -0700 (PDT)
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 125B021F8568; Sun, 26 Jun 2011 20:33:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id csYXwd7OHSoj; Sun, 26 Jun 2011 20:33:24 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 8361921F856C; Sun, 26 Jun 2011 20:33:21 -0700 (PDT)
Received: from [128.89.253.249] (port=51349 helo=[192.168.1.10]) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1Qb2Zc-000GrW-Ez; Sun, 26 Jun 2011 23:33:21 -0400
Mime-Version: 1.0 (Apple Message framework v1082)
From: "Richard L. Barnes" <rbarnes@bbn.com>
In-Reply-To: <4E07CB7C.9000009@KingsMountain.com>
Date: Sun, 26 Jun 2011 23:33:17 -0400
Message-Id: <6FF98695-B8C2-4C90-AEC2-86680CAE0B4D@bbn.com>
References: <4E07CB7C.9000009@KingsMountain.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>
X-Mailer: Apple Mail (2.1082)
X-Mailman-Approved-At: Mon, 27 Jun 2011 05:52:48 -0700
Cc: dnsext@ietf.org, dane <dane@ietf.org>
Subject: Re: [dnsext] [dane] Trustworthiness of DNSSEC data
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
For example: <https://www.iana.org/dnssec/icann-dps.txt> On Jun 26, 2011, at 8:14 PM, =JeffH wrote: > > More generally, DNSSEC holds > > enormous potential utility as a repository of integrity-protected > > authoritative information about DNS names, including configuration for > > new opt-in security schemes. However, each of these schemes may > > increase the degree of exposure to malfeasance by the DNS operator (who > > may not be the same entity as the authoritative holder of the domain) in > > some or all cases, compared to traditional practice. > > Not to say that having these concerns is misplaced, but the DNSop WG, as well as various DNS operators, have been thinking along these lines... > > http://tools.ietf.org/wg/dnsop/ > > "DPS" = DNSSEC Practice Statement > > ..perhaps further discussion should go to the dnsop@ietf.org list? > > There's also: Dnssec-deployment@dnssec-deployment.org > > HTH, > > =JeffH > > --- > > DNSSEC Operational Practices, Version 2 > http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis > > Abstract > > This document describes a set of practices for operating the DNS with > security extensions (DNSSEC). The target audience is zone > administrators deploying DNSSEC. > > The document discusses operational aspects of using keys and > signatures in the DNS. It discusses issues of key generation, key > storage, signature generation, key rollover, and related policies. > > This document obsoletes RFC 4641 as it covers more operational ground > and gives more up-to-date requirements with respect to key sizes and > the DNSSEC operations. > > > --- > > DNSSEC Policy & Practice Statement Framework > http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-dps-framework > > Abstract > > This document presents a framework to assist writers of DNSSEC Policy > and Practice Statements such as Domain Managers and Zone Operators on > both the top-level and secondary level, who is managing and operating > a DNS zone with Security Extensions (DNSSEC) implemented. > > In particular, the framework provides a comprehensive list of topics > that should be considered for inclusion into a DNSSEC Policy > definition and Practice Statement. > > -- > > DPS framework (slides) > <http://brussels38.icann.org/meetings/brussels2010/presentation-dnssec-dps-framework-ljunggren-23jun10-en.pdf> > > DNSSEC in Sweden: Five Years of Practical Experience (slides) > <http://www.gc-sec.org/Events/Documents/AnneMarie%20Amel-2010-06-Rome-DNSSEC-workshop.pdf> > > > Root DNSSEC docs > ---------------- > > Root DNSSEC - documentation (many documents) > http://www.root-dnssec.org/documentation/ > > IANA DNSSEC Information > https://www.iana.org/dnssec/ > > > Individual DPSs > --------------- > > DNSSEC Practice Statement for the Root Zone KSK Operator > https://www.iana.org/dnssec/icann-dps.txt > > Verisign DNSSEC Practice Statements > (.net, .edu, Signing Services, root zone ZSK operator) > https://verisigninc.com/en_US/repository/index.xhtml > > RIPE DNSSEC Policy and Practice Statement > http://www.ripe.net/rs/reverse/dnssec/dps.html > > DNSSEC Practice Statement (DPS) -- .se > http://www.iis.se/docs/se-dnssec-dps-eng.pdf > > DNSSEC Practice Statement for the JP Zone (JP DPS) > https://jprs.jp/doc/dnssec/jp-dps-eng.html > > > > --- > end > > _______________________________________________ > dane mailing list > dane@ietf.org > https://www.ietf.org/mailman/listinfo/dane _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] Trustworthiness of DNSSEC data Matt McCutchen
- [dnsext] Trustworthiness of DNSSEC data Matt McCutchen
- Re: [dnsext] Trustworthiness of DNSSEC data John Levine
- Re: [dnsext] Trustworthiness of DNSSEC data Phil Regnauld
- Re: [dnsext] Trustworthiness of DNSSEC data Matt McCutchen
- Re: [dnsext] Trustworthiness of DNSSEC data Matt McCutchen
- Re: [dnsext] Trustworthiness of DNSSEC data Matt McCutchen
- Re: [dnsext] Trustworthiness of DNSSEC data John R. Levine
- Re: [dnsext] Trustworthiness of DNSSEC data John R. Levine
- Re: [dnsext] Trustworthiness of DNSSEC data =JeffH
- Re: [dnsext] Trustworthiness of DNSSEC data Patrik Fältström
- Re: [dnsext] Trustworthiness of DNSSEC data Patrik Fältström
- Re: [dnsext] Trustworthiness of DNSSEC data Paul Vixie
- Re: [dnsext] Trustworthiness of DNSSEC data John Levine
- Re: [dnsext] Trustworthiness of DNSSEC data Patrik Fältström
- Re: [dnsext] Trustworthiness of DNSSEC data Florian Weimer
- Re: [dnsext] Trustworthiness of DNSSEC data Florian Weimer
- [dnsext] (Client deployment of DANE positive asse… Matt McCutchen
- Re: [dnsext] [dane] Trustworthiness of DNSSEC data Richard L. Barnes
- Re: [dnsext] (Client deployment of DANE positive … Phillip Hallam-Baker
- Re: [dnsext] Trustworthiness of DNSSEC data Masataka Ohta
- Re: [dnsext] [dane] Trustworthiness of DNSSEC data Peter Gutmann
- Re: [dnsext] Trustworthiness of DNSSEC data Phillip Hallam-Baker
- Re: [dnsext] Trustworthiness of DNSSEC data Masataka Ohta