
Re: Transition from 2535 to opt-in



Paul A Vixie <vixie@vix.com> writes:

> >       3. there is real value in securing only the RRsets that
> > 	 matter (KEYs, APPKEYs, CERT, www.bank.tld, etc.);
> >       so, secure only what needs to be secured, and forget the rest.
> 
> i challenge this.  SSL is non-universal and even so depends on
> trusting small numbers of signing authorities.  DNS is universal and
> depends only on getting one's key signed by the parent domain's
> administrator, of whom there can be an unlimited number (though only
> one per domain).

It's even worse than you say, Paul...  First, SSL only protects
TCP-based protocols.  That limits it to a subset of existing protocols
(a rather large subset, mind you, but a subset nonetheless).  Second,
using SSL doesn't help you at all when you try to use DNS indirection
pointers (CNAME, SRV, AFSDB, etc.).  Only 2535+ DNSSec can protect
blind[1] DNS "delegations" in this manner.

-derek

[1] by "blind" I mean that the end-host doesn't know about all the
potential delegations that may point to it.  In the SSL sense, what
this means is that I may have a CNAME from hostX.foo.com pointing to
hostY.bar.net; for SSL to work, hostY would need to have a certificate
for "hostX.foo.com" whereas with DNSSec it would not need to know
about this delegation.

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
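The footnote's hostX.foo.com -> hostY.bar.net scenario, worked through as an added example (this is not code from the original message or from any DNSSEC or TLS implementation). It simulates what a TLS client has to do: follow the CNAME chain to find the server, then match the certificate against the name the user actually asked for, never the CNAME target. The CNAME data and the certificate SAN lists are constructed for the example; the hostname matcher follows the RFC 6125 dNSName rules (exact match, or a single wildcard as the whole left-most label) so it also covers wildcard certificates, which the original note did not discuss.

```python
# Added example, not part of the original post: why a cert at the CNAME
# target must carry the *source* name, and what a TLS client checks.
# All zone data and SAN lists below are constructed for the example.
from __future__ import annotations

# Constructed DNS data: owner name -> CNAME target.
CNAME_CHAIN = {
    "hostx.foo.com": "hosty.bar.net",
}


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'HostX.foo.com.' == 'hostx.foo.com'."""
    return name.strip().rstrip(".").lower()


def follow_cnames(name: str, chain: dict[str, str], max_hops: int = 8) -> list[str]:
    """Return every name visited while following CNAMEs, starting with `name`.

    Raises ValueError on a loop or an over-long chain, as a resolver would.
    """
    visited = [_normalize(name)]
    while visited[-1] in chain:
        nxt = _normalize(chain[visited[-1]])
        if nxt in visited:
            raise ValueError(f"CNAME loop at {nxt}")
        if len(visited) >= max_hops:
            raise ValueError("CNAME chain too long")
        visited.append(nxt)
    return visited


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN against a host name, RFC 6125 section 6.4.3 style.

    Only a lone '*' as the entire left-most label is a wildcard; it matches
    exactly one non-empty label, and patterns like '*.com' are refused.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # 'f*o.com' or 'a.*.com' are not accepted
    if len(p_labels) < 3:
        return False  # refuse '*.com'-style patterns
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False  # wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_matches(sans: list[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list matches `hostname`."""
    return any(dnsname_matches(san, hostname) for san in sans)


def tls_check_for_lookup(requested: str, chain: dict[str, str], sans: list[str]) -> dict:
    """Simulate a TLS client: resolve `requested` (following CNAMEs) to find the
    host to connect to, then verify the certificate against the name that was
    requested.  The CNAME target plays no part in the name check; the report
    also shows what would (wrongly) happen if it did."""
    names = follow_cnames(requested, chain)
    checked = names[0]
    return {
        "connect_to": names[-1],
        "name_checked": checked,
        "ok": cert_matches(sans, checked),
        "would_pass_against_target": cert_matches(sans, names[-1]),
    }


if __name__ == "__main__":
    # hostY's own certificate: fails for a client that asked for hostX.foo.com.
    print(tls_check_for_lookup("hostX.foo.com", CNAME_CHAIN, ["hosty.bar.net"]))
    # hostY must also hold the source name (or a matching wildcard) to pass.
    print(tls_check_for_lookup("hostX.foo.com", CNAME_CHAIN, ["hosty.bar.net", "*.foo.com"]))
```

The `would_pass_against_target` field exists only to make the failure mode visible: a client that matched the certificate against the CNAME target instead of the requested name would accept hostY's certificate, which is exactly the substitution an attacker controlling the unsigned CNAME would exploit. With DNSSEC the CNAME RRset under foo.com is what gets signed, so hostY never needs to know about the delegation.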


to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.