
Re: Transition from 2535 to opt-in

Ed wrote:
 * The question of whether "authenticated denial is desired" has been answered
 * "yes" a number of times over the past year or so. The question has been
 * raised by the WG chair on the list and in person at London.  So it appears
 * that there is a desire to provide the service.  (Why?  I don't know.)
 * 
 * Opt-In allows those who want authenticated denial to have that service.
 *
 * (... technical bit skipped ...)


To me this is almost a paradox :-) 

I am still trying to get to an opinion about opt-in. A few thoughts on
the subject:

If you say "Opt-In allows those who want authenticated denial to have
that service" you only refer to the "server" side of the problem. As a
client or as a user of the system I have little choice.

If opt-in is adopted the zone owner will decide at which granularity
authenticated denial of existence is in place:
  - In a verifiably insecure zone there is no such thing as authenticated
    denial.
  - In an RFC2535 zone authenticated denial is available for all records
    in the zone.
  - In an OPT-IN zone the authenticated denial is granular.

IMHO DNSSEC can only be a success if it is widely deployed over the
DNS tree and it is easy for end users to understand whether they are in
a secure zone or not. Adding granularity makes understanding the security in
the tree much harder for end users (i.e. troubleshooting sysadmins). I
am concerned about OPT-IN becoming a widely deployed mechanism because
it adds complexity to the secure DNS tree that is expensive for the
end-user. In other words, I understand that opt-in allows for
reasonable (and billable) costs on the server side. I am worried about
the costs of opt-in on the client side prohibiting deployment.

AFAIK .com is one of the few (and maybe the only) zone(s) that has
scaling problems when using a non granular (rfc2535) approach. What I
understand from the NLnet Labs folk is that it is technically possible
to sign and serve relatively big TLDs such as .de (on a desktop PC)
and even .com (on a $5000 alpha).

Since I think opt-in is only useful for HUGE delegation zones I
would like to see the last line of the security section changed
from:

"Thus, it is recommended to use RFC 2535 [4] where possible and to use
Opt-In where necessary."

into:
"opt-in increases the complexity of the secure DNS tree, therefore
its use should be very carefully considered. RFC 2535 NXT records
SHOULD be used in almost all zones. The use of opt-in SHOULD only be
considered in zones that mainly consist of delegation records and for
which inclusion of NXT for the whole zone is prohibitively
expensive."


--Olaf 

PS. One technical argument for authenticated denial of existence is a
countermeasure against DOS attacks: I query for an RR in a secured
domain and I get an NXDOMAIN or NOANSWER back from a man in the
middle. Without authenticated denial of existence I will be lost.
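The three zone styles discussed above (verifiably insecure, RFC 2535 NXT chain, Opt-In chain) and the PS about forged NXDOMAIN answers, as an added example that is not part of the original message, the draft, or any NLnet Labs code. It is a simplified resolver-side model: a SIG over the NXT is represented as a boolean, the Opt-In marker as a field on the record rather than the draft's wire encoding, and the zone "example." with names a, c and m is constructed for the demonstration.

```python
# Added example: a simplified model of authenticated denial of existence
# with RFC 2535 NXT records, and of how an Opt-In span weakens that proof.
# Not code from the draft or from the message author. Signatures are a
# boolean, the Opt-In marker is a field on the record (not the wire
# encoding), and the zone below is constructed.

from dataclasses import dataclass
from typing import List, Optional

APEX = "example."  # constructed zone apex


def canonical(name: str) -> tuple:
    """Ordering key for RFC 2535 canonical name order: labels compared
    right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


@dataclass(frozen=True)
class NXT:
    owner: str            # owner name of the NXT record
    next_name: str        # next owner name in the chain (apex = wrap-around)
    signed: bool          # a valid SIG covers this NXT (modelled as a flag)
    opt_in: bool = False  # span may hide unsigned delegations (Opt-In)


def covers(nxt: NXT, apex: str, qname: str) -> bool:
    """True when qname falls strictly between owner and next_name, i.e. the
    span asserts that no such owner name is in the chain."""
    o, n, q = canonical(nxt.owner), canonical(nxt.next_name), canonical(qname)
    if n == canonical(apex):  # last record wraps back to the apex
        return q > o
    return o < q < n


def deny(chain: List[NXT], apex: str, qname: str) -> Optional[NXT]:
    """Server side: pick the NXT whose span covers qname. A name that is
    itself an owner in the chain is covered by nothing, so an honest
    server can never produce a denial for it."""
    for nxt in chain:
        if covers(nxt, apex, qname):
            return nxt
    return None


def validate_denial(apex: str, qname: str, nxt: Optional[NXT]) -> str:
    """Resolver side. 'secure_denial': the name provably does not exist.
    'insecure_span': the name is absent from the chain, but the Opt-In span
    may hold an unsigned delegation, so existence stays undetermined.
    'bogus': no usable proof; a forged NXDOMAIN/NOANSWER is rejected."""
    if nxt is None or not nxt.signed or not covers(nxt, apex, qname):
        return "bogus"
    return "insecure_span" if nxt.opt_in else "secure_denial"


def demo() -> dict:
    # Full RFC 2535 chain: every owner name, including the delegation at
    # c.example., has its own NXT.
    rfc2535_chain = [
        NXT("example.", "a.example.", signed=True),
        NXT("a.example.", "c.example.", signed=True),
        NXT("c.example.", "m.example.", signed=True),
        NXT("m.example.", "example.", signed=True),
    ]
    # Opt-In chain: c.example. is an unsigned delegation, so it is left out
    # and the a -> m span is flagged Opt-In.
    opt_in_chain = [
        NXT("example.", "a.example.", signed=True),
        NXT("a.example.", "m.example.", signed=True, opt_in=True),
        NXT("m.example.", "example.", signed=True),
    ]
    r = {}
    # Honest denials in each zone style.
    r["2535_b"] = validate_denial(APEX, "b.example.", deny(rfc2535_chain, APEX, "b.example."))
    r["2535_z"] = validate_denial(APEX, "z.example.", deny(rfc2535_chain, APEX, "z.example."))
    r["optin_b"] = validate_denial(APEX, "b.example.", deny(opt_in_chain, APEX, "b.example."))
    # c.example. really exists (unsigned delegation), yet the Opt-In chain
    # covers it exactly like the nonexistent b.example.: no way to tell.
    r["optin_c"] = validate_denial(APEX, "c.example.", deny(opt_in_chain, APEX, "c.example."))
    # A man in the middle forging NXDOMAIN for a.example., which exists:
    # no signed span covers it, and an NXT without a SIG proves nothing.
    r["forged_existing"] = validate_denial(APEX, "a.example.", rfc2535_chain[1])
    r["forged_unsigned"] = validate_denial(
        APEX, "b.example.", NXT("a.example.", "z.example.", signed=False))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The "optin_c" case is the client-side cost the message worries about: the resolver sees the same signed Opt-In span for a name that exists (an unsigned delegation) and for one that does not, so the answer can only be "undetermined", and a sysadmin troubleshooting the zone has to know which spans are Opt-In to interpret it. The two forged cases are the PS: with a complete signed chain a spoofed NXDOMAIN for an existing name never matches a span, so it is discarded rather than believed.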
