Re: DS and Opt-in - a proposal
On Thu, 27 Dec 2001 22:25:59 -0800 (PST)
Brian Wellington <bwelling@xbill.org> wrote:
> If the goal is to restrict the use of opt-in, this would do it, but I
> don't know if that's the goal.
I am for restricting the use of opt-in; if we allow the use of OPT-IN in
end nodes of the DNS tree I fear that DNSSEC has lost its usefulness for
protecting the DNS infrastructure.
The reason is that securing the DNS as a whole is IMHO the whole
purpose of the game. If we allow administrators to sign only a few RRs
in a zone (which we do with non-restricted OPT-IN) then we might end
up in a situation where only the records that might be useful in a PKI
context are signed.
If we want to secure the DNS then security should not be optional on
RR level because then the path of least resistance will be chosen and
we end up with only a few RRs signed in each zone.
The second argument is, again, from the view of the resolver
administrator. Who would set up a verifying cache if the cost of
troubleshooting is too high? Troubleshooting costs would be high if
authenticated denial of existence is lost at end node zones. Mind you
that the first use of DNSSEC would be securing large caches. (That is
one of our major goals within the DISI project, getting zones
secured and getting ISPs to verify them).
I realize these are not purely technical arguments, but zone and
resolver operators are humans. Humans tend to take the path of least
resistance.
As you know I am not pro OPT-IN but I understand its need. As argued
long ago I think that OPT-IN should be used only in a few (g|t)LD
zones and as a transition mechanism; any other use would not help
securing the DNS. Designing the protocol in such a way that it can
only be used for delegating zones and as a transition mechanism is I
think a Good Thing (TM).
Pheww... Happy new year all.
--Olaf
---------------------------------------------------------------------
Olaf M. Kolkman | RIPE NCC DISI Project
----------- | --------------- ----------------
RIPE NCC | Phone: +31 20 535 4444 |
Singel 258 | Fax: +31 20 535 4445 |
1016 AB Amsterdam | http://www.ripe.net/disi |
The Netherlands | OKolkman@ripe.net |
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.