Re: DS and Opt-in - a proposal
On Fri, 28 Dec 2001, Olaf M. Kolkman wrote:
> On Fri, 28 Dec 2001 11:14:01 +0100 (CET)
> Roy Arends <Roy.Arends@nominum.com> wrote:
>
> >
> > Restricting the use would be possible, but is, in reality, useless. If I
> > could not leave a single name (end node) unsigned, I might delegate it
> > away as an unsigned zone.
> >
>
> That is indeed possible, just as it is possible in RFC 2535. But, it
> is clear what the status of the delegated zone is. All records are
> verifiable unsecure.
That status is also very clear with opt-in. It signals unambiguously if a
record is signed or not.
> If we want to secure the infrastructure we should build a protocol
> that goes for maximum effect. My argument is that OPT-IN in
> non-delegating zones will help in building a PKI but not secure the
> infrastructure.
Only signing records will help to secure the infrastructure, regardless of
Opt-in or 2535.
> Administrators of large caches will not turn verification on if only a
> few records in a few zones are signed; it is too expensive to
> troubleshoot and there is little to gain. I think we are far from
> having the applications or their host OSes doing their own
> verification, so if administrators do not turn their caches into
> verifying caches then DNSSEC has failed to secure the infrastructure.
I hear so many stories about the future of DNSSEC, I'll refrain from
making statements. I'm not worried though.
> The other interest group, users that want to use the DNS as a PKI, will
> not suffer from OPT-IN.
Okay.
> I can live with OPT-IN if it is designed to be a transition mechanism
> for g|tLDs. If it is designed to be used throughout the whole tree
> DNSSEC will lose.
I'm afraid that it is very difficult (if not impossible) to restrict the
domain holder like that.
Restricting opt-in to delegations only is merely a psychological
restriction. The domain holder can legally "route" around that restriction
easily.
Roy