Re: DS and Opt-in - a proposal
On Sat, 29 Dec 2001, Jaap Akkerhuis wrote:
> Folks,
>
> though i am still personally a bit uncomfortable with opt-in for
> reasons related to this, the likely harm of unneeded uses seems low, and
> the verisign gang whine soooo pathetically :-).
>
> What personally disturbs me about this discussion is that there is
> so little technical or operational content in the whining.

I was glad that in SLC we've put the layer 8/9 arguments aside and could
finally focus on the protocol itself. Anyway:

Opt-in improves the protocol because:

o it gives a choice between 2535 or opt-in. (the domain-holder can make
  that choice)
o opt-in gets rid of unwanted/unnecessary crypto. (the domain-holder
  decides what is necessary and what not).

Conclusion, a smaller zone to manage, a smaller zone to service, a smaller
zone to handle. And still, the signed data will be as secure as with 2535,
the unsigned data will be as secure as with 1035. There is no ambiguity
anymore as in "this unsigned data might be spoofed[1035], but
exists[2535]". Everyone gets what they want. If one is "a bit
uncomfortable with" or is "personally disturbed" by opt-in, sign the zone
2535-style. You have that choice :-)

> Apart from the somewhat dogmatic statement ``my XX-million customers
> will complain'', I have been told that ``Yes, we can sign but the
> current technology cannot provide the footprint we need to service a
> secure com. zone''. (Statements like these were made in Salt Lake
> City). Up to now, I haven't seen any numbers supporting this
> statement.

I find it very reasonable to accept/believe that serving a zone 2535 style
is more costly than serving an opt-in style zone.

> I would really like to see some numbers, hard facts or at least
> some data to support why an opt-in is needed.
>
> jaap
>
> PS. Why do I want to see this? About two years ago (around that
> time anyway) arguments were floating around that it would
>     be impossible to do DNSSEC because signing big zones was
>     close to being impossible. These arguments turned out to
>     be hearsay. Yes, signing big zones is hard but doable.
>
> Now convince me that an opt-in DNSSEC solution is really
> needed.

Should large investments in operational hardware be made for a protocol
requirement that is unwanted by some, just because we can? Since a
domain-holder will be confronted with the extra costs, without having a
choice, it will be calculated through to the sub-domain-holder. If that is
going to happen, we're even further away from deployment.

Now convince me that an opt-in DNSSEC solution really will hurt,
security-wise.