On Sat, Nov 23, 2002 at 05:28:16PM -0000, D. J. Bernstein wrote:
> PGP 2048-bit ElGamal signatures are probably the best choice for
> root-zone distribution today: the signature format is reasonably simple
> and reasonably well documented, and free signature-checking software is
> already widely deployed. Of course, the root-zone protocol can support
> multiple signatures on the same file.

Let me see if I understand your proposal. You want to turn the root zone into a signed "hosts.txt" (RFC 952, 953), and how, exactly, does that scale this time around when it did not scale the last time? More distribution methods make for more attack vectors and more opportunities for DOS against different groups. Maybe it's time to review section 2.1 of RFC 1034 to see the problems with that model.

Your previous message said:
> The root-zone protocol should promise that every piece of data will
> last for a month.

That data should be guaranteed to last a month from when, exactly? From the time it was signed, or from when it was downloaded? The former will mean that *everyone* will be attempting to grab this at the same time (every thirty days from whenever this process starts), the latter will mean that the data can *never* change.

The current situation is that data is valid for a shorter period of time (1 TTL) and systems can grab it at any time, meaning that an attack has to last for the current (1/2 TTL) to create an outage that will affect most systems. If we go to a set of static data, valid for a fixed time frame, we narrow the "window of opportunity" for attack/DOS to a much smaller period (the first [time period] at the beginning of a 30 day cycle when everyone is grabbing the root zone, thus putting heavy loading on servers that are distributing the new information).

How, exactly, does this provide for a system that is more resistant to attack? It actually makes a well-planned attack (around the first [time period] of the update cycle) more likely to create an effective DOS.

And, of course, this still ignores most of the reasons for DNSSEC. Being able to get trustworthy data from entities with unknown motives is not possible when the data comes to you without its covering signatures. The provider of my DNS service being able to check signatures which they do not pass along with the data does not do anything to provide me with usable data.

Nym-based names and bookmarks do not fix the problem. Each time a key is compromised, the name changes (the key changes and therefore the fingerprint of the key which makes up the nym changes). If there is no method for a chain of trust check on DNS signature keys, owners of hosts end up making a choice between invalidating all of the "bookmarks" that other people have stored for their host, or continuing to use the compromised key.

-rob