[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remarks on draft-stjohns-dnssec-sigonly

To: Andrew Sullivan <andrew@ca.afilias.info>,namedroppers@ops.ietf.org
Subject: Re: Remarks on draft-stjohns-dnssec-sigonly
From: Mike StJohns <Mike.StJohns@nominum.com>
Date: Wed, 20 Dec 2006 17:01:28 -0500
Delivery-date: Wed, 20 Dec 2006 22:04:25 +0000
Envelope-to: namedroppers-data@psg.com

Hi Andrew -

Thanks for the thoughtful analysis.

With respect to off-tree signatures - a zone admin could add anoff-tree pointer at any point in a hierarchy and then you could relyupon the pointer if the validator actually got it. The problem isthat without some external flag (in PNE - that's the set of trustanchors) - the resolver doesn't even know the hierarchy should besigned; a simple deletion of the off-tree pointer would put the zoneback into unsecure status. If you added this, you'd be basicallycreating something about half way between PNE and SO - maybe areasonable idea, but my guess is that it makes the PNE validator evenmore complex. :-) It would definitely change the security model atleast as much as SO does.

With respect to the item below anddraft-ietf-dnsext-dnssec-opt-in-09.txt: If I'm reading this documentcorrectly, I think my statement still stands (for 4033-4045 for sureand for this document maybe). What the document does is replace achain of NSEC (delegation here, but no DS) records with a single NSEC(no DS records in the span). The entire namespace of the zone doescontinue to be signed, but in a summary way. (Of course, you can putother things in the span besides delegations, but as I read thedocument - that's not the intent. The document is silent on thetreatment of other records in the "opt in span". It would beinteresting to try and figure out what the proper behavior for anormal, non-delegation (e.g. not NS, not DS, not glue A) record inthat space would be - my guess is that anything in the span issubject to a deletion attack.

What I meant by partial signing was the ability to sign only one or afew RRSets (e.g. the MX records plus the referred to A records plusthe DNSKEY records) - the ones I really might want people to careabout - and still have a validly signed zone. I *think* if you didopt in, and did an opt nsec record "zonename nsec zonename" - you*might* get the same behavior? Again, hard to tell as the documentreally doesn't talk about non-delegation records.


Mike


At 04:09 PM 12/20/2006, Andrew Sullivan wrote:

I also don't buy the following claim, in signonly:

   o  Zones must be signed on an "all or nothing" basis.  It's
      impossible to sign just a portion of the data in the zone.

DNSSEC-bis could have been made to work this way, as the opt-in
proposal (now being advanced as experimental) shows.  Since opt-in is
included in NSEC3, it is certainly possible to sign just a portion of
the data in the zone, at least for some meaning of "sign just a
portion."  Perhaps I have misunderstood the intent or import of this
claim.



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Prev by Date: Remarks on draft-stjohns-dnssec-sigonly
Next by Date: Re: Remarks on draft-stjohns-dnssec-sigonly
Previous by thread: Remarks on draft-stjohns-dnssec-sigonly
Next by thread: Re: Remarks on draft-stjohns-dnssec-sigonly
Index(es):
- Date
- Thread