Re: [dnsext] Trust Anchors
if CLOSEST does not match but ANY does, then a system capture in an ancestor
can introduce trustworthy data about my zones without changing my zone's NS.
for example if the operators of COM were to sign (offline) some data about
SPELLING-ERROR.VIX.COM and sell these signatures to OpenDNS, it would be seen
as authentic. never mind that the operators of COM, and the OpenDNS people,
are all good people and would not do this. if it's BANK-OF-AMERICA.COM rather
than VIX.COM then we're giving some financial institutions a solid theoretical
basis on which to never (ever) allow DNSSEC to be used to authenticate their
online presence.
ANY would be a disastrous mistake. CLOSEST is what we can go out and sell.
if somebody publishes one key and signs with another and complains that their
parent key should have been allowed to work, we'll tell them, "all power
tools can kill, so please don't wrap the cord around your legs like that."
given the number of ways in which DNSSEC is hard to deploy, let's not add more.
so, i'm +1 on message-id <B23BFD68-D7E4-47AA-932E-87FED98D4892@nominum.com>
by bob halley.
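As an added illustration (not part of the dnsext thread and not anyone's posted code), the following toy model shows the difference between the two policies argued over above. A validator is configured with trust anchors for both COM and VIX.COM; the question is which anchor may root the chain of trust for data about SPELLING-ERROR.VIX.COM. No DNSSEC cryptography is performed: the chain of trust (in practice the parent's DS record pointing at whatever key the parent chose to delegate to) is assumed to verify, and only the anchor-selection rule is modelled. The anchor list, the hostnames and the function names are constructed for the example.

```python
from __future__ import annotations

# Toy model of the CLOSEST vs ANY trust-anchor policy. Added example; it is
# not code from the dnsext thread. No signature checking is done: the chain
# of trust is assumed to verify, and the only thing modelled is which of the
# configured anchors a validator is willing to let that chain start from.


def normalize(name: str) -> str:
    """Canonical form for comparisons: lowercase, no trailing dot; root is ''."""
    return name.strip().lower().rstrip(".")


def enclosing_zones(name: str) -> list[str]:
    """All names from `name` up to the root (''), closest first."""
    name = normalize(name)
    zones = []
    while True:
        zones.append(name)
        if name == "":
            break
        _, _, name = name.partition(".")  # drop the leftmost label
    return zones


def closest_anchor(name: str, anchors: list[str]) -> str | None:
    """The configured trust anchor nearest to `name`, or None if none encloses it."""
    configured = {normalize(a) for a in anchors}
    for zone in enclosing_zones(name):
        if zone in configured:
            return zone
    return None


def permitted_anchors(name: str, anchors: list[str], policy: str) -> list[str]:
    """Anchors allowed to root a chain of trust for `name` under `policy`.

    CLOSEST: only the nearest enclosing configured anchor.
    ANY:     every configured anchor that encloses the name, closest first.
    """
    configured = {normalize(a) for a in anchors}
    enclosing = [z for z in enclosing_zones(name) if z in configured]
    if policy == "closest":
        return enclosing[:1]
    if policy == "any":
        return enclosing
    raise ValueError(f"unknown policy {policy!r}")


def accepts(name: str, chain_root: str, anchors: list[str], policy: str) -> bool:
    """Would a validator using `policy` treat data about `name` as secure when
    the (assumed-valid) chain of trust is rooted at the anchor `chain_root`?"""
    return normalize(chain_root) in permitted_anchors(name, anchors, policy)


if __name__ == "__main__":
    # Constructed scenario: the resolver trusts keys for both COM and VIX.COM.
    ANCHORS = ["com", "vix.com"]
    target = "SPELLING-ERROR.VIX.COM."

    # A chain rooted at the COM key (the ancestor-capture case from the mail):
    for policy in ("closest", "any"):
        print(f"{policy:8s} chain via COM for {target}: "
              f"{accepts(target, 'com', ANCHORS, policy)}")
    # A chain rooted at VIX.COM's own key is fine under both policies.
    print("closest  chain via VIX.COM:", accepts(target, "vix.com", ANCHORS, "closest"))
```

Under CLOSEST the COM-rooted chain for a VIX.COM name is rejected because VIX.COM's own anchor is nearer, which is exactly the property the message wants to sell: an ancestor cannot introduce data for a zone that has its own anchor without that zone's cooperation. Under ANY the same chain is accepted. The validator's answer for names under COM that have no anchor of their own (for example, a name under EXAMPLE.COM) is unchanged by the policy, since COM is then the closest anchor as well.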