
Re: [dnsext] Trust Anchors


Hi Bob,

+1 for CLOSEST.  (But I already voiced that before).

Bob Halley wrote:
>> Supporters of CLOSEST argue that the detection of a compromise or other
>> problem in the parent is good security.
Paul Vixie wrote:
> enclosing static trust anchors are a bad idea, and if they are configured
> then the software should syslog a warning about it, early and often.

There is an even worse problem than the one Paul mentions: use two layers
of trust anchor with ANY, and the following happens:

example.com: signed by local company, trust anchor.
com: signed but example.com is not signed, trust anchor.
(fairly regular case where the company uses a domain internally,
and .com is using, say, opt-out NSEC3)

In this case, the people from Verisign and local IT are good,
and the anchors may be up to date, but some (spoofed) response
makes the validator go up from the valid example.com DNSKEY to
the securely-insecure delegation from .com.

It can be fixed with 'MOSTLY-ANY', where the chain of trust MUST
extend securely to the lowest trust anchor available.  Thus,
an invalid trust anchor is then not a no-op but instead
states 'must be secure at this domain'.  If ANY is adopted
I suggest this so as to make it secure.

I think it is getting complicated for little benefit, hence CLOSEST.

Best regards,
   Wouter
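The scenario in the message, worked through as a toy model of the three anchor-selection policies (CLOSEST, ANY and the proposed MOSTLY-ANY). This is an added example, not code from any resolver or from the thread; the zone names, the `delegation`/`signers` representation of what a validator observed, and the policy names as function arguments are all assumptions.

```python
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

def is_under(name, zone):
    return name == zone or name.endswith("." + zone)

def suffixes(name):
    """'www.example.com' -> ['com', 'example.com', 'www.example.com'] (top-down)."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))][::-1]

def validate_from(anchor, qname, delegation, signers, anchors, strict=False):
    """Walk from the anchor's zone down to qname with what the resolver observed.
    delegation[zone] is what the parent proved: 'ds' (secure delegation) or
    'nods' (no DS, e.g. an opt-out NSEC3 span); names without an entry are
    in-zone.  signers is the set of zone keys with a valid RRSIG over the answer.
    strict=True is the MOSTLY-ANY rule from the message: every lower anchor
    zone on the path must be reached in a SECURE state, else the chain is bogus."""
    state, signing_zone = SECURE, anchor   # the anchor key is assumed to match the DNSKEY
    for name in [n for n in suffixes(qname) if is_under(n, anchor)][1:]:
        cut = delegation.get(name)
        if cut is not None:
            signing_zone = name
            if state == SECURE:
                state = {"ds": SECURE, "nods": INSECURE}.get(cut, BOGUS)
        if strict and name in anchors and state != SECURE:
            return BOGUS
    if state == SECURE and signing_zone not in signers:
        return BOGUS           # secure chain, but the answer itself carries no valid signature
    return state

def validate(policy, qname, delegation, signers, anchors):
    usable = [a for a in anchors if is_under(qname, a)]
    if policy == "CLOSEST":
        return validate_from(max(usable, key=len), qname, delegation, signers, anchors)
    results = [validate_from(a, qname, delegation, signers, anchors,
                             strict=(policy == "MOSTLY-ANY")) for a in usable]
    # ANY-style combination: any secure chain wins, else any insecure chain, else bogus
    return SECURE if SECURE in results else INSECURE if INSECURE in results else BOGUS

# Constructed scenario from the message: a .com anchor plus a local example.com anchor,
# while .com (opt-out NSEC3) proves there is no DS for example.com.
ANCHORS = {"com", "example.com"}
DELEGATION = {"example.com": "nods"}
GENUINE = {"example.com"}   # the real answer is signed by the company's key
SPOOFED = set()             # a forged answer with no valid signature at all

def outcomes(signers):
    return {p: validate(p, "www.example.com", DELEGATION, signers, ANCHORS)
            for p in ("CLOSEST", "ANY", "MOSTLY-ANY")}
```

With the forged answer, ANY walks up to the .com anchor and accepts it as insecure, while CLOSEST and MOSTLY-ANY both return bogus; all three accept the genuine, signed answer.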
