
RE: opt-in and large zones



Okay, here's my devil's advocate viewpoint.

It wouldn't be hard to muster an army of volunteers who would gladly spend
many man-years signing zones on behalf of domain registrants who think they
don't want/need DNSSEC enough to pay for it if registrars who think they
can't afford to deploy DNSSEC agree to let volunteers do all of the work for
free that the registrars would otherwise have to do without additional
compensation from registrants.

Likewise, volunteers would gladly manage all extra burdens placed on TLD
zone managers other than hardware, bandwidth, and electricity costs. All
manpower costs are irrelevant when it comes to deploying DNSSEC, because if
the people who read this list really need manpower help to get the job done
and really can't afford to pay for it, all they need to do is explain the
predicament in a public plea for help and give volunteers appropriate access
permissions and software tools that enable them to shoulder the burden
instead.

Even with potential threats of key theft caused by the probable necessity of
distributing many copies of the TLD zone signing private key to various
volunteer coordinators, and the possibility of cryptanalysis by way of chosen
plaintext oracle attacks where a lazy volunteer coordinator fails to detect
and prevent such a thing, the security improvement provided by signed DNS
zones is critically important to the integrity of Internet infrastructure,
and less-than-perfect is better than what we've got today with DNS.

Considering that deployment and operations are the crux of the issue here,
hasn't anyone drafted detailed business scenario and security scenario
analysis documents that frame this debate?

The technical issues are minor and somewhat philosophical. We're not talking
about updating end-user client resolver libraries any time soon; that will
always be optional... Either the client node wants DNSSEC and therefore
updates its resolver, or it is satisfied with IPSec-protected DNS where the
DNS server does support DNSSEC; otherwise the client node doesn't benefit
from signed zones. However, automated DNSSEC crawlers can and should be
implemented that verify signatures obtained from authoritative DNSSEC
servers and then query every DNS server looking for poisoned RRs. Poisoned
DNS servers can quickly be taken offline, and daily security alerts could be
issued by ICANN or CERT detailing known-poisoned DNS servers. With such a
system in place we could deploy a good-enough initial protection simply by
coordinating authentic communications from registrants to a single DNSSEC
server that never gets queried by anything but the crawler and is managed
entirely by volunteer staff.

The nameservice protocol would still be DNSSEC and we would still need each
TLD to have a key pair, but the deployment could actually succeed in the
near term without convincing everyone that they need and want DNSSEC badly
enough to invest money in it. And the initial population of the
authoritative DNSSEC server would still be complete and automatic, based on
the current (perceived) contents of the authoritative nameservers for each
domain. This way "opt-in" is unnecessary, and those domains that are already
compromised remain so in the DNSSEC until we receive authentic
communications from the domain registrant offering corrections.

Sincerely,

Jason Coombs
jasonc@science.org
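The crawler's comparison step sketched above, as an added illustration that is not from the original post: the authoritative RRsets are assumed to have already been verified against their DNSSEC signatures (the signature check itself is out of scope here), and the script then flags any other DNS server whose answers diverge, normalizing owner-name case and ignoring TTL and record order since both legitimately vary between servers. All server names, owner names and addresses are constructed.

```python
from collections import defaultdict

# Constructed reference: RRsets assumed already verified against the
# authoritative DNSSEC servers' signatures, keyed by (owner, type).
VERIFIED = {
    ("www.example.", "A"): {"192.0.2.10", "192.0.2.11"},
    ("mail.example.", "A"): {"192.0.2.25"},
}

# Constructed answers as a crawler might collect them from other servers.
# Fields: server owner type ttl rdata. TTLs and record order legitimately
# differ between servers, so the comparison must ignore both.
OBSERVED = """\
ns1.isp.example www.example. A 3600 192.0.2.11
ns1.isp.example www.example. A 3600 192.0.2.10
ns1.isp.example mail.example. A 120 192.0.2.25
cache.other.example WWW.EXAMPLE. A 60 203.0.113.66
cache.other.example mail.example. A 60 192.0.2.25
cache.other.example ftp.example. A 60 192.0.2.21
"""

def normalize_name(name):
    # Owner names compare case-insensitively; make them absolute too.
    n = name.lower()
    return n if n.endswith(".") else n + "."

def parse_observed(text):
    """Group answers by server and (owner, type), dropping TTL and order."""
    by_server = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.strip():
            continue
        server, owner, rtype, _ttl, rdata = line.split()
        by_server[server][(normalize_name(owner), rtype.upper())].add(rdata)
    return by_server

def find_poisoned(verified, by_server):
    """Return {server: [(owner, type, observed, expected), ...]} for every
    RRset that differs from its verified counterpart. RRsets with no
    verified reference (ftp.example above) are skipped: without a
    signature-checked answer there is nothing to compare against."""
    report = {}
    for server, rrsets in by_server.items():
        bad = [(owner, rtype, rdata, verified[(owner, rtype)])
               for (owner, rtype), rdata in rrsets.items()
               if (owner, rtype) in verified and rdata != verified[(owner, rtype)]]
        if bad:
            report[server] = bad
    return report
```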

-----Original Message-----
From: owner-namedroppers@ops.ietf.org
[mailto:owner-namedroppers@ops.ietf.org]On Behalf Of Mark Kosters
Sent: Wednesday, September 18, 2002 10:56 AM
To: Jaap Akkerhuis
Cc: namedroppers@ops.ietf.org
Subject: Re: opt-in and large zones


On Wed, Sep 18, 2002 at 11:17:02AM +0200, Jaap Akkerhuis wrote:
> That was my point. There are zones out there which are bigger than
> .net & .org, and thus far I haven't noticed that folks
> maintaining these zones want OPT-IN.

Devil's advocate time. Have these zone maintainers taken the time to
understand what it takes to deploy dnssec? I surmise that interest may not
be there since there is no immediate demand from their customers to deploy
dnssec. I base my assertion on the fact that I have yet to hear any interest
either directly or indirectly from any registrar that deals with com/net/org
that they want dnssec.

Mark

--

Mark Kosters          markk@verisignlabs.com       Verisign Applied Research

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>