[dnssec-deployment] DKIM and DNSSEC -- a representative added value from DNSSEC

Edward Lewis Ed.Lewis at neustar.biz
Fri Feb 10 11:20:31 EST 2006


At 11:06 -0500 2/10/06, Stuart E. Schechter wrote:
>>>>  The DNSSEC signatures over SSHFPs or IPSECKEYs or others are not
>>>>  certificates.
>>>>  They are helpful in that they provide for the usual data origin
>>>>  authentication, but no more.
>>>
>>>     I don't see the difference.  Certificates indicate that the public key
>>>  data originated from the owner of a domain name.  It's functionally the
>>>  same thing.
>>
>>  you're asserting that the domain name holder is functionally identical
>>  to the sysadmin of a machine.
>
>    No, I'm not.  I'm simply saying that the domain name holder is the one
>who is in charge of identifying which machine has that domain name.  This is
>what certificates do.  The question was whether SSHFPs stored in DNSSEC are
>less authoritative than certificates, as Peter suggested.
>
>>  empirically we know this is not the
>>  case. in the case of MIT, what assurances do i have that you have
>>  given Jeff your computer's ssh keys to put into the DNS?
>
>    If I want a certificate for my machine, I need to go through Jeff.
>
>    Furthermore, the bulk of users are happy to have Jeff manage their
>fingerprint entries in order to have a directory.  The few that want to be
>their own fingerprint directory or certificate authority can ignore those
>signed via DNSSEC.
>
>    Why don't I think many want to take security into their own hands?
>The majority (62% in my NDSS study) of SSH users who use identity keys don't
>bother to encrypt their keys with a pass phrase.  Do you really think that
>many are checking all 32 characters of a fingerprint the first time they
>connect to a host?  Those who do are welcome to keep doing so.

Peace!

We can go spend a lot of time going down this rat hole by splitting hairs.

The fact is that DNSSEC applies a signature over data in one place 
and the signature is checked elsewhere.  From generation of the data 
to the signer there is no guarantee of any operational handling. 
Post-check, the same too.

Whether or not users behave one way or another, DNSSEC is defined 
only to cover a portion of the end-to-end data flow.  As such, DNSSEC 
is not able to say the data is "correct" or "fresh" - just that it 
arrived from the signer/authoritative server to the verifier/cache 
server unchanged and intact.  No more than that.

As to whether there is a certificate - you need to define what a 
certificate is - and the connotation.  An RRSIG certifies something, 
but not the same that a compliant X.509 certificate certifies.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Nothin' more exciting than going to the printer to watch the toner drain...
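To make the point in the reply above concrete (a signature is applied at the zone signer, checked at the validator, and says nothing about how the data was handled before it reached the signer), here is an added Go example. It is not part of this thread and not code from any DNSSEC or OpenSSH implementation: it is a toy model with its own names (RR, signRR, validateRR, sshfpRdata, runScenario) and several simplifications (one record signed with Ed25519 in place of a canonical RRset, a single zone key in place of the DNSKEY/DS chain, no RRSIG validity window). The SSHFP fingerprint it builds follows RFC 6594/7479 (algorithm 4, fingerprint type 2, SHA-256 over the SSH wire encoding of the host key); the "stale key" is a constructed sample. The three scenarios show what the validator's check does catch (alteration between signer and validator), what it cannot (a wrong key submitted to the signer), and where the SSH client's own fingerprint comparison is what notices the latter.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// RR is a minimal stand-in for one DNS resource record. Real DNSSEC signs
// whole RRsets in canonical form (RFC 4034); this toy signs a single record.
type RR struct {
	Name  string
	Type  string
	Rdata []byte
}

// lenPrefixed concatenates fields, each preceded by a 4-byte big-endian
// length, so adjacent fields cannot run together.
func lenPrefixed(fields ...[]byte) []byte {
	var out []byte
	for _, f := range fields {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(out, n[:]...)
		out = append(out, f...)
	}
	return out
}

// canonical is the byte string the zone signer signs and the validator re-derives.
func canonical(rr RR) []byte {
	return lenPrefixed([]byte(rr.Name), []byte(rr.Type), rr.Rdata)
}

// signRR plays the zone signer: it produces the RRSIG analogue for one record.
func signRR(zoneKey ed25519.PrivateKey, rr RR) []byte {
	return ed25519.Sign(zoneKey, canonical(rr))
}

// validateRR plays the validating resolver: true only if the record it holds
// is byte-for-byte what the holder of the zone key signed.
func validateRR(zoneDNSKEY ed25519.PublicKey, rr RR, sig []byte) bool {
	return ed25519.Verify(zoneDNSKEY, canonical(rr), sig)
}

// sshfpSHA256 is the fingerprint field of an SSHFP record for an Ed25519 host
// key: SHA-256 over the SSH wire encoding (string "ssh-ed25519", string key),
// which is also what an SSH client computes from the key the host presents.
func sshfpSHA256(hostKey ed25519.PublicKey) []byte {
	sum := sha256.Sum256(lenPrefixed([]byte("ssh-ed25519"), []byte(hostKey)))
	return sum[:]
}

// sshfpRdata builds SSHFP RDATA: algorithm 4 (Ed25519, RFC 7479),
// fingerprint type 2 (SHA-256, RFC 6594), then the fingerprint itself.
func sshfpRdata(hostKey ed25519.PublicKey) []byte {
	return append([]byte{4, 2}, sshfpSHA256(hostKey)...)
}

// Outcome records what each check in the flow does and does not detect.
type Outcome struct {
	HonestValidates     bool // correct key, record untouched in transit
	TamperedValidates   bool // record altered between signer and validator
	WrongKeyValidates   bool // wrong key handed to the signer, signed faithfully
	WrongKeyMatchesHost bool // does the SSH client's fingerprint comparison pass?
}

func runScenario() (Outcome, error) {
	var out Outcome
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	realHost, _, err := ed25519.GenerateKey(rand.Reader) // key the host really uses
	if err != nil {
		return out, err
	}
	staleHost, _, err := ed25519.GenerateKey(rand.Reader) // constructed: key submitted by mistake
	if err != nil {
		return out, err
	}
	name, typ := "host.example.", "SSHFP"

	// 1. Honest path: the record the signer signed reaches the validator intact.
	honest := RR{name, typ, sshfpRdata(realHost)}
	sig := signRR(zonePriv, honest)
	out.HonestValidates = validateRR(zonePub, honest, sig)

	// 2. Between signer and validator: one fingerprint byte flipped. This is
	//    the segment DNSSEC covers, so the signature check fails.
	tampered := RR{name, typ, append([]byte(nil), honest.Rdata...)}
	tampered.Rdata[2] ^= 0x01
	out.TamperedValidates = validateRR(zonePub, tampered, sig)

	// 3. Before the signer: a stale key is submitted. The signer signs what it
	//    is given, so the validator sees an authentic, valid, but wrong record.
	wrong := RR{name, typ, sshfpRdata(staleHost)}
	out.WrongKeyValidates = validateRR(zonePub, wrong, signRR(zonePriv, wrong))
	//    Only the client's comparison against the key the host actually presents
	//    notices that the authentic record is not the correct one.
	out.WrongKeyMatchesHost = bytes.Equal(wrong.Rdata[2:], sshfpSHA256(realHost))
	return out, nil
}

func main() {
	out, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running it prints HonestValidates and WrongKeyValidates as true, TamperedValidates and WrongKeyMatchesHost as false: the validator vouches for "unchanged from the signer", and nothing more, exactly as the reply says. Whether the fingerprint placed in the zone is the right one is an operational question on the signer's side of the flow, and the last check in the SSH client is the only place in this model that can answer it.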