[dnssec-deployment] Comments on the TAR paper
Ed.Lewis at neustar.biz
Fri Jun 20 14:48:29 EDT 2008
At 13:46 -0400 6/20/08, Paul Wouters wrote:
>> Encouraging more "copies of data" is a step in the wrong direction. ...
>But not encouraging anything will cause "rogue TAR's" to appear, similar to
>how we had alternative root/tld operators for a while.
1) But first you would need deployment of DNSSEC to happen (before an
absence of encouragement to do something opens the door for "rogue").
2) What is rogue?
>> This scheme violates a fundamental principle of DNSSEC....
>Yes, it is a "leap of faith" done by the TAR. Though the TAR could be
>pro-actively told by the zone itself, instead of hunting and gathering
>zones via one of the dnssec spiders.
My comment was that hunting and gathering is a poor choice compared
to being "pro-actively" told. I was commenting only on the single
section in parens.
>"leap of faith" is better then nothing?
Think about that. How is "well, I think it is secure" better than "I
am not sure if this is secure?" It's in the ballpark of a comment
about Chernobyl - safety engineers shouldn't be optimists.
>The TAR's could have a one month grace period where they kick out childs when
>its parent because fully DNSSEC capable. So no incoherent or stale data around
>in the TAR/DLV/list.
Yeah, they "*could*."
>> 4) TAR registration policy (4.1)
>Tell that to the Registry and the Registrars. If they "did their job",
>we could already by supplying DS records to them (regardless of whether
>those would live only in non-operational DNSSEC, whois OPT-IN, shadow zones,
>experimental zones or TAR's)
"Their job?" Maybe this is a problem with the deployment effort, I
don't think there is group acceptance of how registries and
registrars operate. Registries and registrars live under two
influences. One is regulations. The other profit driven. Neither
influence says "do DNSSEC."
DNSSEC may do a fine job and there maybe a bunch of tools to
accomplish it. But that doesn't make DNSSEC something desirable
enough for most regulators to push it forward nor for there to be
enough demand to sustain it. Registries and registrars are not in
existence to push technology forward.
Do you think the registries and registrars should pour money into
technologies for which there is no payoff? And I don't mean just a
financial payoff. I don't hear many people screaming for an IRIS
roll out to help stop WhoIs abuse.
>>I understand that there is a feeling that the SEPs will be the
>>responsibility of the DNS operator. But the DNS operator may be an
>>illegitimate representative of the domain name user.
>If your technical guy on the inside is not to trusted, you call in
>not the IETF squad.
Most domain name holders (I won't say owners for a reason) out source
their web presence - they don't have a "technical guy". For a better
description of what I am trying to say:
>Exactly. "whoever can add DS records to the zone is our contact". It's the
>model NLnetlabs used with the .nl.nl SECREG, and it is what ISC's DLV Registry
>model is. You can't start secoond guessing.
See the above article. Many times a domain name user enters a
relationship without being an expert in the ways of the domain name
industry. BTW, yes, you can second guess.
>> I don't think the TAR can assume that the relationship between the
>>domain name user (customer) and operator is always amicable.
>They can not otherwise assume, without being drawn into the conflict.
What I should have said was "TAR can not assume that the relationship
is amicable when designing the TAR's policies."
I don't want to get into a flame war over whether there is demand for
DNSSEC or not, so I'll just not respond to any claims that there is
demand leading us to "need" a TAR.
Edward Lewis +1-571-434-5468
Never confuse activity with progress. Activity pays more.
More information about the Dnssec-deployment