[dnssec-deployment] Comments on the TAR paper
paul at xelerance.com
Fri Jun 20 16:08:24 EDT 2008
On Fri, 20 Jun 2008, Edward Lewis wrote:
> 1) But first you would need deployment of DNSSEC to happen (before an absence
> of encouragement to do something opens the door for "rogue").
There is. Some people are sitting on piles of domains, waiting to be able to
have the world use the DNSSEC deployed within them. And from there on to
extend its use with SSHFP, IPSECKEY, etc.
> 2) What is rogue?
In this context, multiple disjoint sets.
>> "leap of faith" is better then nothing?
> Think about that. How is "well, I think it is secure" better than "I am not
> sure if this is secure?" It's in the ballpark of a comment about Chernobyl -
> safety engineers shouldn't be optimists.
Leap of faith protects you against all passive attacks and some active attacks.
For example, the new Swedish mass surveillance laws passed (oh the irony of
.se being DNSSEC secured)
> Yeah, they "*could*."
So let's make sure "they" are us, the people on the forefront with the most
experienve and knowledge on these matters.
> Registries and registrars are not in existence to push technology forward.
Neither are browsers :)
> Do you think the registries and registrars should pour money into
> technologies for which there is no payoff?
That market will create itself. I am not too worried about that segment. We'll
see .com people move to .eu if that would be secured sooner. In fact, I have
been very tempted to redirect openswan.org to openswan.se, and make that the
new default contact point :)
The problem we need to address is not how to get 1 registry on board. What we
need to address is how to facilitate those registries that want to offer this
to their registrants. There are a few non-profits involved here, that have
nothing to do with making profits.
> payoff. I don't hear many people screaming for an IRIS roll out to help stop
> WhoIs abuse.
whois abuse gives the enduser more spam. That's a drop in the ocean. It does
not compare to DNSSEC at all.
> Most domain name holders (I won't say owners for a reason) out source their
> web presence - they don't have a "technical guy". For a better description
> of what I am trying to say:
If you have no control over your domain, DNSSEC is not going to make a difference
either way. It almost seems you're arguing we shouldn't install improved breaks
on leased cars, cause it isn't our car.
>> Exactly. "whoever can add DS records to the zone is our contact". It's the
>> model NLnetlabs used with the .nl.nl SECREG, and it is what ISC's DLV
>> model is. You can't start secoond guessing.
> See the above article. Many times a domain name user enters a relationship
> without being an expert in the ways of the domain name industry. BTW, yes,
> you can second guess.
Ask your layers. You cannot second guess without becoming a party.
>>> I don't think the TAR can assume that the relationship between the domain
>>> name user (customer) and operator is always amicable.
>> They can not otherwise assume, without being drawn into the conflict.
> What I should have said was "TAR can not assume that the relationship is
> amicable when designing the TAR's policies."
On the contrary. They MUST assume that.
> I don't want to get into a flame war over whether there is demand for DNSSEC
> or not, so I'll just not respond to any claims that there is demand leading
> us to "need" a TAR.
I have 500+ domains ready with DNSSEC, and all that's preventing the world
to use it, because they're not in .se, is a TAR. I'm currently putting my
bets on ISC's DLV, in combination with distro's starting to roll out TLD
keys in resolver configurations as add-on.
More information about the Dnssec-deployment