[dnssec-deployment] Fwd: [IP] Good Always Comes Out of Bad

Steve Crocker steve at shinkuro.com
Mon Jun 30 08:26:32 EDT 2008


Peter,

I agree.  There are two quite different situations. If the registrar  
is maintaining the zone content and providing name service, which is  
indeed very common for small businesses and individuals, then this  
discussion about using DNSSEC to protect the changes is irrelevant,  
or, at the very least, depends on what controls the registrar has in  
place within its own operation.

For businesses which run their own name servers, if they sign their  
records, then it seems to me it would indeed be feasible for the  
registry to check that new records have valid signatures.  Or, to put  
this the other way around, if the registry checks signatures on new  
records, and if the business uses DNSSEC, then errors at the  
registrar level would be caught.

On the question of numbers, here's an interesting dichotomy: Yes, I  
suspect the majority of registered names are managed by the  
registrar.  On the other hand, if we look at names which are more  
likely to be the targets of attacks, it seems to me the majority of  
those are likely to be managed by their owners.

Steve


On Jun 30, 2008, at 8:15 AM, Peter Koch wrote:

> On Mon, Jun 30, 2008 at 02:08:03PM +1000, Mark Andrews wrote:
>
>> True, but only in exceptional circumstances.  Under normal operating
>> procedures you have control of both new and old servers.  Failure
>> to have such control should trigger a red flag and extra vetting of
>> requested changes.
>
> that's not how this kind of change looks from my, admittedly constrained,
> perspective in the presence of mass-webhosting and provider changes. Many
> people have little to no direct control over the zone content, let alone
> would they be able to edit the NS RRSet or make the old server(s) slave(s)
> of the new one(s).
> The case was likely different for the couple of domains that initiated
> this thread, but what you call the exception might well be the rule --
> number wise.
>
> While the problem of "domain napping" might be real and is often more
> easily associated with "DNS Security" than the response forgery addressed
> by DNSSEC, we should resist the temptation to make promises that DNSSEC
> just can't keep.
>
> -Peter
>
> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list <dnssec-deployment at shinkuro.com>.
> To unsubscribe, E-mail to: <dnssec-deployment-off at shinkuro.com>
> A public archive is available here:
> <http://mail.shinkuro.com:8100/Lists/dnssec-deployment/>
> and older material is at
> <http://mail.shinkuro.com:8100/Lists/dnssec-deployment-archive/>
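Steve's second paragraph proposes that the registry check signatures on the records a registrar submits for a zone whose owner signs it. The following Go program is an added example, not code from this thread or from any registry or registrar; it models the shape of that check with stand-ins. The zone owner signs the NS RRset with an Ed25519 key, the registry holds a SHA-256 digest of that key playing the role of the DS record, and a submitted NS change is accepted only if the presented key matches the digest on file and the signature verifies over exactly the RRset being submitted. The text canonical form, the DS digest construction, the fixed TTL and the names (example.com, ns1..ns3) are simplified assumptions, not the RFC 4034 wire formats. As both Steve and Peter note, the check only means something when the owner, not the registrar, holds the signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// NSRRset is the delegation a registrar submits to the registry on the
// domain owner's behalf: the owner name and its name servers.
type NSRRset struct {
	Owner   string
	Targets []string
}

// normalizeName lower-cases a name and gives it exactly one trailing dot,
// so that "Example.COM" and "example.com." compare equal.
func normalizeName(n string) string {
	return strings.ToLower(strings.TrimSuffix(n, ".")) + "."
}

// canonical is a simplified stand-in for the RFC 4034 canonical form that
// an RRSIG actually covers: names normalized, RDATA sorted, fixed TTL. Real
// DNSSEC signs the wire-format encoding; the shape of the check is the same.
func canonical(rr NSRRset) []byte {
	targets := make([]string, len(rr.Targets))
	for i, t := range rr.Targets {
		targets[i] = normalizeName(t)
	}
	sort.Strings(targets)
	var b strings.Builder
	for _, t := range targets {
		fmt.Fprintf(&b, "%s 3600 IN NS %s\n", normalizeName(rr.Owner), t)
	}
	return []byte(b.String())
}

// dsDigest models the DS record the registry already holds for a signed
// delegation: a SHA-256 digest binding the owner name to the zone's public
// key (simplified from the RFC 4034 DS digest over owner || DNSKEY RDATA).
func dsDigest(owner string, pub ed25519.PublicKey) string {
	h := sha256.New()
	h.Write([]byte(normalizeName(owner)))
	h.Write(pub)
	return hex.EncodeToString(h.Sum(nil))
}

// SignNS is the zone owner's side: sign the NS RRset with the private half
// of the key that the DS on file points to. Ed25519 stands in here for
// whatever DNSSEC algorithm the zone actually uses.
func SignNS(priv ed25519.PrivateKey, rr NSRRset) []byte {
	return ed25519.Sign(priv, canonical(rr))
}

// RegistryAccept is the registry's side of the proposed check. A change
// submitted by the registrar is accepted only if the key presented is the
// one the DS on file commits to, and the signature verifies over exactly
// the RRset being submitted. A registrar typo, a stale signature passed
// along with new content, or a signature under someone else's key all fail.
func RegistryAccept(dsOnFile string, pub ed25519.PublicKey, rr NSRRset, sig []byte) bool {
	if dsDigest(rr.Owner, pub) != dsOnFile {
		return false // not the key the owner registered
	}
	return ed25519.Verify(pub, canonical(rr), sig)
}

func main() {
	// Constructed scenario: example.com runs its own signed name servers.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ds := dsDigest("example.com.", pub)
	current := NSRRset{Owner: "example.com.", Targets: []string{"ns1.example.com.", "ns2.example.com."}}
	sig := SignNS(priv, current)

	// Owner-authorised change, submitted by the registrar with a fresh signature.
	wanted := NSRRset{Owner: "example.com.", Targets: []string{"ns2.example.com.", "ns3.example.com."}}
	fmt.Println("owner-signed change accepted:", RegistryAccept(ds, pub, wanted, SignNS(priv, wanted)))

	// Registrar error: one target mistyped, the old signature passed along unchanged.
	typo := NSRRset{Owner: "example.com.", Targets: []string{"ns1.examp1e.com.", "ns2.example.com."}}
	fmt.Println("registrar error accepted:", RegistryAccept(ds, pub, typo, sig))

	// Someone else signs the change with their own key: the DS on file does not match.
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("foreign key accepted:", RegistryAccept(ds, otherPub, typo, SignNS(otherPriv, typo)))
}
```

Because canonical() normalizes case and sorts the targets, a registrar that merely re-orders or re-cases the NS records the owner signed still passes; only a change to the actual delegation content, or a change the owner did not sign, is rejected.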
