[dnssec-deployment] Fwd: [IP] Good Always Comes Out of Bad
Paul Wouters
paul at xelerance.com
Mon Jun 30 11:25:39 EDT 2008
On Mon, 30 Jun 2008, Paul Vixie wrote:
> joao's solution to the similar problem we had in DLV may be instructive. when
> a DLV RRset is submitted to ISC's DLV registry, the registrant is given a TXT
> RR to add to the zone in question, which must be signed with a key that's
> referred to by one of the DLV RRs. we check from several IP sources at
> random intervals over a 24 hour period to effectively rule out the possibility
> of time-predictive spoofing, though as we know, we're not completely
> disproving that possibility at a theoretical level.
But you do this only because you have no strong authentication to anyone you
are talking to, unlike the registry/registrar/domain holder model, where they
do have that and can leverage that.
> since none of us want DLV to be better than real DNSSEC, perhaps some
> variation of this key validation scheme could be adapted by the registrar /
> registry community. note that it would have to be first codified in an RFC,
> which means a lot of debate and delay and terrible gnashing of teeth; and then
> it would have to be amended into ICANN's contracts with registry operators,
> which means more debate and delay and so on. but it could be done.
But this does not address a new problem?
- If the Registrar or their customer accounts are hacked, nothing can save us.
- If the Registrar offers a GUI for DS on top of their GUI for NS records,
then there is no need for any additional authentication or anti-spoof
methods.
Paul
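The DLV registration check Vixie describes above (a registry-issued TXT record that the registrant must publish signed by a key one of the submitted DLV RRs refers to, observed from several sources over a day) can be modelled as a small verifier. The code below is an added illustration, not from this thread or from ISC's DLV registry software. It simplifies freely: Ed25519 stands in for the DNSKEY algorithm, a hex SHA-256 over the key bytes stands in for the DS-style digest in the DLV record, the signed-data encoding and the policy numbers (three vantage points, a 24-hour window) are assumptions, and the IP addresses and challenge token are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// DLVRecord is a simplified submitted DLV RR: it refers to a DNSKEY by a
// digest of the key material (key tag, algorithm and digest-type fields of
// real DLV/DS records are left out in this illustration).
type DLVRecord struct {
	Zone   string
	Digest string // hex SHA-256 over the public key bytes (assumed convention)
}

// SignedTXT is the registry-issued TXT record as published by the registrant,
// plus the key and signature standing in for the zone's DNSKEY and RRSIG.
type SignedTXT struct {
	Zone, Text string
	Key        ed25519.PublicKey
	Sig        []byte
}

// Observation is one fetch of the TXT record from one vantage point.
type Observation struct {
	Source string // resolver or IP the registry checked from (constructed)
	At     time.Time
	Record SignedTXT
}

// Policy encodes the "several IP sources over a 24 hour period" rule;
// the values used below are assumptions, not ISC's actual parameters.
type Policy struct {
	MinSources int
	MinSpan    time.Duration
}

func keyDigest(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// signedData binds the signature to both zone name and TXT content, so a
// signature produced for one zone cannot be replayed for another.
func signedData(zone, text string) []byte { return []byte(zone + "\x00" + text) }

// Sign is the registrant side: publish the challenge signed with the zone key.
func Sign(zone, text string, priv ed25519.PrivateKey) SignedTXT {
	return SignedTXT{Zone: zone, Text: text, Key: priv.Public().(ed25519.PublicKey),
		Sig: ed25519.Sign(priv, signedData(zone, text))}
}

// VerifyControl is the registry side: every observation must carry the
// issued challenge text, signed by a key that a submitted DLV record refers
// to, and the observations must span enough sources and enough time.
func VerifyControl(submitted []DLVRecord, challenge string, obs []Observation, p Policy) error {
	if len(obs) == 0 {
		return errors.New("no observations")
	}
	referenced := map[string]bool{}
	for _, d := range submitted {
		referenced[d.Zone+"/"+d.Digest] = true
	}
	sources := map[string]bool{}
	first, last := obs[0].At, obs[0].At
	for _, o := range obs {
		r := o.Record
		if r.Text != challenge {
			return errors.New("TXT content does not match issued challenge")
		}
		if !referenced[r.Zone+"/"+keyDigest(r.Key)] {
			return errors.New("signing key is not referred to by any submitted DLV record")
		}
		if !ed25519.Verify(r.Key, signedData(r.Zone, r.Text), r.Sig) {
			return errors.New("bad signature over TXT record")
		}
		sources[o.Source] = true
		if o.At.Before(first) {
			first = o.At
		}
		if o.At.After(last) {
			last = o.At
		}
	}
	if len(sources) < p.MinSources {
		return errors.New("too few distinct vantage points")
	}
	if last.Sub(first) < p.MinSpan {
		return errors.New("observation window too short")
	}
	return nil
}

// Demo runs the happy path and two failure cases on constructed data and
// returns (happyOK, wrongKeyRejected, tooFewSourcesRejected).
func Demo() (bool, bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // key no DLV record refers to
	zone, challenge := "example.test.", "dlv-challenge-CONSTRUCTED-TOKEN"
	dlv := []DLVRecord{{Zone: zone, Digest: keyDigest(pub)}}
	policy := Policy{MinSources: 3, MinSpan: 24 * time.Hour}
	t0 := time.Date(2008, 6, 30, 12, 0, 0, 0, time.UTC)
	ob := func(src string, at time.Time, r SignedTXT) Observation { return Observation{src, at, r} }

	good, forged := Sign(zone, challenge, priv), Sign(zone, challenge, otherPriv)
	happy := VerifyControl(dlv, challenge, []Observation{
		ob("192.0.2.10", t0, good), ob("198.51.100.7", t0.Add(9*time.Hour), good),
		ob("203.0.113.42", t0.Add(25*time.Hour), good)}, policy) == nil
	wrongKey := VerifyControl(dlv, challenge, []Observation{
		ob("192.0.2.10", t0, forged), ob("198.51.100.7", t0.Add(9*time.Hour), forged),
		ob("203.0.113.42", t0.Add(25*time.Hour), forged)}, policy) != nil
	fewSources := VerifyControl(dlv, challenge, []Observation{
		ob("192.0.2.10", t0, good), ob("192.0.2.10", t0.Add(25*time.Hour), good)}, policy) != nil
	return happy, wrongKey, fewSources
}

func main() {
	fmt.Println(Demo())
}
```

The multi-source, multi-hour sampling only raises the cost of spoofing the answers the registry sees; as Vixie notes, it does not rule it out, which is why the signature check against a key named in the submitted DLV set is the part that actually ties the TXT record to the zone's key material.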