[Dnssec-deployment] Root Zone DNSSEC Deployment Technical Status Update

Ondřej Surý ondrej.sury at nic.cz
Mon Jul 19 08:02:57 EDT 2010

Hi Anand,

On 19.7.2010 12:03, Anand Kumria wrote:
> Hi Bill,
> On Mon, Jul 19, 2010 at 5:43 AM,<bmanning at vacation.karoshi.com>  wrote:
>> On Sun, Jul 18, 2010 at 06:18:56PM -0400, Paul Wouters wrote:
>>> On Sun, 18 Jul 2010, Tony Finch wrote:
>>>>> indeed.  and let's give credit where due -- because there are still no
>>>>> external applications that add value in the face of this metadata, the
>>>>> biggest reason we finally have a signed root and growing cadre of signed
>>>>> tld's and sld's is because of... dan kaminsky's bug.
>>>> Yes, but "no apps that add value" is an exaggeration - ssh is one
>>>> counterexample.
>>> And the current thinking/revival of moving SSL certs out of the (broken)
>>> CA infrastructure and into the DNSSEC infrastructure. Another example
>>> could be the browsers querying for the existence of an "SSL" cert in DNS, and
>>> automatically starting out using https instead of http. (I wonder if that
>>> could be done with a new edns option or additional data to reduce this to
>>> one query)
>>         that's a horrific idea.  application level certs in the DNS
>>         is right up there with HINFO ... with one minor (critical) error
>>         that was not present for HINFO.  There is zero plausible deniability
>>         for a node running an app.
> You mean, like having a SRV record indicating where a protocol is best used?
> Or an MX record indicating the best mail servers for a domain?
> Could you elaborate some more.
>>         last I checked Trust was NOT transitive.  Trust in the DNS hierarchy
>>         does not equate to trust in the sysadmin of a node.  Your example
>>         above presumes that such will be the case.  What am I missing here?
> You are missing that for some sites, trust is transitive. And that,
> really, DNSSEC + CERT records (with a signed DNS root) is a good way
> to validate self-signed certificates.

I had a presentation on this topic at the .SE/AFNIC R&D workshop in 
Stockholm last month.  And we are also proponents of this technology 
(see my TLSFP RRTYPE proposal) and I am also in contact with Simon 
Josefsson (the author of the CERT RRTYPE RFC).

The greatest concern about chaining DNSSEC->TLS is that by doing that 
you are changing the semantics of the certificate a little bit.  You go 
from "proof of identity" to "secure the channel".  But we see that this 
has already happened with domain-validated certificates - i.e. if you can 
break into the DNS, you can also change the MX records and then it's a 
piece of cake to convince the certification authority to issue its 
domain-validated certificate.

So there is a movement for DNSSEC-validated certs, but it needs some 
work before it's put into place.  The IETF seems to be the best place to do 
that - either in dnsext or in a new WG (I know Jay Daley has asked for one).

  Ondřej Surý
  vedoucí výzkumu/Head of R&D department
  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
  Americka 23, 120 00 Praha 2, Czech Republic
  mailto:ondrej.sury at nic.cz    http://nic.cz/
  tel:+420.222745110       fax:+420.222745112
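The check the thread is debating, as an added example that is not code from the thread, from CZ.NIC or from the TLSFP/CERT proposals: a client hashes the server's certificate and compares it with a fingerprint fetched from DNS, but accepts the DNS answer only if the resolver reports DNSSEC validation (the AD bit). The RRTYPE number (65280, from the private-use range), the RDATA layout (one hash-algorithm byte followed by the digest), the certificate bytes and the DNS responses are all constructed here for illustration and are not the wire format of TLSFP or of the CERT record.

```python
"""
Added example: validate a (self-signed) TLS certificate against a fingerprint
published in DNS, trusting the record only when it arrived through a
DNSSEC-validated chain (AD bit set by a validating resolver, RFC 4035).
Record type, RDATA layout, certificate bytes and responses are constructed
for illustration; they are not the TLSFP or CERT formats.
"""
import hashlib
import struct

FP_RRTYPE = 65280     # assumed private-use RRTYPE number for this illustration
HASH_SHA256 = 1       # assumed RDATA: 1 byte hash algorithm, then the digest
AD_FLAG = 0x0020      # Authenticated Data bit in the DNS header flags


def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(name, rrtype, rdata, ad):
    """Build a one-question, one-answer DNS response (constructed test input)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)          # QR, RD, RA, optionally AD
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", rrtype, 1)
    answer = encode_name(name) + struct.pack("!HHIH", rrtype, 1, 3600, len(rdata)) + rdata
    return header + question + answer


def parse_name(msg, off):
    """Parse a wire-format name at offset; follows compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                          # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Return (ad_bit_set, [(name, rrtype, rdata), ...]) for the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = parse_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rrtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rrtype, msg[off:off + rdlen]))
        off += rdlen
    return bool(flags & AD_FLAG), answers


def verify_cert_via_dns(cert_der, response, expected_name):
    """
    Accept the certificate only if (a) the resolver set AD, so the record came
    through a validated DNSSEC chain, and (b) a fingerprint record for the
    expected name matches SHA-256 of the certificate.  Without (a) the answer
    is worth no more than unsigned DNS and must be rejected even on a match.
    """
    ad, answers = parse_response(response)
    if not ad:
        return False, "response not DNSSEC-validated (AD bit clear)"
    digest = hashlib.sha256(cert_der).digest()
    for name, rrtype, rdata in answers:
        if name != expected_name or rrtype != FP_RRTYPE or len(rdata) < 2:
            continue
        if rdata[0] == HASH_SHA256 and rdata[1:] == digest:
            return True, "fingerprint matches validated DNS record"
    return False, "no matching fingerprint record"


# Constructed stand-in for a self-signed certificate's DER bytes (not a real cert).
CERT_DER = b"\x30\x82\x01\x00" + b"example self-signed certificate body"
NAME = "www.example.cz."
GOOD_RDATA = bytes([HASH_SHA256]) + hashlib.sha256(CERT_DER).digest()

if __name__ == "__main__":
    for ad in (True, False):
        ok, why = verify_cert_via_dns(CERT_DER, build_response(NAME, FP_RRTYPE, GOOD_RDATA, ad), NAME)
        print(f"AD={ad}: accepted={ok} ({why})")
```

The AD bit only means something if the client can trust the resolver that set it: a flag in a plaintext UDP reply from a remote recursive server can be forged by anyone who can spoof that server, so the check above assumes a validating resolver on the host itself (or a protected path to it). Without that, chaining TLS to DNSSEC collapses back to the unsigned-DNS case the thread is trying to escape.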
