ah come on Jim... folks should sign their zones as soon
as they see fit, regardless of parental buy in.  so the
one true root or even .net being signed doesn't really matter
if the root-servers.net zone gets signed tomorrow.

how useful it will be, who knows... not sure how the value
proposition works for any given second or third level delegation
being signed.

--bill



On Sun, Mar 07, 2010 at 10:20:17AM +0000, Jim Reid wrote:
> On 7 Mar 2010, at 08:06, George Barwood wrote:
> 
> >If root-servers.net is unsigned, it's not possible for the resolver  
> >to validate
> >the set of root IP addresses
> 
> So what? If the served zones are signed, it simply doesn't matter if  
> the address of a name server is spoofed or hijacked. The Bad Guy won't  
> have the private keys, so will be unable to return answers which  
> validate. In the context of a referral from the root, what matters is  
> the signature over the TLD's RRset (and its KSKs), not the IP address  
> of the root server or any signature that might or might not exist over  
> its name.
> 
> >(a) An attacker can control every unsigned zone.
> >
> >(b) An attacker can monitor every request to a signed zone ( no  
> >privacy ).
> >
> >(c) An attacker can deny service to any zone, on a selective basis.
> 
> It's not clear what point you're making or what your concerns are.  
> None of these things listed above are remotely relevant. Apart from  
> (a) which is hardly news: zones can be spoofed if they're not signed.  
> [What next? Can we expect revelations about what bears do in the  
> woods?] Privacy -- whatever that might mean -- has never been a design  
> goal of DNS. Or Secure DNS for that matter. An eavesdropper can  
> monitor *any* DNS request (signed or not) if they're close enough to  
> the client or server. DoS attacks can and are mounted on any zone,  
> whether or not they're signed. Meanwhile, in other news, water is  
> discovered to be wet and fire is proven to be hot.
> 
> >Apparently there are currently no plans to sign root-servers.net
> 
> There's no point doing that IMO until .net is signed and there's a  
> single chain of trust from root-servers.net to the One True Trust  
> Anchor, the signed root. If the zone was to be self-signed, that would  
> mean yet another TA would need to be embedded and maintained in  
> validator configurations. Which creates more failure modes and scope  
> for errors. And since validating the answers for root-servers.net will  
> rarely if ever matter, adding that TA would be a lot of risk for  
> almost no reward.
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
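The two arguments in Jim's quoted reply (a spoofed name-server address is harmless once the served zone validates, and a signed root-servers.net is only useful to a validator if .net is signed or a second trust anchor is configured) can be made concrete with a small validator model. This is an added example, not code from the thread or from any DNS implementation: it models DS records as SHA-256 digests of the child's key, but substitutes an HMAC for the public-key RRSIG so it runs on the Python standard library alone (the attacker model is unchanged, since whoever lacks the zone's signing key cannot produce a signature that verifies). Zone names, the `validate` function and the addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added example (not from the thread): a miniature DNSSEC chain-of-trust model.
# Real RRSIGs are public-key signatures; an HMAC stands in here so the example
# needs only the standard library. The threat model is the same: an answer only
# validates if it was signed with the zone's key, which the attacker lacks.


def keygen():
    return secrets.token_bytes(32)


def ds_digest(dnskey):
    """DS rdata: a hash of the child's DNSKEY, published and signed in the parent."""
    return hashlib.sha256(dnskey).hexdigest()


def sign(key, owner, rrtype, rdata):
    """Stand-in RRSIG over one record (owner, type, rdata)."""
    msg = f"{owner}|{rrtype}|{rdata}".encode()
    return hmac.new(key, msg, "sha256").hexdigest()


def verify(key, owner, rrtype, rdata, sig):
    return sig is not None and hmac.compare_digest(sign(key, owner, rrtype, rdata), sig)


class Zone:
    def __init__(self, name, signed):
        self.name = name
        self.key = keygen() if signed else None   # DNSKEY; None for an unsigned zone
        self.rrs = {}                             # (owner, type) -> (rdata, rrsig)

    def add(self, owner, rrtype, rdata):
        sig = sign(self.key, owner, rrtype, rdata) if self.key else None
        self.rrs[(owner, rrtype)] = (rdata, sig)

    def delegate(self, child):
        """Parent publishes a DS for the child's key (only possible if the child is signed)."""
        if child.key is not None:
            self.add(child.name, "DS", ds_digest(child.key))


def parent_of(name):
    return name.partition(".")[2] if "." in name else ""   # "" is the root


def validate(zones, anchors, zone_name, owner, rrtype, rdata, sig):
    """Classify an answer attributed to zone_name as 'secure', 'bogus' or 'insecure'.
    anchors: {zone_name: DNSKEY} configured in the validator as trust anchors."""
    key = anchors.get(zone_name)
    if key is None:
        served_key = zones[zone_name].key        # DNSKEY as fetched from the zone
        if served_key is None:
            return "insecure"                    # zone is not signed at all
        parent = parent_of(zone_name)
        ds = zones[parent].rrs.get((zone_name, "DS"))
        if ds is None:
            return "insecure"                    # no DS in the parent: chain is broken
        ds_rdata, ds_sig = ds
        status = validate(zones, anchors, parent, zone_name, "DS", ds_rdata, ds_sig)
        if status != "secure":
            return status                        # the parent side of the chain decides
        if ds_digest(served_key) != ds_rdata:
            return "bogus"                       # served DNSKEY does not match the signed DS
        key = served_key
    return "secure" if verify(key, owner, rrtype, rdata, sig) else "bogus"


def build(net_signed):
    """Constructed zones: signed root, .net (signed or not), signed root-servers.net."""
    root = Zone("", signed=True)
    net = Zone("net", signed=net_signed)
    rs = Zone("root-servers.net", signed=True)
    root.delegate(net)
    net.delegate(rs)
    rs.add("a.root-servers.net", "A", "192.0.2.4")   # constructed TEST-NET address
    return {"": root, "net": net, "root-servers.net": rs}


def scenario(net_signed, extra_anchor=False):
    """Return (status of the genuine answer, status of a spoofed answer)."""
    zones = build(net_signed)
    anchors = {"": zones[""].key}                    # the One True Trust Anchor
    if extra_anchor:                                 # a second, self-signed TA for root-servers.net
        anchors["root-servers.net"] = zones["root-servers.net"].key
    owner = "a.root-servers.net"
    rdata, sig = zones["root-servers.net"].rrs[(owner, "A")]
    genuine = validate(zones, anchors, "root-servers.net", owner, "A", rdata, sig)
    # The spoofer redirects the name but has no zone key, so signs with one of its own.
    forged = sign(keygen(), owner, "A", "198.51.100.9")
    spoofed = validate(zones, anchors, "root-servers.net", owner, "A", "198.51.100.9", forged)
    return genuine, spoofed


if __name__ == "__main__":
    print("net signed:            ", scenario(True))
    print("net unsigned:          ", scenario(False))
    print("net unsigned, extra TA:", scenario(False, extra_anchor=True))
```

With .net signed the genuine answer is `secure` and the spoofed one `bogus`, whatever address the attacker serves. With .net unsigned, signing root-servers.net yields `insecure` for both answers, since the validator has no path from its root anchor to the zone's key; only adding the second trust anchor Jim objects to turns the results back into `secure`/`bogus`.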