----- Original Message ----- 
From: "Wolfgang Nagele" <[email protected]>
To: "George Barwood" <[email protected]>
Cc: "Mark Andrews" <[email protected]>; <[email protected]>
Sent: Friday, July 02, 2010 8:13 AM
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-auto-cpsync-00


>> This implies extra infrastructure to generate and securely transmit <secret>
>> between the parent and child, and administrative activity to set this up somehow.
>>
>> The publication method does not imply any administrative action other than
>> updating the DNS software and activating the DNSSEC feature.
> Maybe I am missing something here, but with the publication method you also
> have the bootstrap that has to happen out-of-band. Meaning I as a child will always
> have to provide my parent in a secure way (which is not established by then)
> with my initial (C)DS record. Why not use that step to perform above mentioned
> exchange?

There doesn't have to be any secure initial exchange.

Looking at the process from the domain owner point of view, DNSSEC is enabled.
The signing software produces the CDS record.
He checks the DS record in the parent, and is now assured that all is well,
the zone is secure, and will be secure from this point.

The situation is not so good from the consumer point of view though.
The consumer has to assume that the domain owner has followed the above steps.
So there is a trade off between getting as many domains signed as possible with
minimal administrative overhead, and an assurance that signed domains really
have been signed by the domain owner (rather than say an attacker who has
inserted the DS in the parent zone by attacking the insecure initial transfer).

That's why I say in the draft 

"If the authentication succeeds, or yields Insecure, extra security checks MAY be performed."

I think the standard should allow parent zones to make the above trade-off as
they see fit.

My inclination is to push the responsibility onto the domain owner. It's an
incentive to actually deploy DNSSEC. The consumer is always in a weak position,
in that he can never be sure whether the domain owner is operating securely,
so this assumption is unavoidable.

I would hope that at some point in the future, it will be implicit that any
large/trusted company will have created and verified its DS RRset.

Regards,
George

> Regards,
> Wolfgang
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
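
The owner-side check described in the message above (comparing the DS at the parent against the zone's own keys), as an added example that is not part of the original message or of the draft. It derives the DS (digest type 2, SHA-256) from each DNSKEY as RFC 4034 specifies and rejects a parent DS set containing any record not derived from the owner's keys; the owner name, both keys and all function names are constructed or hypothetical.

```python
import base64, hashlib, struct

# Constructed sample data (not real keys): an owner name and two fake
# 64-byte "public keys" as (flags, protocol, algorithm, base64 key).
OWNER = "example.com."
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
ROGUE_KEY = (257, 3, 13, base64.b64encode(bytes(64)).decode())

def name_to_wire(name):
    """Canonical (lower-cased) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """DS fields (key tag, algorithm, digest type 2, SHA-256 hex) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def parent_ds_matches(owner, dnskeys, parent_ds):
    """True only if the parent publishes at least one DS and every DS it
    publishes derives from one of the owner's own DNSKEYs."""
    expected = {make_ds(owner, *key) for key in dnskeys}
    seen = {(t, a, d, h.lower().replace(" ", "")) for t, a, d, h in parent_ds}
    return bool(seen) and seen <= expected

if __name__ == "__main__":
    good = make_ds(OWNER, *SAMPLE_KEY)
    print("parent DS as expected:", parent_ds_matches(OWNER, [SAMPLE_KEY], [good]))
    injected = make_ds(OWNER, *ROGUE_KEY)  # DS the owner never generated
    print("with unknown DS added:", parent_ds_matches(OWNER, [SAMPLE_KEY], [good, injected]))
```

Only digest type 2 is handled, so a legitimate DS published with another digest type would be reported as a mismatch and needs a manual look.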
