DNSSEC indeed violates the end-to-end principle.  It's simply that simple.
And it asks us to put our trust in the root a.k.a. ICANN.  I don't think
governments worldwide are going to put their trust and faith in ICANN.  The
U.S. Government is the only government that has been bamboozled into
adopting DNSSEC into .gov infrastructure.

I wonder how President Obama would feel about handing over the keys to U.S.
Government infrastructure to a U.S. contractor.  I'd have trouble sleeping
at night if that was the case.

I've addressed this at length in my comments to the NTIA.

http://www.ntia.doc.gov/DNS/comments/comment034.pdf

If the U.S. government wants DNSSEC today then it must nationalize the
roots.  I don't even trust Vixie with the root.  I remember when he hijacked
the root with Postel.  Or as they put it "we were only running an
experiment".

In any case the new infrastructure campaign demands U.S. government roots be
set up to exclusively serve U.S. network infrastructure.

regards
joe baptista

p.s. If you want to secure the DNS end-to-end - think DNSCurve - not DNSSEC.

http://dnscurve.org/


On Sat, May 30, 2009 at 7:27 PM, Masataka Ohta <
mo...@necom830.hpcl.titech.ac.jp> wrote:

> Francis Dupont wrote:
>
> > => not only this is very arguable (for instance about the resource
> > exhaustion) but no hop-by-hop/channel security, even something as
> > strong as TSIG, can provide what we need, i.e., end-to-end/object
> > security (*).
>
> Unless your meaning of end-to-end differs from that of David Clark,
> the following argument of his paper is applicable to DNSSEC.
>
>        http://portal.acm.org/citation.cfm?doid=383034.383037
>        Rethinking the design of the Internet:
>        The end to end arguments vs. the brave new world
>
>        The certificate is an assertion by that (presumably
>        trustworthy) third party that the indicated public key
>        actually goes with the particular user.
>
>        These certificates are principal components of essentially
>        all public key schemes,
>
> That is, security of DNSSEC involves third parties and is not end
> to end.
>
> > PS (*): I use the common meaning of end-to-end, not Masataka Ohta's one.
>
> I'm afraid you don't know who David Clark is and how he is related
> to the end to end argument.
>
> However, all the people who are qualified to discuss end to end do
> know him and his argument.
>
>                                                        Masataka Ohta
>
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf
>



-- 
Joe Baptista

www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
 Office: +1 (360) 526-6077 (extension 052)
    Fax: +1 (509) 479-0084

Personal: www.joebaptista.wordpress.com
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf