Re: [EURO-Discuss] ALAC-WG on DNSSEC
On Mon, Sep 01, 2008 at 03:24:25PM +0200, JFC Morfin wrote:
I blame no one. I just infer from your semantics (and side echoes from the ccNSO) that the actual purpose is not technical validation but production, while production implies much more than technical validation.
I would like to use the existing testbed for a two-week production-grade test over the Cairo meeting. Consider it a testbed, too. This does not mean that all root servers out there have to be signed in those days, but the recursive servers at the meeting do the validation with the testbed servers.
DNSSEC is one of the current activities of ICANN and therefore a current matter for ALAC. One might ask if DNSSEC is too urgent for At-Large, the ALSes, and the users out there. Because At-Large should guide the process, the ALSes should think about this subject. That's why I would like to have a track at the summit.
This is correct. However, my question is for the ALAC (on behalf of the users) to decide first that DNSSEC / EDNS0 and NSEC3 are the way to go, technically, strategically and politically.
Yes, that should be discussed.
The role of an advisory committee is to do just that, not to copy others' positions. In the process ALAC should also come up with additional DNSSEC deployment advice about the user side and global consistency.
Ack.
For example, I raised the question at the IETF/WG-IDNABIS of the DNSSEC + IDN + IDN ccTLD datagram size. When you consider the real status of the Internet (http://www.caida.org/workshops/wide/0801/slides/castro-ditl_comparison.pdf) you see that the EDNS0 proportion is decreasing.
The reason might be simple: DNS servers do not use EDNS0 by default anymore, only when needed. And they turn off EDNS0 per server if any error occurred. I would not claim that EDNS0 support has decreased.
Of course. Unbound is sponsored by Verisign and the code was written by the big, bad, and ugly NSA agents. ... Sorry, please let us keep to safe ground.
If this is your position I leave it to you. If it is supposed to be a joke at my expense, I am afraid you are totally off target :-)
I forgot to add an irony ASCII-art, sorry.
That's why the introduction of DNSSEC is much easier than any IPv6 rollout.
As EURALO we have no Chinese users online. It would be interesting to hear from them. Or from Comcast.
Why do you look far away? Why do you not accept experience from others? What do you expect? http://www.ipv6council.de/events/german_ipv6_summit/programme.html http://www.guug.de/veranstaltungen/ecai6-2007/abstracts.html
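The EDNS0 mechanics discussed above (the OPT record that advertises a larger UDP buffer and carries the DNSSEC OK bit, and the per-server fallback a resolver applies when a server answers an EDNS0 query with an error) as an added example written for this page; it is not code from either correspondent. Every message is constructed inside the file: the server addresses 192.0.2.x, the 4096-byte buffer size, the IDN A-label in the test query and the stand-in response builder are assumptions for the demonstration, not captured traffic.

```python
"""EDNS0 signalling (RFC 6891) and resolver fallback, as an offline demonstration.

Everything here is constructed for the example: queries, the stand-in server
replies and the server addresses are not taken from real traffic.
"""
import struct
from typing import Optional

OPT_TYPE = 41          # pseudo-RR type for EDNS0
RCODE_FORMERR = 1      # what pre-EDNS0 servers typically answer to an OPT RR
DO_BIT = 0x8000        # DNSSEC OK flag in the high half of the OPT "TTL" field


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in the root label.
    IDN labels must already be A-labels (xn--...), i.e. plain ASCII here."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                udp_size: Optional[int] = None, do: bool = False) -> bytes:
    """Query with RD set; if udp_size is given, append an OPT RR advertising
    that UDP payload size and, with do=True, the DNSSEC OK bit (RFC 3225)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    if udp_size is None:
        return header + question                    # classic 512-byte DNS
    # OPT RR: root owner (one zero byte), TYPE 41, CLASS = payload size,
    # TTL = ext-rcode | version | DO | Z, RDLENGTH 0 (no options).
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_BIT if do else 0, 0)
    return header + question + opt


def parse_edns(msg: bytes):
    """(udp_size, do) from the OPT RR of a message, or None if it has no EDNS0."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_BIT)
        off += 10 + rdlen
    return None


def rcode(msg: bytes) -> int:
    """Low four bits of the flags word."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def fake_response(query: bytes, formerr: bool, echo_opt: bool) -> bytes:
    """Constructed server reply: copies the question, sets QR/RD/RA, and either
    answers FORMERR (a legacy server choking on OPT) or echoes an OPT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (RCODE_FORMERR if formerr else 0)
    question = query[12:skip_name(query, 12) + 4]
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, 0) if echo_opt else b""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if echo_opt else 0)
    return header + question + opt


class EdnsFallback:
    """Resolver-side bookkeeping: a server that answers FORMERR, or drops the
    OPT RR, is remembered and queried without EDNS0 (so without DO) afterwards."""

    def __init__(self):
        self.no_edns = set()

    def query_for(self, server: str, qname: str, udp_size: int = 4096) -> bytes:
        if server in self.no_edns:
            return build_query(qname)               # fall back to plain DNS
        return build_query(qname, udp_size=udp_size, do=True)

    def observe(self, server: str, response: bytes) -> None:
        if rcode(response) == RCODE_FORMERR or parse_edns(response) is None:
            self.no_edns.add(server)
```

The fallback is the behaviour the reply describes: once a server is marked, every later query to it goes out without the OPT record, so it also loses the DO bit and the larger buffer, and DNSSEC data from that server is no longer requested even though the server may have been briefly misbehaving rather than EDNS0-incapable.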
Dear European @larges,

During the past days we had a few exchanges over the DNSSEC issue as seen from an @large Internet lead-user point of view and what should then be reported to the BoD. I do not think this ccNSO document is perfect for us, but it could be a good DNSSEC-oriented basis for an @large debate, as it is not that far from our preoccupations. http://ccnso.icann.org/workinggroups/ccnso-iana-wg-dnssec-paper-04feb08.pdf

An @large debate should first:

1. Understand the problem from a user point of view, i.e.
(1) get a complete picture of the DNS vulnerability as it is evaluated today, and of the areas of increasing risk;
(2) be sure the IP address obtained from a DNS resolution is correct. This can be done in three manners:
- making sure that the data we receive are the authoritative data
- making sure that the data we receive come from the authority
- making sure no one can tamper with them.
There is no 100% secure solution today, mostly because the DNS as a system was not designed to be attacked, and not to be attacked by computers having the processing capacity we have today and will have in the future;
(3) know what to do if the IP address is not declared secure. So far no work has been carried out in that direction.

2. Evaluate the advantages and the limits of each manner and decide if the principles of their constraints are acceptable from a usage point of view. The most difficult issue in this kind of accuracy computation is the basis considered. What may lead to a very great technical local accuracy may also lead to a very great practical global inaccuracy. Technicians are interested in the best technical local accuracy. This is the case with DNSSEC. Politicians are interested in the best precision control (signing the root can give them that). Users are interested in the best practical global accuracy (practical including their own practice of the proposed solution).

3. Today there are three main propositions.
- IETF DNSSEC, which signs the data and is extremely complex. The DNS and the world become centralized by the IANA.
- DJB's DNSCurve, which signs the nameserver access and which is very simple. The DNS is much more secure.
- The emerging Internet Plus france@large proposition, which includes the suggestion to organise one's DNS system around one's own local root obtained from one's trusted referential system. There is no other change than full possible support of the virtual root, quicker service, and a better fit to Web 2.0 behavior.

4. Each of them may need refining.
- Neither the IETF's nor DJB's proposition documents how users/applications should react to a non-positive. Internet Plus does not have this problem since it considers an "as-is Internet".
- There is no technical objection to using two solutions, or even all three, at the same time.
- DNSSEC is a traffic amplifier, depends on two unique parameters (root hierarchy and root time), has a single point of global failure and (even with the added cost NSEC3 imposes on the attacker) permits obtaining an AXFR of every zone.
- The impact of IPv6 and IDNA has not been tested.

5. There should be some ALAC liaison with SSAC, ccTLDs (the ccNSO only represents a fragment of them) and GNSO constituencies over the general DNS vulnerability issues.

jfc
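The "AXFR of every zone" remark in point 4 refers to NSEC chain walking, and the "added cost" of NSEC3 to the fact that NSEC3 publishes hashed owner names instead of the names themselves. Both are shown below as an added example written for this page, not code from the message's author or from any DNSSEC implementation. Everything in it is constructed: the zone names, the stand-in authoritative server, the wordlist, and the salt/iteration count (aabbccdd and 12, the parameters of the RFC 5155 Appendix A example zone) are assumptions for the demonstration; nothing is queried on the network.

```python
"""NSEC zone walking and the NSEC3 cost, as an offline demonstration.

Constructed example: the zone, its NSEC chain and the "server" are all built
in this file; nothing is queried on the network.
"""
import hashlib

APEX = "example.test."

# Constructed zone contents (not a real zone). A DNSSEC-signed zone using NSEC
# (RFC 4034) publishes one NSEC per name pointing to the next name in
# canonical order; the last one wraps back to the apex.
ZONE_NAMES = [
    "example.test.",
    "alpha.example.test.",
    "beta.example.test.",
    "mail.example.test.",
    "www.example.test.",
]


def canonical_key(name: str):
    """RFC 4034 section 6.1 ordering: labels compared right to left, case-insensitively."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("latin-1") for label in reversed(labels))


def build_nsec_chain(names):
    """{owner: next_owner} for a zone, i.e. what its NSEC records encode."""
    ordered = sorted(names, key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}


NSEC_CHAIN = build_nsec_chain(ZONE_NAMES)


def authoritative_nsec(qname: str):
    """Stand-in for an authoritative server: the NSEC that proves qname's status.

    An NXDOMAIN answer carries the NSEC whose (owner, next) interval covers
    qname; a query for an existing name's NSEC type returns its own record.
    """
    q = canonical_key(qname)
    for owner, nxt in NSEC_CHAIN.items():
        o, n = canonical_key(owner), canonical_key(nxt)
        if o == q or o < q < n:
            return owner, nxt
        if n <= o and (q > o or q < n):      # last record wraps around to the apex
            return owner, nxt
    raise LookupError(qname)


def walk_nsec(apex: str, lookup=authoritative_nsec):
    """Enumerate every name in the zone by following the NSEC chain.

    Probing "\\000.<current>" asks for a name that sorts immediately after the
    current owner, so the covering NSEC in the denial reveals the next real
    name. Repeating until the chain wraps yields the whole zone.
    """
    names, current = [apex], apex
    while True:
        _owner, nxt = lookup("\x00." + current)
        if nxt == apex or nxt in names:
            return names
        names.append(nxt)
        current = nxt


def to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("latin-1")
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the extended hex alphabet (RFC 4648 section 7); 20 bytes -> 32 chars."""
    alphabet = "0123456789abcdefghijklmnopqrstuv"
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(alphabet[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(x || salt), re-applied `iterations` more times."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def crack_nsec3(hashes, zone: str, salt: bytes, iterations: int, wordlist):
    """Offline dictionary attack on hashed owners collected by walking an NSEC3 chain.

    NSEC3 makes the attacker pay one hash chain per guess instead of reading
    names in the clear, but the chain is still public, so common labels are
    recovered quickly. Returns {hash: recovered_name}.
    """
    targets, found = set(hashes), {}
    for label in wordlist:
        candidate = f"{label}.{zone}" if label else zone
        h = nsec3_hash(candidate, salt, iterations)
        if h in targets:
            found[h] = candidate
    return found
```

Walking collects the chain with one query per name and no zone-transfer permission, which is why the outcome is compared to an AXFR. With NSEC3 the same walk yields hashes rather than names; `crack_nsec3` shows that the salt and iteration count only set the price of guessing, since a small wordlist already recovers every constructed label here.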
Participants (2): JFC Morfin, Lutz Donnerhacke