This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC trust anchors for unsigned zones
- Previous message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
- Next message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Alexander Gall
gall at switch.ch
Wed Jan 30 16:24:34 CET 2008
On Wed, 30 Jan 2008 13:10:56 +0100, Joao Damas <Joao_Damas at isc.org> said: > On 30 Jan 2008, at 12:00, Jim Reid wrote: >> On Jan 30, 2008, at 10:34, Alexander Gall wrote: >> >>> The current set of trust anchors distributed by RIPE NCC includes >>> the domains >>> >>> disi.nl example.net pwei.net >>> >>> None of these currently have any DNSSEC resource records (i.e. they >>> are insecure), which effectively brakes those zones for everybody who >>> uses that particular set of trust anchors. >> >> Doesn't everyone check any third party's trust anchors before >> configuring them into their secure resolvers? > Sometimes. At other times I place trust in registries that do this for > me (eg a DLV registry that I find I can trust). It's the same with SSL > certificates, I have to trust the CA to do its job Yes. The subtle point I was trying to make was that once you've decided to trust a particular source of DNSSEC keys, you shouldn't throw away any of them based on your perceived status of a zone through plain DNS queries. If RIPE NCC would have chosen to use DLV, it would have put all keys that are now in the text file into the DLV zone and only hand out the public key of that zone. In that case, my validator would mark the three zones above as bogus - there would be no other choice except not to use this DLV registry at all. The way it is done now, I *technically* have the choice to exclude the keys for these zones from the set of trusted keys in my validator (this is what Jim suggests). The result would be that the zones are marked as insecure, which is a big difference. The question I'm rising is how I should handle this situation. I believe the answer (at least for the paranoid :-) is that I must install *all* keys and attribute the fact that, say, disi.nl is now bogus to malicious activity until either the zone gets properly signed or someone I trust tells me that the zone really is insecure. Before this happens, all I know is that someone I trust tells me the zone is secure but I can't verify it with the key this person is giving me. This ain't easy, I know. Security never is. Of course, people tend to be very pragmatic in a time where the root is not signed and everybody has to rely on some sort of out-of-band validation (we're all happy DNSSEC works on the protocol level, right?), but then I find the value of DNSSEC rather questionable. What a surprise ;-) -- Alex
- Previous message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
- Next message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]