On Jul 18, 2012, at 4:17 PM, Daniel Kalchev wrote: > Obviously, e-mail authentication is not appropriate, as is any in-band > authentication as well. > > Proper DNSSEC implementations should use end-to-end electronic signatures. > > For example, while implementing DNSSEC back in 2007, we have made it > mandatory in the BG registry to use qualified electronic signatures in order > to manipulate DNSSEC. About the only operation you can do without it is "turn > DNSSEC off" and for this to work you need other than e-mail authentication.
If you talk about registrant registrar interaction then your DNSSEC authentication mechanism should be as strong as your non-DNSSEC authentication mechanism. The fact that you are sending public key information around doesn't really change the security properties from passing NS resource records. The registrar will have to validate that the blob of operational data being passed around is from the registrant. (and registrars and registries should have a similar level of authenticity and integrity checking). As for the severity of the consequences after mistakes when passing DNSSEC material, that is indeed an issue. The DNS is forgiving when you mistype NS resources, as long as 1 NS is reachable that is, it is not forgiving in mistakes with DNSKEYs and DSes. But I believe that to be a question of automation and validation (a Registrar could for instance check whether the DNSKEY is already in the DNS). Just my 0.02 € --Olaf NLnet Labs Olaf M. Kolkman www.NLnetLabs.nl [email protected] Science Park 400, 1098 XH Amsterdam, The Netherlands
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
