On Wed, Nov 16, 2016 at 02:18:17PM +0100, Mikael Abrahamsson wrote:
> Ok, so what I see right now is DNSSEC punting the problem somewhere else. NTP is punting it somewhere else. TLS is punting it somewhere else.

I don't think this is what people are saying. The issue of trust anchor updates is one that is not unique to DNSSEC, so it makes sense to look at some of the solutions other systems which rely on chains of trust use. What happens, for example, when a Certificate Authority needs to replace its root certificate?
> Oh, your DNSSEC key material is too old, use TLS. Oh, your time is not accurate, use NTP. Oh, you don't have time, use DNSSEC, or TLS, or magic. Or just throw away your box, you were stupid to put it on the shelf for the wrong 9 months.

Again, this isn't the exact point that was being made. I believe the answer you are referring to is that of consensus. When deciding which DNSSEC anchor to trust, if you have multiple sources using a variety of different trust anchors, this adds a bit of credibility. E.g., if the TLS-secured IANA site includes a KSK which has also been signed by ICANN's root X.509 cert, and this has been endorsed by a bunch of trusted people with PGP signatures, that becomes a relatively difficult thing for an attacker to spoof.

> As a whole, nobody seems to be interested in actually coming up with a viable solution that actually fixes people's problems. Everybody's just punting the problem elsewhere or waving their hands and saying "not our problem".

Did you see my original response? Proposals for automatic DNSSEC trust anchor updating *do* exist.

Emily

--
Emily Shepherd
Computer Science Graduate, MEng (Hons)
W: https://emilyshepherd.me/
M: +44(0)7575 721 231


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
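The consensus idea in Emily's reply, worked through as an added example (this is not code from the thread, nor any IANA or ICANN tooling): a candidate root KSK is reduced to its key tag and SHA-256 DS digest, then compared with the DS that several independent sources publish for it, and the anchor is accepted only when at least a threshold of sources agree. Everything below is constructed: the public key bytes are placeholders, the "sources" are labels, and nothing is fetched or signature-verified here (in practice each claim would come from a document fetched over TLS, a file checked against the X.509 signature, or a PGP-signed statement checked against known keys). The key tag and DS computations follow RFC 4034 Appendix B and RFC 4509.

```python
"""Cross-check a candidate DNSSEC trust anchor against several independent
sources.  Added example; all source values below are constructed."""
import hashlib
from dataclasses import dataclass


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase) wire form; "." is the root zone."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4509): SHA-256(owner wire name | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


@dataclass(frozen=True)
class AnchorClaim:
    """What one independent source says the anchor's DS is (constructed)."""
    source: str
    key_tag: int
    digest: str


def check_consensus(owner: str, rdata: bytes, claims, threshold: int):
    """Accept the candidate KSK only if at least `threshold` sources publish a
    DS matching it.  Returns (accepted, agreeing_sources, disagreeing_sources)
    so the caller can see which source was stale or spoofed."""
    tag = key_tag(rdata)
    digest = ds_digest_sha256(owner, rdata)
    agreeing = [c.source for c in claims
                if c.key_tag == tag and c.digest.upper() == digest]
    disagreeing = [c.source for c in claims if c.source not in agreeing]
    return len(agreeing) >= threshold, agreeing, disagreeing


# Constructed candidate KSK: flags 257 (zone key + SEP bit), protocol 3,
# algorithm 8 (RSA/SHA-256).  The key bytes are placeholders, not a real key.
CANDIDATE_RDATA = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
_STALE_RDATA = dnskey_rdata(257, 3, 8, bytes(64))  # a different, older key

# Constructed claims.  Three sources publish the current anchor; a fourth
# (a copy baked into firmware months ago) still carries the old one.
_CUR_TAG, _CUR_DS = key_tag(CANDIDATE_RDATA), ds_digest_sha256(".", CANDIDATE_RDATA)
_OLD_TAG, _OLD_DS = key_tag(_STALE_RDATA), ds_digest_sha256(".", _STALE_RDATA)
CLAIMS = [
    AnchorClaim("IANA anchor page fetched over TLS", _CUR_TAG, _CUR_DS),
    AnchorClaim("anchor file with ICANN X.509 signature", _CUR_TAG, _CUR_DS),
    AnchorClaim("PGP-signed statement from known signers", _CUR_TAG, _CUR_DS),
    AnchorClaim("stale copy baked into firmware", _OLD_TAG, _OLD_DS),
]


if __name__ == "__main__":
    accepted, agree, disagree = check_consensus(".", CANDIDATE_RDATA, CLAIMS, 2)
    print("candidate key tag:", key_tag(CANDIDATE_RDATA))
    print("accepted:", accepted)
    print("agreeing:", agree)
    print("disagreeing (investigate):", disagree)
```

The threshold is the policy knob: requiring two of four sources tolerates one stale or attacker-controlled source, while requiring all four would make the firmware copy a veto. The disagreeing list is the part worth logging, since a single source that diverges from the others is exactly what a spoofed TLS page or a rolled key looks like from the client's side.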
