MSIG proposal (on-the-fly sigs for ordinary records) Was: DNSSEC is hard to get right

2010-09-07 Thread Stephane Bortzmeyer
On Tue, Aug 31, 2010 at 02:55:08PM +0800, Jiankang YAO wrote a message of 11 lines which said:

> I propose a lightweight DNSSEC.
> 
> http://www.ietf.org/id/draft-yao-dnsext-msig-00.txt

I've just read the draft and I'm not sure of the problem it intends to
solve. There are two parts where DNSSEC could be regarded as "too
heavy":

1) Administrative procedures, key management, re-signing, etc.

2) Work for the name servers (loading large zones, sending large
packets, validating, etc).

MSIG addresses only the second. The first one, which was the cause of
the failure for iab.org, is exactly the same as with the current
DNSSEC.

Even for the second, MSIG addresses a problem that we do not feel (for
the signing of .FR, which will be on line next week, the size of the
zone was the smallest problem) and creates a new problem: the
authoritative name server now must generate a signature for every
request! You will eat less RAM but use much more CPU.

Also, if I understood the draft correctly:

* Every authoritative name server, even a slave, will require a copy
of the private key (since it will have to sign the responses
on-the-fly). Bad for manageability and security.

* MSIG secures the link from the authoritative name server to the
resolver but cannot help if there are chained resolvers, or cannot be
used for the last mile. (I'm not sure about this last point, it is not
clear in the draft.)


___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


Re: DNSSEC is hard to get right

2010-08-31 Thread Phillip Hallam-Baker
DNSSEC is a PKI and running a PKI is never a trivial matter.

One of the reasons I have serious concern about the prospects for
deployment of DNSSEC is that the answer to many of my questions is
either a blank stare, an off the cuff answer clearly made up on the
spot or the claim that it is something for the market to decide on.

As things stand we have an excellent architecture for securing
distribution of DNS A and  records. We are thus confident of our
ability to transfer attacks from the DNS system where the effect of
attacks is pretty much localized to the BGP system whose fragility was
demonstrated only last Friday by RIPE. Is this really progress?


Out in Iraq, there is a water treatment plant that cost $110 million
to build. So far it has delivered absolutely no clean water to any
homes because nobody considered the need to build a pipe to connect
the water treatment plant to the city water mains.

There is a metaphor there if people want to see it.


On Tue, Aug 31, 2010 at 7:07 AM, Richard L. Barnes wrote:
> Another view, for the visually inclined:
> 
>
>
> On Aug 31, 2010, at 2:41 AM, Stephane Bortzmeyer wrote:
>
>> % check-sig iab.org
>> Name iab.org has an expired signature (20100829223019)
>>
>> :-(



-- 
Website: http://hallambaker.com/


Re: DNSSEC is hard to get right

2010-08-31 Thread Jiankang YAO
I propose a lightweight DNSSEC.

http://www.ietf.org/id/draft-yao-dnsext-msig-00.txt

which may push DNSSEC to be deployed easily.

:)


Jiankang Yao


- Original Message - 
From: "Stephane Bortzmeyer" 
To: 
Sent: Tuesday, August 31, 2010 2:41 PM
Subject: DNSSEC is hard to get right


> % check-sig iab.org
> Name iab.org has an expired signature (20100829223019)
> 
> :-(


Re: DNSSEC is hard to get right

2010-08-31 Thread Richard L. Barnes

Another view, for the visually inclined:



On Aug 31, 2010, at 2:41 AM, Stephane Bortzmeyer wrote:

> % check-sig iab.org
> Name iab.org has an expired signature (20100829223019)
>
> :-(




DNSSEC is hard to get right

2010-08-30 Thread Stephane Bortzmeyer
% check-sig iab.org
Name iab.org has an expired signature (20100829223019)

:-(
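An added example, not from this thread or from the `check-sig` tool: a small Python checker for the RRSIG validity window, the thing that lapsed for iab.org above, using RFC 4034 presentation syntax and RFC 1982 serial arithmetic for the 32-bit timestamps. The RRSIG records below are constructed for the example (only the expiration 20100829223019 is taken from the post), and the warning threshold is an assumption.

```python
"""Check RRSIG inception/expiration windows, with early warning before expiry."""
import datetime as dt

SERIAL_MOD = 1 << 32  # RRSIG times are 32-bit serial numbers (RFC 4034 3.1.5)


def rrsig_time_to_serial(text: str) -> int:
    """YYYYMMDDHHmmSS presentation form (UTC) -> seconds since epoch mod 2^32."""
    when = dt.datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)
    return int(when.timestamp()) % SERIAL_MOD


def serial_diff(a: int, b: int) -> int:
    """Signed distance a - b under RFC 1982 serial arithmetic (mod 2^32)."""
    d = (a - b) % SERIAL_MOD
    return d - SERIAL_MOD if d >= SERIAL_MOD // 2 else d


def parse_rrsig(line: str) -> dict:
    """Fields: owner ttl class RRSIG type alg labels origttl exp inc keytag signer sig."""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {"owner": f[0], "covers": f[4], "expiration": f[8],
            "inception": f[9], "keytag": int(f[10]), "signer": f[11]}


def check_rrsig(line: str, now: int, warn_seconds: int = 3 * 86400) -> str:
    """Classify one RRSIG at time `now` (epoch seconds); warn_seconds is assumed."""
    r = parse_rrsig(line)
    now %= SERIAL_MOD
    if serial_diff(now, rrsig_time_to_serial(r["inception"])) < 0:
        return "not-yet-valid"
    remaining = serial_diff(rrsig_time_to_serial(r["expiration"]), now)
    if remaining < 0:
        return "expired"
    return "expiring-soon" if remaining < warn_seconds else "ok"


# Constructed sample records; signature field is a placeholder, not real data.
SAMPLE_RRSIGS = [
    "iab.org. 300 IN RRSIG A 5 2 300 20100829223019 20100730223019 12345 iab.org. c2ln",
    "iab.org. 300 IN RRSIG NS 5 2 300 20100905000000 20100806000000 12345 iab.org. c2ln",
    "iab.org. 300 IN RRSIG MX 5 2 300 20100902000000 20100803000000 12345 iab.org. c2ln",
    "iab.org. 300 IN RRSIG SOA 5 2 300 20101001000000 20100901000000 12345 iab.org. c2ln",
]

if __name__ == "__main__":
    now = rrsig_time_to_serial("20100831064100")  # around the time of the post
    for rr in SAMPLE_RRSIGS:
        print(parse_rrsig(rr)["covers"], check_rrsig(rr, now))
```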