[EURO-Discuss] ALAC-WG on DNSSEC

Lutz Donnerhacke lutz at thur.de
Sat Aug 30 17:57:10 EDT 2008


On Sat, Aug 30, 2008 at 02:30:32PM +0200, JFC Morfin wrote:
> IMHO the situation today could eventually badly hurt ICANN (depending 
> on what ICANN wants to be). Questions are:
> - is the root server system a good system or not from a user perspective.

Yes, it's good. It provide a consistent view of the Internet and prevents
large scale censorship by regional gouvnerments.

> - is DNSSEC a good solution or not in a root/non root server system 
> from a user perspective.

Yes, it#s good. It offers the users to secure their communication for free
and prevents any DNS based censorship (even from local ISPs).

> - who should be the concerned operators from a user perspective.

>From the SSAC (my other hat) point of view, the current operators do a very
good job and are trustworthy.

>From the AtLarge point of view, I prefer a multiple signing key concept: You
can trust the key holders you like. So if the DOD has one set of root keys,
the company Verisign has a second, and other organisations has even other
keys, no single party is able to modify the relevant entries without asking
for signing all other parties. In the case of short term modifications, the
missing signatures from the other parties will detect the modifications as
an attack to the system.

> - who is endangering the capacity of these operators to develop, why and how.

A multi signing key concept vanishs the need for this question, doesn't it?

> Yes. But we need to have the @large users to be aware enough of the 
> root of the root management situation. This is why they must have a 
> full command of the technical, commercial, strategic, societal and 
> normative interests involved. This documentation does not exist if I 
> am correct?

There is documentation for all these issues out. If you are interested, I
can compile a list, but I'm short of time at the moment.

> TLDs) not the old "intlfile", now the NTIA root file (4) because the 
> largest part of the Internet is now using TLDs and topzone name 
> servers that are not in the root (China, ISPs, etc.) and if I 
> understand you well your 15000 users.

You might confuse something. An alternative root does not mean, that they
are using complete different data. My signed root is derived from the IANA
files. So there is mostly no difference.

> So the real question are : who is really controlling the IANA, who is 
> in position to control it in the coming months/years. Is DNSSEC 
> something of real interest or not depending the way the users use it? 
> What will be its political consequences on the stability and 
> interoperability of the Internet. How the semantic addressing and its 
> hundred of thousands of top zones will be impacted/impact all this. etc.

Large questions which should be discussed in detail individually, but not
yet ... sorry.

> The US position over DNSSEC
> will have the first advantage to teach DNSSEC to civil servants and 
> militairies.

That's FUD. Please do not distribute that bullshit. DNSSEC advantage existes
in Sweden, Puerto Rico, Brasil, Bulgaria, RIPE, and NLNetlabs. (My company
does not count.) US is far behind.

> >I fear
> >that Atlarge organization is not able to offer this in the full broad sense.
> 
> Let not confuse ALAC and the ALSes.

ALS will not able to provide the full chain of documents and support. It's
too specific knowlegde.

> >That's part of my proposal. I'd like to see the signed root (of IANA)
> >productive on the validating resolvers during the whole sumit and meeting.
> 
> Question: what will be the situation of the topzone nameservers which 
> are not in the root but which are documented in through the TLD nameservers?

They will not be asked anymore from the ICANN meeting place. The validation
resolvers only ask a set of nameservers with hold the IANA signed zone.

> >I run a signed root since more than two years in production environments
> >(for ~15000 people) and one of the largest DLVs.
> 
> You mean a signed root Down Loadable Version :-)?

;; QUESTION SECTION:
;.				IN	DNSKEY
;; ANSWER SECTION:
.			36000	IN	DNSKEY	256 3 5 BQEAAAABy8CjFJC4LKj+TE7U2h8eqQJ47GjH2JKCqf9X5Di3V8cNbTV0 aDRRbXOAILSjC2mgoLOokPp2YjaVFWYQF7ePFBgvk0rKydnF606jpFW5 3TDmG2qnLwxeFPMwMtTOxT6teGoTWm1t1jxCMWazZUt4qq0ykcgAzd7Q o7z+7gq0vZfZwf6tYMcukrYFdkQUqjh1ewpvjfrhqHpEHP3bM2I+8yzA xBby1vWUO8q9yzSZ7mpezlTyA6j3pV6iE2AAKd2q5kMdzOc8OLiywkef 5i5AswYSZZHcFdEuODQsz6MDxp2RbOwkZf87k8yajzZpgpVUgT38E/fP oAR5rEDC+K83cw==
.			36000	IN	DNSKEY	257 3 5 BQEAAAABu13HdYlS35tf+wtpDlwkfPhz9sCqYHMPUDXfNUt8ePPrBPQx ZvZIx7tere9mX3u1tC8Ooxr5IMQa7D2yn2ZfomVk9rF+7Rtxtlu9LmNS DcqCa7JwrJyhg3eDyQ/+2fOwb+XhVEsjoMFY09DglZSWHroKOieFw4X1 sZLvmmXczYv2yzd/uP5xIxxofh++vfQ4505oYlkymLehWXfT1lqqpszH 9d/A7GHGmgdS8uyXq5LJC+PPJjdndcas4DH/Ja24NrIvzzX8ZXNimO13 +YMnKQdDSxS3yQWztSVgcY2GwRLWM9fiCX+e351OnIhYE+FjhHdg6M71 6Jf8ZDGoBO5Qrn3HMejItFBekBo9Rf2ZYzukSbu06CfFBpX/HQuAOYfp 2/7D56cG8SRH2d0sF3KAygSwAs3XvDv/dXcKMMqKftw5nxvv50o9OOUH gIR9kGVAax90oz1ZgtygQMMTHe2QuAaLwqso19Y2jb3qHIvyi+N94rwQ DzUrnMR3RFbL8P4XF4yzrYIEXkx6U9X8myHYQxbHdZ3N4rBoBvjjACX1 Vpl7bdDnKC/bITW34xpmNRZl+3K80zx5r0t9O9Csdylgach0CCNsu1I9 ERHYk/rEdzvSOiwSDYpMB3MlgYARjjWfx8YfSp1QV4fwo3i6ZZ3yFtlY Kcw23zD5Qe/YtLQ5H+8=
;; AUTHORITY SECTION:
.			72000	IN	NS	a.dnssec-root.iks-jena.de.
.			72000	IN	NS	a.dnssec.thur.de.
.			72000	IN	NS	b.dnssec-root.iks-jena.de.


> Where can we get and test it?

Simply do it. Documentation can be found on my companies website. Please
search yourself. I'll not promote it.

> >  It's technically and
> >operationally possible. AtLarge can show, that ICANN is able to handle the
> >political issues (at least for the Cairo meeting) too.
> 
> I am sure ALAC can handle it.
> ICANN if I am correct has announced its intent to do it two years ago 
> in its strategic plan and has not moved upon it. My concern is that 
> the first thing the USG people will do will be to sign the root they
> will use. They do not need ICANN for that. Then what shall Europe 
> and China do?

That's FUD, too. The root zone is signed by IANA. I'll see this version
procutive on the meeting in Cairo. That's all.

> Additional remarks on the @large, ALAC + Europe + users aspects :
> 
> 1) on the Unbound mailing list:  (the DNS software by NLnet Labs, 
> sponsored by Nominet and Verisign):

That's FUD. NLNetlab is not sponsored by Nominet nor Verisign.
NLNetlab produces the leading DNSSEC software and testbeds.

> "the U.S. has been dragging its 
> feet, but will now encourage itself and others to get on board. This 
> is a great opportunity for DNSSEC-by-design Unbound, which appears to 
> both work well as a DNSSEC resolver AND is leading the pack with 
> important new security features (e.g. scrubbers), that both 
> enterprise and users are beginning to value". IMHO this is something 
> we need to evaluate, confirm, document in layman words, etc. in the 
> best interest of the European publics and entreprises.

I do not see any need for your request. US gouvnerment urges their suborgs
to sign their zones. That's great. That's all. Brasil had done this two
years earlier.

> 2) I went on the http://DNSSEC.org to see if there is something user 
> oriented. I tried to the "How-to". The first sentence is "This part 
> deals with securing data in zone les. We describe how to generate and 
> manage keys, how to set up a recursive name server to validate signed 
> zone data and how to sign and serve zones." Hardly something people 
> can understand the meaning at first glance.

I voluteered to provide a DNSSEC track for the summit. User oriented
material has to produced for this event. Currently the documentation is most
readable in the RFCs. The websites out there are wracky.

> 3) from your knowledge of the DNSSEC, what is the current pertinence
> of RFC 3833? Would it be interesting to update it and present it in a 
> more readable/practical way to users ?

This RFC is obsoleted. Time has moved on.




More information about the EURO-Discuss mailing list