[dns-operations] .TH signed
Edward Lewis
Ed.Lewis at neustar.biz
Wed Apr 8 18:36:53 UTC 2009
At 11:01 -0700 4/8/09, Kim Davies wrote:
>On 4/8/09 10:52 AM, "Chris Thompson" <cet1 at cam.ac.uk> wrote:
>> There's something rotten in the ITAR about TH.
...
>Yes, we noticed this the day it got listed. Our methodology for checking the
>trust anchor was to grab the DNSKEY(s), compute their key tag and digests,
>and see if they matched. It appears we need to be checking algorithm types
>too. Regrettably this was neither caught at our verification stage, nor at
>the TLD operator's manual inspection when they were asked to verify and
>approve the listing.
Maybe the problem here is a bit deeper than I thought.
When Scott Hollenbeck put together RFC 4310, I did some testing to
support it. We discussed the issue of "submit a key or submit a DS."
We sided on submitting a DS as the right way to go because (and this
is the point), a registry ought to be explicitly told to
"associate/register this resource (attributes) with this identity."
(DNSKEY is also in RFC 4310 to achieve wider consensus.) We came to
this informal, undocumented "theorem:"
A registry shouldn't be trying to infer something, anything, about
registrants. A registry should take what a registrant (or the agent
of/registrar) explicitly says to register and record the association
- modulo authentication, authorization, etc.
The documented rationale (in the Security section of RFC 4310) was to
minimize the processing load on the registry server - limiting
computation. In retrospect, this isn't as big a concern because
generally EPP servers are otherwise protected from DoS attempts.
The theorem is where I started "demanding" that a TAR (DLV, iTAR,
crawler, whatever) only take "explicit" registrations from SEP
producers. To the TARs - please don't cause problems because of
TAR-made assumptions about SEPs. Please.
PS - By some definitions, TARs (DLV, iTAR, crawler, whatever) are
registries themselves, by associating a DNSKEY/DS with a domain name.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar You can leave a voice message at +1-571-434-5468
Getting everything you want is easy if you don't want much.
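The trust-anchor check described in the quoted text (compare key tag and digest only) next to a full field-by-field DS comparison, as an added example that is not from the post, from IANA or from any TAR software. The zone name, key material and algorithm numbers are constructed for illustration, not the actual .TH values.

```python
import hashlib
import struct

# Constructed sample DNSKEY for a hypothetical zone "example."; the key bytes are
# arbitrary, not a real public key (enough for key tag and digest arithmetic).
ZONE = "example."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 8          # KSK flag, DNSSEC, RSASHA256
PUBLIC_KEY = b"constructed-sample-key-material-not-a-real-key"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name):
    """Canonical wire form of the owner name: lowercase labels plus root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type numbers

def ds_from_dnskey(name, rdata, digest_type=2):
    """Derive the four DS RDATA fields (RFC 4034 section 5.1) from a DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(name) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def naive_match(ds, name, rdata):
    """The check the quoted text describes: key tag and digest only."""
    want = ds_from_dnskey(name, rdata, ds["digest_type"])
    return ds["key_tag"] == want["key_tag"] and ds["digest"] == want["digest"]

def full_match(ds, name, rdata):
    """Compare every DS field, including the algorithm number."""
    return ds == ds_from_dnskey(name, rdata, ds["digest_type"])

RDATA = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBLIC_KEY)
# A listed DS whose key tag and digest are correct but whose algorithm field
# was entered wrong (constructed: 7 instead of the key's 8).
BAD_DS = dict(ds_from_dnskey(ZONE, RDATA), algorithm=7)

if __name__ == "__main__":
    print("key tag/digest only:", naive_match(BAD_DS, ZONE, RDATA))  # True
    print("all fields:         ", full_match(BAD_DS, ZONE, RDATA))   # False
```

A validator that uses the listed DS will look for a DNSKEY with algorithm 7 and never find one, so the only check that catches the bad listing before publication is the one that compares the algorithm field as well.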