[dns-operations] DNS trust dependencies for TLDs

Antoin Verschuren Antoin.Verschuren at sidn.nl
Mon Jun 15 08:28:10 UTC 2009

> From: Matthew Dempsky [mailto:matthew at dempsky.org]
> Subject: Re: [dns-operations] DNS trust dependencies for TLDs
> You deliberately chose to give private companies like via.net and
> oleane.net authority over the entire .nl zone, and you trust them not
> to be vulnerable to security holes or social engineering?  If so, then
> don't worry about my graphs, but I'd honestly be a little surprised if
> this was the case. :)

Yes, this is basically what I'm saying.
We trust that our partners like AFNIC, ISC, and Autonomica run a good operation, and that the partners they chose are trustworthy too.
How they chose them is not our concern, as that would mean they would use the same operational considerations in choosing them as we would, and there could be a vulnerability in that consideration.

I don't want to say I don't like the graphs, as I do, and it helps us to identify if the dependencies are not too big.
I just want to say that a dependency graph that is as small as possible has its own risks.
Like all security considerations, it's a tradeoff between complexity and redundancy.
So instead of saying .se is good, .nl is bad, I would say the truth is somewhere in the middle.

Perhaps it is good to read the graphs not only in the light of cache poisoning, as seems to be the trend at the moment, but also consider governance and data escrow as a consideration as to why you don't want to have one single point of control for a TLD. It prevents us (or anyone controlling us in some situation, like government or bankruptcy lawyers) from doing stupid unrecoverable things.
Once DNSSEC has been deployed, the cache poisoning goes away as well, and we really need to think about escrow and governance for our keys the same way as we do distributing our zone.

Antoin Verschuren

Technical Policy Advisor
Utrechtseweg 310
PO Box 5022
6802 EA Arnhem
The Netherlands

T +31 26 3525500
F +31 26 3525505
M +31 6 23368970
E antoin.verschuren at sidn.nl
W http://www.sidn.nl/

