[dns-operations] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon Feb 8 10:44:36 UTC 2010


On Mon, Feb 08, 2010 at 09:34:23AM +0100, João Damas wrote:
> 
> I do agree that for the DNS, it would be good to have a single entry point to the secure tree and we are closer now than ever before, but the signature on the root is not going to be the end of the multiple-key problem. The vast majority of TLDs are not signed, further down the tree an even smaller part of the tree is signed, and of that only a small percentage has been able to link its data to the parent zone. Still a long way to go.
> 	

	pragmatically, if there is ever a configuration with a single SEP, that is going to 
	be a very weak/brittle system.  Folks who use the root signing as the "holy grail"
	of a secure DNS - the one true SEP - are going to be disillusioned quickly.

> I will disagree with Randy that DLV provides "authority with no corresponding responsibility." DLV is merely a publishing mechanism where the data is controlled directly by the source, unlike in the Fedora packages for instance, and with clear rules to play. Perhaps it could use a mechanism where a consumer could check that the real source had been the one introducing the data, that there is a record of the checks applied, rather than having to rely on a third party to tell you they did (perhaps this is where, right now, the delegation of trust to the DLV operators conveys some sense of authority).

	DLV is still a proxy, just like Fedora, or Microsoft, or Oracle, or Google.
	Lots of people pay their proxies to be right and are willing to settle for 
	SLA recovery when it is broken. Others don't like proxies and try very hard
	not to use them.

> Overall, for duration of this period where the secure DNS tree is highly fragmented, DLV does make a lot of sense. This does not contradict the fact that a signed root is a significant step forward and a very welcome one and, in this context, I will always trust something I can trace from the root down more than something I get from a third party.

	perhaps - I prefer to think of it as I have a higher confidence in verifiable chains
	of trust from known SEPs... be it root, or 193.in-addr.arpa, or doi.gov. or 
	any others that are useful to me and I can verify.

	I remain leery of DLV for the reason that I can't verify the trust relationship between
	the key owner and the key publisher without going through more steps than just verification
	of the SEP with the owner. YMMV of course.

> 
> Joao
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
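The "link to the parent zone" both posters refer to, and the check a resolver operator would run to notice that a packaged trust anchor has gone stale, is the DS/DNSKEY match from RFC 4034 (section 5.1.4 for the digest, Appendix B for the key tag). The following is an added example written for this page, not code from the list post, from Fedora, or from any DLV operator; the zone name, keys and configured anchors in it are constructed for illustration and are not real DNSSEC material.

```python
# Added example: verify that a child zone's DNSKEY is the one its parent's DS
# commits to (RFC 4034 s5.1.4 / Appendix B), then use that to flag locally
# configured trust anchors that no longer match anything the zone publishes.
# Every name and key below is constructed; none is a real trust anchor.
import hashlib
import hmac
import struct

# DS digest types this checker understands (RFC 4034 s5.1.3 / RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}
ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit 7
DNSKEY_PROTOCOL = 3     # the only value RFC 4034 allows


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the whole DNSKEY RDATA (RFC 4034 Appendix B, non-algorithm-1 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, rdata, digest_type=2):
    """DS fields (key tag, algorithm, digest type, hex digest) the parent would publish for this key."""
    algorithm = rdata[3]
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def dnskey_matches_ds(owner, rdata, ds):
    """True if `rdata` is a zone key that the DS record `ds` commits to."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type: no usable link to the parent
    flags = struct.unpack("!H", rdata[:2])[0]
    if rdata[2] != DNSKEY_PROTOCOL or not flags & ZONE_KEY_FLAG:
        return False  # not a zone key, so it cannot anchor a chain of trust
    c_tag, c_alg, _, c_digest = ds_from_dnskey(owner, rdata, dtype)
    return c_tag == tag and c_alg == alg and hmac.compare_digest(c_digest, digest.lower())


def stale_anchors(owner, configured_ds, zone_dnskeys):
    """Configured DS-form anchors for `owner` matching none of the keys the zone currently publishes."""
    return [ds for ds in configured_ds
            if not any(dnskey_matches_ds(owner, k, ds) for k in zone_dnskeys)]


# Constructed scenario: the zone rolled its key, the packaged anchor was not updated.
ZONE = "example."                                            # constructed name
OLD_KEY = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")       # constructed, SEP+zone-key flags
NEW_KEY = dnskey_rdata(257, 3, 8, b"\x0a\x0b\x0c\x0d\x0e")   # constructed replacement
PACKAGED_ANCHORS = [ds_from_dnskey(ZONE, OLD_KEY)]           # what an old package would ship
CURRENT_DNSKEYS = [NEW_KEY]                                  # what the zone serves now

if __name__ == "__main__":
    for tag, alg, dtype, digest in stale_anchors(ZONE, PACKAGED_ANCHORS, CURRENT_DNSKEYS):
        print(f"stale anchor for {ZONE}: tag={tag} alg={alg} digest_type={dtype} digest={digest}")
```

Run against a real zone, the DNSKEY RRset would come from a resolver query and the DS tuple from the parent (or from the locally configured anchor file); the check is the same either way, which is the point the thread makes: an anchor you can recompute and match yourself is a verifiable SEP, whereas an anchor you only received from a packager is a proxy.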