[dns-operations] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories

João Damas joao at bondis.org
Mon Feb 8 11:03:45 UTC 2010


On 8 Feb 2010, at 11:44, bmanning at vacation.karoshi.com wrote:

> On Mon, Feb 08, 2010 at 09:34:23AM +0100, João Damas wrote:
>> 
>> I do agree that for the DNS, it would be good to have a single entry point to the secure tree and we are closer now than ever before, but the signature on the root is not going to be the end of the multiple-key problem. The vast majority of TLDs are not signed, further down the tree an even smaller part of the tree is signed, and of that only a small percentage has been able to link its data to the parent zone. Still a long way to go.
>> 	
> 
> 	pragmatically, if there is ever a configuration with a single SEP, that is going to 
> 	be a very weak/brittle system.  Folks who use the root signing as the "holy grail"
> 	of a secure DNS - the one true SEP - are going to be disillusioned quickly.
> 
>> I will disagree with Randy that DLV provides "authority with no corresponding responsibility." DLV is merely a publishing mechanism where the data is controlled directly by the source, unlike in the Fedora packages for instance, and with clear rules to play. Perhaps it could use a mechanism where a consumer could check that the real source had been the one introducing the data, that there is a record of the checks applied, rather than having to rely on a third party to tell you they did (perhaps this is where, right now, the delegation of trust to the DLV operators conveys some sense of authority).
> 
> 	DLV is still a proxy, just like Fedora, or Microsoft, or Oracle, or Google.

it is a proxy, but in that one the source of the information is the one directly in charge of what is published and can update/kill/create data without intermediaries. That is a huge difference, at least to me.

> 	Lots of people pay their proxies to be right and are willing to settle for 
> 	SLA recovery when it is broken. Others don't like proxies and try very hard
> 	not to use them.

I guess that's why people refer to DLV as a local policy issue...

> 
>> Overall, for the duration of this period where the secure DNS tree is highly fragmented, DLV does make a lot of sense. This does not contradict the fact that a signed root is a significant step forward and a very welcome one and, in this context, I will always trust something I can trace from the root down more than something I get from a third party.
> 
> 	perhaps - i prefer to think of it as I have a higher confidence in verifiable chains
> 	of trust from known SEP's... be it root, or 193.in-addr.arpa, or doi.gov. or 
> 	any others that are useful to me and I can verify.
> 
> 	I remain leery of DLV for the reason that I can't verify the trust relationship btwn
> 	the key owner and the key publisher without going through more steps than just verification
> 	of the SEP with the owner. YMMV of course.

Yes, as I said in my previous mail, exposing the audit records for the creation/modification of the record could be a useful feature.

Joao

