[dns-operations] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories
joao at bondis.org
Mon Feb 8 11:03:45 UTC 2010
On 8 Feb 2010, at 11:44, bmanning at vacation.karoshi.com wrote:
> On Mon, Feb 08, 2010 at 09:34:23AM +0100, Joco Damas wrote:
>> I do agree that for the DNS, it would be good to have a single entry point to the secure tree and we are closer now than ever before, but the signature on the root is not going to be the end of multiple-key problem. The vast majority of TLDs are not signed, further down the tree an even smaller part of the tree is signed, and of that only a small percentage has been able to link it's data to the parent zone. Still a long way to go.
> pragmatically, if there is ever a configuration with a single SEP, that is going to
> be a very weak/brittle system. Folks who use the root signing as the "holy grail"
> of a secure DNS - the one true SEP - are going to be disillusioned quickly.
>> I will disagree with Randy that DLV provides "authority with no corresponding responsibility." DLV is merely a publishing mechanism where the data is controlled directly by the source, unlike in the Fedora packages for instance, and with clear rules to play. Perhaps it could use a mechanism where a consumer could check that the real source had been the one introducing the data, that there is a record of the checks applied, rather than having to rely on a third party to tell you they did (perhaps this is where, right now, the delegation of trust to the DLV operators conveys some sense of authority).
> DLV is still a proxy, just like Fedora, or Microsoft, or Oracle, or Google.
it is a proxy, but in that one the source of the information is the one directly in charge of what is published and can update/kill/create data without intermediaries. That is a huge difference, at least to me.
> Lots of people pay their proxies to be right and are willing to settle for
> SLA recovery when it is broken. Others don't like proxies and try very hard
> not to use them.
I guess that's why people refer to DLV as a local policy issue...
>> Overall, for duration of this period where the secure DNS tree is highly fragmented, DLV does make a lot of sense. This does not contradict the fact that a signed root is a significant step forward and a very welcome one and, in this context, I will always trust something I can trace from the root down more than something I get from a third party.
> perhaps - i perfer to think of it as I have a higher confidence in verifiable chains
> of trust from known SEP's... be it root, or 193.in-addr.arpa, or doi.gov. or
> any others that are useful to me and I can verify.
> I remain leary of DLV for the reason that I can't verify the trust relationship btwn
> the key owner and the key publisher without going through more steps than just verification
> of the SEP with the owner. YMMV of course.
Yes, as I said in my previous mail, exposing the audit records for the creation/modification of the record could be a useful feature.
More information about the dns-operations