[dns-operations] thoughts on DNSSEC

Olaf Kolkman olaf at NLnetLabs.nl
Wed Jul 18 15:32:06 UTC 2012

On Jul 18, 2012, at 4:17 PM, Daniel Kalchev wrote:

> Obviously, e-mail authentication is not appropriate, as is any in-band authentication as well.
> Proper DNSSEC implementations should use end-to-end electronic signatures.
> For example, while implementing DNSSEC back in 2007, we have made it mandatory in the BG registry to use qualified electronic signatures in order to manipulate DNSSEC. About the only operation you can do without it is "turn DNSSEC off" and for this to work you need other than e-mail authentication.

If you talk about registrant registrar interaction then your DNSSEC authentication mechanism should be as strong as your non-DNSSEC authentication mechanism.

The fact that you are sending public key information around doesn't really change the security properties from passing NS resource records. The registrar will have to validate that the blob of operational data being passed around is from the registrant. (and registrars and registries should have a similar level of authenticity and integrity checking).

As for the severity of the consequences after mistakes when passing DNSSEC material, that is indeed an issue. The DNS is forgiving when you mistype NS resources, as long as 1 NS is reachable that is, it is not forgiving in mistakes with DNSKEYs and DSes. But I believe that to be a question of automation and validation (a Registrar could for instance check whether the DNSKEY is already in the DNS).

Just my 0.02 €


Olaf M. Kolkman

olaf at NLnetLabs.nl

Science Park 400, 1098 XH Amsterdam, The Netherlands

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120718/97e1b80a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120718/97e1b80a/attachment.sig>

More information about the dns-operations mailing list