AW: [governance] US Congress & JPA

Karl Auerbach karl at cavebear.com
Sun Aug 9 22:51:37 EDT 2009


On 08/09/2009 03:06 PM, Milton L Mueller wrote:

> Do you agree with me and with Philip Hallam-Baker that implementation
> of DNSSEC makes it much more difficult, if not impossible for
> multiple, consistent roots to be maintained?

I personally have not dredged into DNSSEC to make my own assessment. 
(Although in preparing this reply I have lightly dug into the DNSSEC RFCs.)

A few months ago I asked this question of someone I trust who is deeply 
involved with DNSSEC.  His answer was that DNSSEC would not have the 
effect of blocking competing roots.  (He may have changed his opinion 
since then, but I have not heard to the contrary.)

His rationale was to the effect that since DNSSEC is really, just like 
DNS, a hierarchy of keys, what matters is that there is a downwards 
looking chain of keys (via signed DS/DNSKEY records) from whatever one 
accepts as "the root" (or "trust anchor".)

From my reading of DNSSEC RFCs a DNSSEC-capable competing root would 
need to provide DS records for all of the TLDs that have a zone key 
(DNSKEY) record.  That, I believe (but I can be wrong) can be done by 
the competing root, as part of its root zone generation process, going 
to each of the TLDs that are in its zone and asking for the DNSKEY 
record and then computing an appropriate DS record for inclusion into 
the competing root zone.

It seems to me that given that we today can run DNSSEC child zones under 
non-DNSSEC parent zones, that it would be feasible for some competing 
roots to be DNSSEC signed (with DS records for delegations) and others 
not.  But again I'm speaking from light reading not from deep knowledge.

(For a root with a few hundred delegations that, assuming I'm not 
completely off base, would be fairly easy to do.  For a huge TLD such as 
.com I would imagine that this would require something like a DNS 
version of a Google-bot to continuously dredge through that TLD's 
clients [e.g. example.com] to find new and updated DNSKEY records.)

Now I could be absolutely and totally wrong in this.  But from my 
(admittedly light) reading of DNSSEC all of the signing is such that a 
child-zone (e.g. example.com is a child of .com and .com is a child of a 
root) contains no cryptographic materials to verify the parent.  Rather, 
the parent provides crypto materials of the child.  This suggests 
to me that a child zone could have any number of DNSSEC parents as long 
as each parent itself has a DS record for the child and that that DS 
record is signed by the DNSKEY of the parent, a key that can be 
different for each parent.  I.e. multiple parents implies the ability of 
multiple roots.

Again I could be dead-to-rights wrong on all of this.  But for a couple 
of years I've been asking to be corrected in specific terms and so far 
nobody has taken me to task.

It would be worthwhile to move this out of the abstract and to set up a 
DNSSEC testbed to test these exact scenarios.

		--karl--
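
The DS computation the message describes, as an added example (not part of the original post, and not any project's code): it follows RFC 4034 section 5.1.4 and Appendix B with SHA-256 digests (RFC 4509). The key bytes are constructed samples, the function names are hypothetical, and emitting a DS only for keys with the SEP flag is an assumption.

```python
import base64
import hashlib
import struct

def wire_name(name):
    """Canonical wire form of a domain name: lower-case labels, length-prefixed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS line with a SHA-256 digest (type 2) over owner name | DNSKEY RDATA.
    No parent name or parent key is an input, so any parent computes the same DS."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} 2 {digest}"

def ds_set_for_root(tld_keys):
    """DS lines a root-zone build would emit from the DNSKEYs fetched per TLD.
    Assumption: only keys with the SEP bit (flags & 1) get a DS."""
    lines = []
    for owner, keys in sorted(tld_keys.items()):
        for flags, algorithm, pubkey_b64 in keys:
            if flags & 0x0001:
                lines.append(make_ds(owner, dnskey_rdata(flags, 3, algorithm, pubkey_b64)))
    return lines

def constructed_key(seed):
    """Constructed sample bytes standing in for a public key (not a real key)."""
    return base64.b64encode(hashlib.sha256(seed).digest()).decode()

# Constructed input: (flags, algorithm, base64 key) per TLD, as if fetched from each TLD.
SAMPLE_TLD_KEYS = {
    "org.": [(257, 8, constructed_key(b"org-ksk")), (256, 8, constructed_key(b"org-zsk"))],
    "se.": [(257, 8, constructed_key(b"se-ksk"))],
}

if __name__ == "__main__":
    for line in ds_set_for_root(SAMPLE_TLD_KEYS):
        print(line)
```

What differs from one parent to another is the RRSIG covering each DS, which is made with that parent's own zone key; a validator only accepts the chain that starts at the trust anchor it has configured.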




