AW: [governance] US Congrerss & JPA
Karl Auerbach
karl at cavebear.com
Sun Aug 9 22:51:37 EDT 2009
On 08/09/2009 03:06 PM, Milton L Mueller wrote:
> Do you agree with me and with Philip Hallam-Baker that implementation
> of DNSSEC makes it much more difficult, if not impossible for
> multiple, consistent roots to be maintained?
I personally have not dredged into DNSSEC to make my own assessment.
(Although in preparing this reply I have lightly dug into the DNSSEC RFCs.)
A few months ago I asked this question of someone I trust who is deeply
involved with DNSSEC. His answer was that DNSSEC would not have the
effect of blocking competing roots. (He may have changed his opinion
since then, but I have not heard to the contrary.)
His rationale was to the effect that since DNSSEC is really, just like
DNS, a hierarchy of keys, what matters is that there is a downwards
looking chain of keys (via signed DS/DNSKEY records) from whatever one
accepts as "the root" (or "trust anchor".)
From my reading of DNSSEC RFC's a DNSSEC capable competing root would
need to provide DS records for all of the TLDs that have a zone key
(DNSKEY) record. That, I believe (but I can be wrong) can be done by
the competing root, as part of its root zone generation process, going
to each of the TLDs that are in its zone and asking for the DNSKEY
record and then computing an appropriate DS record for inclusion into
the competing root zone.
It seems to me that given that we today can run DNSSEC child zones under
non DNSSEC parent zones, that it would be feasible for some competing
roots to be DNSSEC signed (which DS records for delegations) and others
not. But again I'm speaking from light reading not from deep knowledge.
(For a root with a few hundred delegations that, assuming I'm not
completely off base, would be fairly easy to do. For a huge TLD such as
.com I would imagine that this would require something like a DNS
version of a Google-bot to continuously dredge through that TLD's
clients [e.g. example.com] to find new and updated DNSKEY records.)
Now I could be absolutely and totally wrong in this. But from my
(admittedly light) reading of DNSSEC all of the signing such that a
child-zone (e.g. example.com is a child of .com and .com is a child of a
root) contains no cryptographic materials to verify the parent. Rather
that the parent provides crypto materials of the child. This suggests
to me that a child zone could have any number of DNSSEC parents as long
as each parent itself has a DS record for the child and that that DS
record is signed by the DNSKEY of the parent, a key that can be
different for each parent. I.e. multiple parents implies the ability of
multiple roots.
Again I could be dead-to-rights wrong on all of this. But for a couple
of years I've been asking to be corrected in specific terms and so far
nobody has taken me to task.
It would be worthwhile to move this out of the abstract and to set up a
DNSSEC testbed to test these exact scenarios.
--karl--
____________________________________________________________
You received this message as a subscriber on the list:
governance at lists.cpsr.org
To be removed from the list, send any message to:
governance-unsubscribe at lists.cpsr.org
For all list information and functions, see:
http://lists.cpsr.org/lists/info/governance
More information about the Governance
mailing list