To: Ted.Lindgreen@tednet.nl
Cc: dnsop@cafax.se, dnssec@nlnetlabs.nl
From: Edward Lewis <lewis@tislabs.com>
Date: Mon, 16 Oct 2000 15:51:00 -0400
In-Reply-To: <200010131349.PAA17610@omval.tednet.nl>
Sender: owner-dnsop@cafax.se
Subject: Re: DNSSEC and Parent SIG in Child zone

At 9:49 AM -0400 10/13/00, Ted Lindgreen wrote:
>Reason to ask this, is that there seems no security-technical reason
>to have this SIG in the parent zonefile instead.

How about this:

Having the parent publish the keys eliminates a beneficial three-way handshake. (How beneficial is open to question.) Given the current definition:

1) The child "signals" the intent to be secure by submitting keys to the parent.
2) The parent "acknowledges" the child's desire to be secure by signing.
3) The child "accepts" this invitation by publishing the keys.

The important part of this step is that the child has the option, once the parent has returned the signature, to decide if the signature is right. I.e., what if someone adds or modifies the keys between the time the child sends them and the parent receives them? The parent won't know this and publishing the erroneous keys and the signature would be a problem.

This three-way handshake is the basis of channel contention and TCP connection establishment.

...

I think the issue comes down to "how much trust must a child put into a parent?" A child implicitly trusts the parent to retain the delegation. Lame delegations happen, and are dealt with. Does this extend to keys? It's debatable.

I don't think the issue is the size of the parent zone. It has already been pointed out that a widely delegated secured parent of unsecured children will be rife with NULL keys and signatures. Holding signed key sets will be just larger. (How much, a negligible amount or a considerable amount? Evidence seems to support more like negligible.)

Is legal liability a consideration? If the parent publishes the child's keys, how responsible is the parent in case of a foul up? More importantly, is this issue a consideration?

...

On one hand I like the idea of having the parent publish the signature. The parent made it, so is "authoritative" for it.

On the other hand, I like the idea of giving the child last choice on whether the parent has validated the key set correctly.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

"It takes years of training to know when to do nothing" - Dogbert

Opinions expressed are property of my evil twin, not my employer.
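
The child's "accept" step from the three-way handshake in the message above, as an added example that is not part of the original message: the child publishes only if the returned signature verifies over the key set it actually submitted. The toy unpadded RSA stands in for the real DNSSEC signature algorithm, and all function names and key records are hypothetical, constructed for illustration.

```python
import hashlib

# Toy RSA parameters for the parent (two Mersenne primes). Constructed for
# this example only; far too small and unpadded for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # parent's private exponent

def digest(keyset):
    """Hash the key set in a canonical (sorted, de-duplicated) order."""
    canon = "\n".join(sorted(set(keyset))).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % N

def parent_sign(received_keyset):
    """Step 2: the parent signs whatever key set reached it."""
    return pow(digest(received_keyset), D, N)

def child_accepts(submitted_keyset, sig):
    """Step 3: accept only if the signature covers the keys the child sent."""
    return pow(sig, E, N) == digest(submitted_keyset)

def handshake(submitted, in_transit=None):
    """Run steps 1-3; in_transit models what actually reached the parent."""
    received = submitted if in_transit is None else in_transit
    sig = parent_sign(received)
    return "publish" if child_accepts(submitted, sig) else "reject"

# Constructed sample key records (placeholders, not real key material).
CHILD_KEYS = ["child.example. KEY 256 3 5 AAAA-placeholder-key-1",
              "child.example. KEY 256 3 5 BBBB-placeholder-key-2"]
TAMPERED = CHILD_KEYS + ["child.example. KEY 256 3 5 CCCC-added-in-transit"]

if __name__ == "__main__":
    print(handshake(CHILD_KEYS))            # keys arrived intact
    print(handshake(CHILD_KEYS, TAMPERED))  # a key was added on the way
```

If the parent published the signature itself, the second case would go out unchecked; with the child publishing, the mismatch stops at step 3.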