To:
dnsop@cafax.se
From:
Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date:
Fri, 11 Oct 2002 16:56:27 -0400
In-reply-to:
Your message of "Thu, 10 Oct 2002 17:34:04 EDT." <a05111b22b9cb95ef2cbf@[192.149.252.231]>
Sender:
owner-dnsop@cafax.se
Subject:
Re: the call for bind software
-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "Edward" == Edward Lewis <edlewis@arin.net> writes:

Edward> Do I want cybergenetic diversity? No, oddly enough. I don't want it
Edward> - but it is a necessary evil. With it I am more assured that DNSSEC
Edward> will be an available service, but the diversity on its own isn't of
Edward> interest to a user. I do encourage cybergenetic diversity when I'm
Edward> thinking about the protocol, but when I'm thinking about my servers,
Edward> I only want to run the best version of DNS software.

Unfortunately, I don't think that we'll get "best" until we have multiple
as well. One reason is competition - but another reason is differences in
goals - as you say, authoritative servers are not the same as recursive
servers.

As a non-DNS developer (a customer of the domain name service), I am
suffering from the problem that the only real API that anyone knows about
is gethostbyname(3)...

I need to know:

1) was it signed at all?

2) how far is this data from an axiomatic key? I assume a forest of trees,
   and I assume that as I get further from an axiomatic key, that the risk
   goes up. I just need the number so that I can keep it in my audit log.
   Some orgs will want to cross-sign (SIG(0) or preconfigured keys) trees
   with close partners.

3) even though some of the signatures may have expired, and it might be
   that the servers are not reachable to update them, I would still like
   to get the data if the signatures continue to check out. I want the
   degraded security to be visible of course! Again for the audit log.

   A perfect example.com of this. foo.example.com wants to talk to
   bar.example.com. The signature from .com on example.com is expired, and
   due to the backhoe event, we aren't getting any new data for a while.
   But, there is no reason why I can't continue to use the old data for
   some applications. In most cases, end users will not be qualified to
   make decisions about the quality of this data. But that doesn't mean it
   shouldn't be available.

Edward> But that's not all we need to address. Tools, tools, tools. We need
Edward> to make DNSSEC as simple as possible to use, but no simpler, and
Edward> still be useful. (Twisting a trite statement about design.) I'm not
Edward> sure we've identified the simplest way in which DNSSEC can work just
Edward> yet.

Your ideas intrigue me. Continue. :-)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPac694qHRg3pndX9AQEiCgP/RPbrn79XfRpQ8l67iq7+gy/PLnghnIK5
bxJgWHmgFhBO4qrDoiyFW13/pMFeB8KtSCjESdbroabY4+opkIFIbz5alnNXO6zu
vPW1KdmSbcypB4lLU6iFFO6z70Mu1s3WIzn2dxRBaSZfaAzmYRnqBMZ2W7BA3B4R
JXQv06l8oHg=
=LUyw
-----END PGP SIGNATURE-----
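The three things the message asks an application-facing API to report (was the data signed, how many hops it sits from an axiomatic key, and whether the chain still checks out but with expired signatures) can be sketched as a small chain walker over a forest of signing keys. The code below is an added illustration written for this archive page, not code from the message, from BIND or from any DNS library; the forest, the zone names, the timestamps and the `assess`/`audit_line` functions are all constructed for the example. Cross-signing is modelled simply as a zone's key set carrying a second signature from a partner zone that the caller has preconfigured as a trust anchor.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional, Set


@dataclass(frozen=True)
class Signature:
    signer: str        # name of the zone whose key signed this zone's key set
    expires: datetime  # RRSIG-style end of validity for that signature


# Constructed sample forest (hypothetical, not real DNS data):
# zone name -> signatures over that zone's key set. An empty list means
# nobody signs this zone's keys: it is either a trust anchor or unsigned.
NOW = datetime(2002, 10, 11, 21, 0, tzinfo=timezone.utc)
FOREST: Dict[str, List[Signature]] = {
    ".": [],
    "com": [Signature(".", datetime(2002, 11, 1, tzinfo=timezone.utc))],
    "example.com": [
        # the "backhoe event": .com's signature over example.com has expired
        Signature("com", datetime(2002, 10, 1, tzinfo=timezone.utc)),
        # a close partner cross-signs example.com's key set
        Signature("partner.example", datetime(2002, 12, 1, tzinfo=timezone.utc)),
    ],
    "partner.example": [],
    "unsigned.test": [],
}
# Axiomatic keys the resolver was configured with (hypothetical)
TRUST_ANCHORS: Set[str] = {".", "partner.example"}


@dataclass
class Verdict:
    signed: bool
    depth: Optional[int]   # hops to the nearest axiomatic key; None if no chain
    expired_links: int     # expired signatures along the chosen chain
    status: str            # "secure" | "degraded" | "unsigned" | "unanchored"


def _chains(zone: str, forest: Dict[str, List[Signature]],
            anchors: Set[str], visited: Set[str]) -> Iterator[List[Signature]]:
    """Enumerate every signature chain from `zone` up to some trust anchor,
    refusing to revisit a zone so that cross-signing loops terminate."""
    if zone in anchors:
        yield []
        return
    for sig in forest.get(zone, []):
        if sig.signer in visited:
            continue
        for rest in _chains(sig.signer, forest, anchors, visited | {sig.signer}):
            yield [sig] + rest


def assess(zone: str, forest: Dict[str, List[Signature]] = FOREST,
           anchors: Set[str] = TRUST_ANCHORS, now: datetime = NOW) -> Verdict:
    """Answer the message's three questions for one zone."""
    if zone not in anchors and not forest.get(zone):
        return Verdict(False, None, 0, "unsigned")
    chains = list(_chains(zone, forest, anchors, {zone}))
    if not chains:
        # signed, but no path leads to a key we were configured to trust
        return Verdict(True, None, 0, "unanchored")
    # Policy: a chain with no expired links beats a shorter degraded one;
    # among equals, the fewest hops from an axiomatic key wins.
    best = min(chains, key=lambda c: (sum(s.expires <= now for s in c), len(c)))
    expired = sum(s.expires <= now for s in best)
    return Verdict(True, len(best), expired, "degraded" if expired else "secure")


def audit_line(zone: str, verdict: Verdict) -> str:
    """One line for the audit log the message keeps asking for."""
    return (f"dnssec zone={zone} signed={verdict.signed} depth={verdict.depth} "
            f"expired_links={verdict.expired_links} status={verdict.status}")


if __name__ == "__main__":
    for name in FOREST:
        print(audit_line(name, assess(name)))
    # With only the root key configured, example.com is still usable but degraded
    print(audit_line("example.com", assess("example.com", anchors={"."})))
```

Run with `python3` to print one audit line per zone. The interesting contrast is `example.com`: with only the root key as an anchor its only chain runs through the expired .com signature (depth 2, one expired link, status `degraded`), which is exactly the "keep using the old data but make it visible" case; once the partner key is preconfigured, the cross-signature gives a fresh one-hop chain and the verdict becomes `secure`.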