To: dnsop@cafax.se
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Fri, 11 Oct 2002 16:56:27 -0400
In-reply-to: Your message of "Thu, 10 Oct 2002 17:34:04 EDT." <a05111b22b9cb95ef2cbf@[192.149.252.231]>
Sender: owner-dnsop@cafax.se
Subject: Re: the call for bind software
>>>>> "Edward" == Edward Lewis <edlewis@arin.net> writes:
Edward> Do I want cybergenetic diversity? No, oddly enough. I don't want it
Edward> - but it is a necessary evil. With it I am more assured that DNSSEC
Edward> will be an available service, but the diversity on its own isn't of
Edward> interest to a user. I do encourage cybergenetic diversity when I'm
Edward> thinking about the protocol, but when I'm thinking about my servers,
Edward> I only want to run the best version of DNS software.
Unfortunately, I don't think that we'll get "best" until we have multiple
as well. One reason is competition - but another reason is differences in
goals - as you say, authoritative servers are not the same as recursive servers.
As a non-DNS developer (a customer of the domain name service), I am
suffering from the problem that the only real API that anyone knows about is
gethostbyname(3)...
I need to know:
1) was it signed at all?
2) how far is this data from an axiomatic key? I assume a forest
of trees, and I assume that as I get further from an axiomatic key,
that the risk goes up. I just need the number so that I can keep
it in my audit log.
Some orgs will want to cross-sign (SIG(0) or preconfigured keys)
trees with close partners.
3) even though some of the signatures may have expired, and it might be
that the servers are not reachable to update them, I would still like
to get the data if the signatures continue to check out. I want the
degraded security to be visible of course! Again for the audit log.
A perfect example.com of this. foo.example.com wants to talk to bar.example.com.
The signature from .com on example.com is expired, and due to the
backhoe event, we aren't getting any new data for a while.
But, there is no reason why I can't continue to use the old data for
some applications.
In most cases, end users will not be qualified to make decisions about the
quality of this data. But that doesn't mean it shouldn't be available.
Edward> But that's not all we need to address. Tools, tools, tools. We need
Edward> to make DNSSEC as simple as possible to use, but no simpler, and
Edward> still be useful. (Twisting a trite statement about design.) I'm not
Edward> sure we've identified the simplest way in which DNSSEC can work just
Edward> yet.
Your ideas intrigue me. Continue. :-)
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
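A toy model of the validation result the message asks for (was it signed at all, how many hops from an axiomatic key, and how many expired links were tolerated), added here as an illustration and not code from the message or from any DNS implementation; the `Link`, `Verdict` and `validate` names and the chain and anchor data are constructed, and no real signature checking is performed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Link:
    """One signature in the chain: `signer` vouches for the owner name."""
    signer: str      # zone whose key made the signature, e.g. "com."
    expires: int     # signature expiry (seconds since epoch)
    verifies: bool   # does the signature check out, ignoring expiry

@dataclass
class Verdict:
    signed: bool                      # (1) was it signed at all?
    hops_from_anchor: Optional[int]   # (2) distance to an axiomatic key
    expired_links: int                # (3) links accepted past their expiry
    authenticated: bool               # chain reached an anchor under this policy

def validate(name, chain, anchors, now, allow_expired=False):
    """Walk signatures from `name` toward a trust anchor, counting hops.
    `chain` maps an owner name to the Link that signs it (constructed model)."""
    hops, expired, seen = 0, 0, set()
    zone = name
    while zone not in anchors:
        link = chain.get(zone)
        if link is None:                              # no signature: unsigned data
            return Verdict(False, None, 0, False)
        if not link.verifies or link.signer in seen:  # bad signature or a loop
            return Verdict(True, None, 0, False)
        if link.expires < now:
            if not allow_expired:
                return Verdict(True, None, 0, False)
            expired += 1                              # degraded, but made visible
        seen.add(zone)
        hops += 1
        zone = link.signer
    return Verdict(True, hops, expired, True)

def audit_line(name, v):
    """The record the message wants in the audit log."""
    return (f"{name} signed={v.signed} hops={v.hops_from_anchor} "
            f"expired_links={v.expired_links} authenticated={v.authenticated}")

# Constructed scenario from the message: the .com signature over example.com
# has expired and cannot be refreshed, but every signature still checks out.
CHAIN = {
    "bar.example.com.": Link("example.com.", expires=500, verifies=True),
    "example.com.": Link("com.", expires=100, verifies=True),
    "com.": Link(".", expires=200, verifies=True),
}
ANCHORS = {"."}   # constructed: the root key is the only axiomatic key
```

With `allow_expired=False` the expired .com link fails the lookup outright; with it set, the same data is accepted, three hops from the root anchor, with the one expired link recorded in the audit line.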