To: <john@chagres.net>
Cc: DNS Operations <dnsop@cafax.se>
From: David Conrad <david.conrad@nominum.com>
Date: Tue, 15 Oct 2002 17:54:30 -0700
In-Reply-To: <000901c2740f$b5324fe0$79112344@laptoy>
Sender: owner-dnsop@cafax.se
User-Agent: Microsoft-Entourage/10.1.0.2006
Subject: Re: Interim signing of the root zone.
John,

From an external perspective, how is a properly implemented anycast root any different than a unicast root advertised via a large network with multiple peers? In fact, the case documented in Dan's NANOG 25 slides was (I believe) "capture" of a unicast root.

Anycast is completely orthogonal to the decision of whether or not to sign the root. Signing the root should be done. Johan's draft proposes a way to do that. Can we try to keep the discussion on issues (if any) in his draft?

Rgds,
-drc

--------

On 10/14/02 10:57 PM, "John M. Brown" <john@chagres.net> wrote:

> anycast root opens the root system up to more capture,
> even if it's localized capture, it's still capture.
>
> Who decides on who can "anycast" the zone and how do
> we know it's the right zone?
>
> signing the root, by whatever means is decided upon, helps
> assure that the data is in fact "the original stuff".
>
> If the country of Futuro (make believe) decides to run its
> own "root" via an anycast system, and they change the
> NS RR set for .JP, how are users going to know that?
>
>
> maybe I'm just naive.....
>
> john brown
>
>> -----Original Message-----
>> From: owner-dnsop@cafax.se [mailto:owner-dnsop@cafax.se] On
>> Behalf Of Masataka Ohta
>> Sent: Monday, October 14, 2002 10:31 PM
>> To: Loomis, Rip
>> Cc: 'dnsop@cafax.se'
>> Subject: Re: Interim signing of the root zone.
>>
>>
>> Rip
>>
>>>>> as dnssec is finally approaching deployment, it seems imprudent to
>>>>> rush into a not obviously critical anycast deployment when a
>>>>> little patience would seem harmless.
>>>
>>>> DNSSEC, or any CA-based security, is not really secure and is
>>>> undeployable for any practical security.
>>>
>>> With all due respect, you've made such claims/statements on the list
>>> before,
>>
>> And the only counter argument was:
>>
>> My teacher taught me differently, I think.
>>
>>> Please feel free to back up that opinion
>>> with fact, or don't waste people's time with it.
>>
>> If security is compromised, who pays how much?
>>
>> Have you ever checked the reality of terms and conditions of CAs?
>>
>>> Better yet,
>>> if you think things are slightly broken then propose a fix. If you
>>> think things are *very* broken then propose a workable alternative and
>>> explain why things are so broken.
>>
>> The current DNS is working well with weak security relying on ISPs.
>>
>> Those who need additional security should share a secret end
>> to end without introducing intelligent intermediate entities of CAs.
>>
>> So, I don't think I have to propose a workable alternative.
>>
>> Nonetheless, I proposed anycast root, which improves security
>> against spoofed route.
>>
>> On the other hand, DNSSEC is unworkable as evidenced by the
>> failed deployment attempt for so many years.
>>
>> Observing the failure, I gave an explanation why it is hopeless.
>>
>> Masataka Ohta
>> #----------------------------------------------------------------------
>> # To unsubscribe, send a message to <dnsop-request@cafax.se>.
>>
>
>