List: namedroppers
Subject: Re: DNSSec NXT records
From: Derek Atkins <warlord () MIT ! EDU>
Date: 2001-08-21 13:11:02
Ramakrishna Gummadi <ramki@aciri.org> writes:
> This is basically a Brands/Okamoto algorithm whose security has been
> proven elsewhere. Its attractiveness here is its ability to create
> "self-certifying" tld's.
> One can think of the entire scheme as a public key mechanism that binds
> names to keys tighter than alternate schemes using explicit certificates
> would.
>
> Any feedback is appreciated.
While a clever algorithm, this presents a number of problems (mostly
operational):
- The root zone has complete power over everyone (and knows
everyone's private key)
- Nobody can secure their own zone until the root buys into the
process.
- Anyone who wants to secure their zone must wait until they are
handed their key by the root, which means they cannot pre-sign
their data.
- Re-Keying is a nightmare. You effectively have to rekey everyone
at once, and somehow have to tell all clients the new 'N' or 'H'
values.
- If 'N' is ever broken, it is hell in a handbasket to recover. Keep
in mind that the 'global N' would be a mighty appealing target.
Personally, I don't think the problems with DNSSec stem from the
amount of data stored in the DNS, or the size of KEY records or
anything like that. Yes, the 512-byte problem _is_ a problem, but
that's easily surmountable.
I don't think we need (or want) to change the current KEY/SIG
definitions or uses much, we just need to solve the delegation-point
problem.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.