
List:       namedroppers
Subject:    Re: DNSSec NXT records
From:       Derek Atkins <warlord@MIT.EDU>
Date:       2001-08-21 13:11:02

Ramakrishna Gummadi <ramki@aciri.org> writes:

> This is basically a Brands/Okamoto algorithm whose security has been
> proven elsewhere. Its attractiveness here is its ability to create
> "self-certifying" TLDs.
> One can think of the entire scheme as a public key mechanism that binds
> names to keys tighter than alternate schemes using explicit certificates
> would.
> 
> Any feedback is appreciated.

While a clever algorithm, this presents a number of problems (mostly
operational):

 - The root zone has complete power over everyone (and knows
   everyone's private key)

 - Nobody can secure their own zone until the root buys into the
   process.

 - Anyone who wants to secure their zone must wait until they are
   handed their key by the root, which means they cannot pre-sign
   their data.

 - Re-keying is a nightmare.  You effectively have to rekey everyone
   at once, and somehow have to tell all clients the new 'N' or 'H'
   values.

 - If 'N' is ever broken, it is hell in a handbasket to recover.  Keep
   in mind that the 'global N' would be a mighty appealing target.

Personally, I don't think the problems with DNSSec stem from the
amount of data stored in the DNS, or the size of KEY records or
anything like that.  Yes, the 512-byte problem _is_ a problem, but
that's easily surmountable.  

I don't think we need (or want) to change the current KEY/SIG
definitions or uses much, we just need to solve the delegation-point
problem.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available



