ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] IPETEE - forget DNSSEC

  • To: "Joe Baptista" <baptista@xxxxxxxxxxxxxx>
  • Subject: Re: [ga] IPETEE - forget DNSSEC
  • From: JFC Morfin <jefsey@xxxxxxxxxxxxxxxx>
  • Date: Mon, 14 Jul 2008 15:37:59 +0200

At 04:56 14/07/2008, Joe Baptista wrote:
On Sat, Jul 12, 2008 at 1:57 PM, JFC Morfin <jefsey@xxxxxxxxxxxxxxxx> wrote:

At 11:48 12/07/2008, Peter Dambier wrote:
DNSSEC is the means to stop alternative roots. That is
probably the reason why everybody is made to want it.
Could you please explain why?

It's to do with the start of authority key that signs all the other keys. If that is signed then all the remainder are signed based on the root DNSSEC key.

As far as I understand it only means that all the TLDs are protected by a key delivered by a central key per root. If there are several roots being supported there are different sets of keys: I see no problem there.

One of the things I remember is how insecure it is from the point of view of the discovery process. Because each record is in some encrypted way related to the former in a sequential order - i.e. alphabetical order. So TLD zones and domains who now protect their network infrastructure by not allowing AXFR can now have that zone's list of names discoverable if they implement DNSSEC.

Maybe they fixed that. Just visit the IETF and look through the DNSSEC RFC. It's a lot like IPv6 - a technical nightmare waiting to happen with many bugs and revisions.

It does not actually fix the problem with name server security - it just patches it with an encrypted. The problem in name server security was fixed back in 2002 by Dan Bernstein. We have all known about it and we all also know that Bernstein is the author of the solution of running a stable safe DNS. However what happened is the fools at the IETF and the senior DNS operators gave him a hard time on it and we have seen patches to DNS server software from all the vendors that have completely ignored the problem from day one.

Bernstein solved the problem and is now credited for it.

Joe, what is necessary is to rewrite all the Internet documentation as a maintained Open Norms Standard and Document reference book + open source software approved by the @large community. Would you be interested in working on it? What is the problem that Bernstein solved and how?

jfc
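The "discovery process" Joe describes above is the NSEC chain: a signed zone proves that a name does not exist by returning the record whose owner name sorts just before the query and whose "next" field names the real owner that follows it, so every negative answer leaks two genuine names and the chain can be followed around the whole zone without AXFR. The answer to his "Maybe they fixed that" is NSEC3 (RFC 5155, March 2008), which links hashed owner names instead. The following Python, added to this archive page as an illustration and not part of the thread, builds both chains over a small constructed zone (the names and the salt are made up) so the difference in what a denial answer reveals can be seen directly:

```python
import base64
import hashlib

# Constructed toy zone for illustration only (not from the thread).
ZONE_NAMES = [
    "example.test.",
    "www.example.test.",
    "mail.example.test.",
    "secret-host.example.test.",
    "alpha.example.test.",
]


def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 s6.1):
    labels compared right to left, case-insensitively, as byte strings."""
    labels = name.rstrip(".").lower().split(".")
    return [lab.encode() for lab in reversed(labels)]


def build_nsec_chain(names):
    """NSEC chain (RFC 4034 s4): each owner points at the next owner in
    canonical order, and the last one points back to the zone apex."""
    ordered = sorted(names, key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}


def covering_nsec(chain, qname):
    """The NSEC record a signed zone returns to deny qname: the one with
    owner < qname < next, with wrap-around at the end of the chain.
    Both names in the returned pair really exist in the zone."""
    apex = min(chain, key=canonical_key)
    q = canonical_key(qname)
    for owner, nxt in chain.items():
        o, n = canonical_key(owner), canonical_key(nxt)
        if o < q and (q < n or nxt == apex):
            return owner, nxt
    return None


def walk_nsec_chain(chain):
    """What the thread calls the discovery problem: following the 'next'
    pointers from the apex lists every owner name in the zone, which is
    exactly what refusing AXFR was meant to keep private."""
    apex = min(chain, key=canonical_key)
    names, cur = [apex], chain[apex]
    while cur != apex:
        names.append(cur)
        cur = chain[cur]
    return names


# base32 -> base32hex alphabet mapping used by RFC 5155 for hashed owner names
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: SHA-1 over the wire-format owner name plus salt,
    re-hashed `iterations` more times, encoded in base32hex."""
    labels = name.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX)


def build_nsec3_chain(names, salt=b"\xab\xcd", iterations=10):
    """NSEC3 chain: the same linked list, but over hashed owner names, so a
    denial answer discloses two hashes rather than two real names. The salt
    and iteration count (constructed values here) exist to raise the cost
    of guessing names offline; the number of names is still visible."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashed[(i + 1) % len(hashed)] for i, h in enumerate(hashed)}


if __name__ == "__main__":
    nsec = build_nsec_chain(ZONE_NAMES)
    print("NSEC denial for middle.example.test.:", covering_nsec(nsec, "middle.example.test."))
    print("NSEC walk reveals:", walk_nsec_chain(nsec))
    for h, nxt in build_nsec3_chain(ZONE_NAMES).items():
        print("NSEC3", h, "->", nxt)
```

The walk needs nothing but ordinary queries for names that do not exist, which is why a zone that signs with plain NSEC gains integrity protection but loses the confidentiality it had from refusing zone transfers; the NSEC3 chain keeps the denial proof while giving an observer only salted hashes to work with.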
