Re: [ga] IPETEE - forget DNSSEC

["Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>]

Joe and all,

  I agree with everything Joe said except that DNSSEC is difficult to
maintain and that it will never be broadly implimented.

Joe Baptista wrote:

>
>
> On Mon, Jul 14, 2008 at 9:37 AM, JFC Morfin <jefsey@xxxxxxxxxxxxxxxx>
> wrote:
>
>      As far as I undertsand it only means that all the TLDs are
>      protected by a key delivered by a central key per root. If
>      there are several roots being supported there are different
>      sets of keys: I am see no problem there.
>
>
> No it is a problem.  The issue is in the chain of trust.  In order for
> DNSSEC to work properly it requires that the zones public key be
> signed by a higher authority.  That signed key is then added to the
> zone.  So by means of example foo.edu send its public key to .edu
> which signs the key with their private key and then returns it to
> foo.edu which then publishes it to the zone.
>
> Now maybe it can be done.  I see lots of problems with it.  But no one
> has experimented with adding DNSSEC to a non IANA root.  What ICANN
> these days is calling competing roots.  Which is somewhat flattering
> they now consider us competition.
>
>
>      Joe, what is necessary is to rewrite all the Internet
>      documentation as an maintained Open Norms Standard and
>      Document reference book + open source software apporved by
>      the @large community. Would you be interested working on it?
>
>
> I would only be interested if their was a budget.  Open standards are
> great but you need a fairly good sized knowledgeable community to make
> it work.  There are too few of us who actually known the ins and outs
> of the tech, historical and political aspects associated with all
> this.  Most of those people are busy - so its hard to get volunteers
> who know what they are doing.
>
> It is a good project for a company or individual who wants to invest
> in the nets future.
>
>      What is the problem that Bernstein solved and how ?
>
>
> The problem is and has always been that ports used in DNS lookups were
> not properly randomized.  So its easy for evil hackers to guess the
> port by means of a brute force attack.  Bernstein randomized the
> ports.  So its much harder to guess the port being used.
>
> Incidentally - I don't expect DNSSEC to take off.  Almost every year
> they come up with a new scare mongering tactic to get DNSSEC in the
> news.  And it never takes off.  The problem with DNSSEC is that it is
> so complicated and the maintenance overhead so large it becomes a
> burden to incorporate for either small or large scale enterprises.
>
> If you want a secure recursive resolver - just install Bernstein's DNS
> servers.
>
> regards
> joe baptista
>
> --
> Joe Baptista
> www.publicroot.org
> PublicRoot Consortium
> ----------------------------------------------------------------
> The future of the Internet is Open, Transparent, Inclusive,
> Representative & Accountable to the Internet community @large.
> ----------------------------------------------------------------
> Office: +1 (360) 526-6077 (extension 052)
> Fax: +1 (509) 479-0084

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827