.gov DNSSEC operational message - picking a fight

Doug Barton dougb at dougbarton.us
Wed Dec 29 00:06:40 UTC 2010


On 12/28/2010 14:46, bmanning at vacation.karoshi.com wrote:
> On Tue, Dec 28, 2010 at 11:41:18AM -0800, Doug Barton wrote:
>>
>> Now OTOH if someone wants to demonstrate the value in having a
>> publication channel for TLD DNSKEYs outside of the root zone, I'm
>> certainly willing to listen. Just be forewarned that you will have an
>> uphill battle in trying to prove your case. :)
>>
>>
>> Doug
>
> 	well, not to pick on you, or the choices made by VSGN,
> 	but I -will- point out that there are many good reasons
> 	to support an out of band method for moving critical data.
> 	(lots of refs on the tradeoffs btwn OOB and IB channels are
> 	to be found by your fav search engine).

... and while as a general principle I tend to agree with you, I was 
pretty specific in what I asked for.

> 	the Internet of last century relied in most cases on in-band
> 	communications.

Actually I think I can make a pretty convincing argument that the 
Internet of last century relied almost entirely on certain individuals 
meeting face to face at IETF, RIR, and other meetings. But with respect 
to the season I will attempt to be charitable.

> 	and what we have seen is the creation of
> 	overlays or outright independent "control plane" or C&C
> 	networks to manage data flow with independent prioritization
> 	over other traffic as the Internet has evolved.  In this case
> 	i think this DNSSEC model is about 15 years behind the curve.
>
> 	IMHO, key management should be able to use an OOB channel
> 	when the in-band is corrupted or overloaded.  Reliance on
> 	strictly the IB channel presumes there will be no problems
> 	with that channel.  EVER.   For me, I don't want to take
> 	that risk.  YMMV of course.

I'm not sure I agree that an OOB channel would be useful here, even 
given your premise. Yes, to some extent DNS is distributed, but I think 
the degree of fate-sharing that is inherent in the system makes the OOB 
validation scheme _for TLD DNSKEYs_ (which, again, is what I asked 
about) at best useless, and at worst a giant waste of everyone's time to 
try and do well.

> 	I can't presume that you (or anyone else)  share my values

You could have just stopped here. :)

> 	regarding system resilience.  For me, the choice made by
> 	VSGN in regards to this zone presupposes bullet-proof and DDOS
> 	proof communications between servers.  No packet overloads,
> 	no out of memory conditions, no link saturation, etc.  I
> 	appreciate that some might think they live in such a world.
> 	I hope that you and VSGN are lucky.  As for myself, I'm
> 	making plans to have more control over my DNS verification
> 	destiny.
>
> 	If this "proves" my case to you, wonderful! If not, no sweat,
> 	we'll agree to disagree.

Good plan.


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
