On Wed, 30 Jan 2008 13:10:56 +0100, Joao Damas <Joao_Damas@isc.org> said:
On 30 Jan 2008, at 12:00, Jim Reid wrote:
On Jan 30, 2008, at 10:34, Alexander Gall wrote:
The current set of trust anchors distributed by RIPE NCC includes the domains
disi.nl example.net pwei.net
None of these currently have any DNSSEC resource records (i.e. they are insecure), which effectively brakes those zones for everybody who uses that particular set of trust anchors.
Doesn't everyone check any third party's trust anchors before configuring them into their secure resolvers?
Sometimes. At other times I place trust in registries that do this for me (eg a DLV registry that I find I can trust). It's the same with SSL certificates, I have to trust the CA to do its job
Yes. The subtle point I was trying to make was that once you've decided to trust a particular source of DNSSEC keys, you shouldn't throw away any of them based on your perceived status of a zone through plain DNS queries. If RIPE NCC would have chosen to use DLV, it would have put all keys that are now in the text file into the DLV zone and only hand out the public key of that zone. In that case, my validator would mark the three zones above as bogus - there would be no other choice except not to use this DLV registry at all. The way it is done now, I *technically* have the choice to exclude the keys for these zones from the set of trusted keys in my validator (this is what Jim suggests). The result would be that the zones are marked as insecure, which is a big difference. The question I'm rising is how I should handle this situation. I believe the answer (at least for the paranoid :-) is that I must install *all* keys and attribute the fact that, say, disi.nl is now bogus to malicious activity until either the zone gets properly signed or someone I trust tells me that the zone really is insecure. Before this happens, all I know is that someone I trust tells me the zone is secure but I can't verify it with the key this person is giving me. This ain't easy, I know. Security never is. Of course, people tend to be very pragmatic in a time where the root is not signed and everybody has to rely on some sort of out-of-band validation (we're all happy DNSSEC works on the protocol level, right?), but then I find the value of DNSSEC rather questionable. What a surprise ;-) -- Alex