DNS Scaling issues
Jorge Amodio
jmamodio at GMAIL.COM
Tue Oct 27 10:07:55 CET 2009
>> The root must be signed.
>
> I am moving to the conclusion that the root should not be signed. The crypto-politics involved are increasingly complex and scary, and the root is already too much of a political football. DNSSEC just makes the whole DNS that much more rigid, complex and contentious.
As McTim noted this is not a plan anymore, the wheel is in movement
and the new administration
injected the momentum and political will to make it happen. The root
will be signed by July 2010.
As I said before, no doubt that will be politics around this, and the
GAC and many others will
start again claiming that USG has absolute control of the Internet.
> Anyway, in terms of priorities, DNSSEC comes at the end of the list in my book; it imposes the greatest burden on the root, it poses the greatest risks for a fairly small amount of added security.
Using McTim's tag line and Jon Postel famous quote:
"A name indicates what we seek. An address indicates where it is. A
route indicates how we get there."'
Without DNSSEC and the root signed we have no other means to guarantee that the
address you get is for the name you seek.
It won't take much longer for the folks working on the next wave of attacks
to the DNS infrastructure to override the last patch, on top of that,
by adding more
gTLDs we are giving them more vulnerable targets.
DNSSEC deployment will not be easy or free, and it will be painful, but more
painful and costly would be to deal with the consequences of a major scale
attack.
> Most of the enormous security problems we have on the Internet today will not be improved by DNSSEC implementation at the root. And many of the advantages of DNSSEC can be gained at the TLD level without signing the root.
DNSSEC is not a magic solution and it's only one of the tools to start building
a more secure infrastructure, and as McTim said just signing the TLDs don't
do it, since the "chain of trust" starts from the root.
> IPv6 migration is far more important technically; new IDN gTLDs are more important economically.
You will be amazed to see how many, even from the technical community, still
argue that IPv6 is a marketing gimmick from the router vendors.
Besides the technical details about IDN gTLDs, in terms of security
and scalability
they fall in the same bucket as a regular gTLD, but I see more issues from the
non-technical side for their implementation.
As my friend and colleague Randy Bush says:
"I invite my competitors not to implement IPv6 and DNSSEC"
Have fun at the gala !!
Regards
Jorge
More information about the Ncuc-discuss
mailing list