[62205] in North American Network Operators' Group
Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Sep 16 17:43:06 2003
Date: Tue, 16 Sep 2003 15:06:44 -0400
From: Valdis.Kletnieks@vt.edu
To: bmanning@karoshi.com
Cc: bownes@web9.com, gmaxwell@martin.fl.us, haesu@towardex.com,
marius@marius.org, nanog@merit.edu
On Tue, 16 Sep 2003 11:27:08 PDT, bmanning@karoshi.com said:
> if vt.edu wants to place a:
>
> * in a 198.82.247.53
>
> in the vt.edu zone, why should anyone complain that now vt.edu
> doesn't return NXDOMAIN for all un-delegated entries? You want
> that everyone should hack the DNS to force NXDOMAINS for your
> wildcard? Feh.
So you're saying it's OK when Verisign does the same exact thing one
level up?
Or are you surprised that people are coding it for the Verisign case?
The difference is when we urinate in our zone of the DNS, it's OUR zone.
When Verisign does it, they're not urinating in *THEIR* .COM, they're
urinating in a .COM they were holding in the public trust.
If in fact .COM is now Verisign's playground rather than a public trust,
then that's a different matter.
> DNSSEC will tell a validating resolver the signature of each
> party that signed part of the chain. If Verisign wishes to
> sign bits of data that might exist under the delegation point
> they have responsibility for, I'm in favor. It's not
> "make-believe"
> ... or perhaps I don't understand your angst.
The point is they're not signing data that might exist, they're signing
data that doesn't exist. If a query comes in for www.never-existed.com,
what exactly is getting signed? (Yes, if it's a synthesized reply based
on a wildcard, you can count the NXT's and stuff to determine that - but
I quite frankly don't trust the Verisign people to not intentionally
obfuscate the replies to make this impossible.....)
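The check the message alludes to, as an added example that is not part of this thread: a validating resolver can tell a wildcard-synthesized answer apart from a real one because the signature's "labels" field (SIG in RFC 2535, RRSIG in RFC 4034) counts fewer labels than the query name, and the authority section must then carry an NXT/NSEC record proving that no closer name exists. Records are constructed inline as plain dicts with today's RRSIG/NSEC names; no DNS library or network access is assumed.

```python
# Added example (not from the NANOG thread): classify a signed positive answer
# as an exact match, a proven wildcard expansion, or an unproven one.

def labels(name):
    """Labels of a name with the root label dropped, lowercased."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def canonical_key(name):
    """Sort key for RFC 4034 canonical ordering: rightmost label is most significant."""
    return tuple(reversed(labels(name)))

def nsec_covers(nsec, name):
    """True if `name` falls strictly between the NSEC owner and its 'next' name."""
    owner, nxt, k = canonical_key(nsec["owner"]), canonical_key(nsec["next"]), canonical_key(name)
    if owner < nxt:
        return owner < k < nxt
    return k > owner or k < nxt   # last NSEC of the zone wraps around to the apex

def classify_answer(qname, answer_rrsig, authority_nsecs):
    """Return (verdict, wildcard_name) for a positive answer.

    answer_rrsig: the signature over the answer RRset, with its 'labels' field.
    authority_nsecs: NSEC/NXT records found in the authority section.
    """
    qlabels = labels(qname)
    sig_labels = answer_rrsig["labels"]
    if sig_labels >= len(qlabels):
        return ("exact", None)               # signed over the owner name itself
    # Fewer labels in the signature than in QNAME: the signer signed a wildcard.
    wildcard = "*." + ".".join(qlabels[-sig_labels:]) + "."
    # The "next closer" name the wildcard stood in for must be proven nonexistent.
    next_closer = ".".join(qlabels[-(sig_labels + 1):]) + "."
    for nsec in authority_nsecs:
        if nsec_covers(nsec, next_closer):
            return ("wildcard", wildcard)
    return ("wildcard-unproven", wildcard)   # synthesized, but the proof is missing

# Constructed records: a registry-level "*.com." wildcard answering for a name
# that was never registered, mirroring the thread's www.never-existed.com case.
WILDCARD_SIG = {"type_covered": "A", "labels": 1, "signer": "com."}
NSEC_GAP = {"owner": "nevada-example.com.", "next": "next-example.com."}

if __name__ == "__main__":
    print(classify_answer("www.never-existed.com.", WILDCARD_SIG, [NSEC_GAP]))
    print(classify_answer("www.never-existed.com.", WILDCARD_SIG, []))
```

The "wildcard-unproven" verdict is the case the message worries about: an answer signed under a wildcard but lacking the NSEC that would let a resolver confirm the name was never delegated.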