On Sat, 2009-06-06 at 13:09 +0900, Masataka Ohta wrote:
> David Wilson wrote:
>
> > However, I think there is some difference in the way people are using
> > some terms.
>
> According to the terminology of David Clark, PKI including DNSSEC
> is not secure end to end.

DNSSEC provides two things.

Firstly, it provides the means to digitally sign RRsets. This provides
data origin authentication and data integrity. As this operates at the
DNS application layer, this is clearly "end to end" within David Clark's
terminology. It does not rely on any security services in the lower
communication layers (in the way that, for instance, relying on TCP
would).

This origin authentication and integrity is precisely what is required
to avoid the DNS cache poisoning which is the kind of vulnerability which
prompted this discussion.

This aspect of DNSSEC does not require the use of any PKI. A security
aware resolver can obtain by some out-of-band means the public signing
key for some "island of security", and choose to trust that key.

However, such bilateral arrangements do not scale to the Internet. So,
DNSSEC provides a means for an Authentication Chain, to use the specific
DNSSEC term. A signed zone can authenticate the key of a child zone.
There is a chain here. However, it is of a significantly different
character to a communication network. Whether it is "end to end" or not,
is for a different discussion.

> > "End-to-end" security means that the security of that data item does not
> > depend on the trustworthiness of any intermediate node, or channel.
>
> According to the terminology of David Clark, certificate authorities
> are intermediate nodes.
>
> If you have different terminology, use it outside of the Internet
> community but not within.

I get the impression from you that DNSSEC is to be disregarded because
it is not "end to end".

However, the opinion of "the Internet community" as regards DNSSEC has
been made clear in the last few days, given these announcements:

http://www.nist.gov/public_affairs/releases/dnssec_060309.html
http://pir.org/index.php?db=content/Website&tbl=ORG_Advantage&id=2
http://www.networkworld.com/news/2009/022409-verisign-dns-security.html?hpg1=bn

If the Internet community agrees with you that DNSSEC is not "end to
end", then this does not seem to divert them from implementing it.

best regards

David

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
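The two mechanisms David describes above, signed RRsets verified against a key trusted out of band (an "island of security") and an Authentication Chain in which a parent zone vouches for a child zone's key, are shown below as an added example; it is not code from this thread or from any DNSSEC implementation. It assumes Ed25519 for the zone keys (DNSSEC algorithm 15), a toy text canonical form instead of RFC 4034 wire-format ordering, a DS digest over owner name plus key rather than the wire-format DNSKEY, no RRSIG validity windows or key tags, and constructed zone names and addresses. The `Validate` function is the resolver side: with an empty chain it trusts the signing zone's key directly; with a chain it must authenticate each DS RRset with the key trusted so far before accepting the next key. A poisoned answer and a child key the parent never published a DS for both fail, which is the property that matters for the cache-poisoning case David mentions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified resource record set: owner name, type and RDATA strings.
type RRset struct {
	Name, Type string
	Datas      []string
}

// canonical serialises an RRset so signer and verifier hash identical bytes (sorted text here; RFC 4034 uses sorted wire format).
func (r RRset) canonical() []byte {
	d := append([]string(nil), r.Datas...)
	sort.Strings(d)
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(d, ","))
}

// ZoneKey is one zone's signing key pair (Ed25519, DNSSEC algorithm 15; an assumption for this example).
type ZoneKey struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZoneKey() *ZoneKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &ZoneKey{Pub: pub, priv: priv}
}

// Sign returns the RRSIG signature field for an RRset (validity window omitted).
func (z *ZoneKey) Sign(r RRset) []byte { return ed25519.Sign(z.priv, r.canonical()) }

// DS is the digest a parent publishes for a child DNSKEY (RFC 4034 hashes the wire-format DNSKEY; this toy hashes name plus key).
func DS(childName string, childKey ed25519.PublicKey) string {
	h := sha256.Sum256(append([]byte(strings.ToLower(childName)+"|"), childKey...))
	return hex.EncodeToString(h[:])
}

// Delegation is one link of the chain as a resolver fetches it.
type Delegation struct {
	DSRRset  RRset  // owner = child name, type DS, published by the parent
	DSSig    []byte // RRSIG over DSRRset by the parent zone's key
	ChildKey ed25519.PublicKey
}

// Validate authenticates rr/sig from a trusted key: each delegation must be signed
// by the key trusted so far and must vouch (via DS) for the next key. An empty chain
// is the island-of-security case: the anchor is the signing zone's own key.
func Validate(anchor ed25519.PublicKey, chain []Delegation, rr RRset, sig []byte) error {
	key := anchor
	for _, d := range chain {
		if !ed25519.Verify(key, d.DSRRset.canonical(), d.DSSig) {
			return fmt.Errorf("DS RRset for %s: signature invalid", d.DSRRset.Name)
		}
		want, matched := DS(d.DSRRset.Name, d.ChildKey), false
		for _, ds := range d.DSRRset.Datas {
			matched = matched || ds == want
		}
		if !matched {
			return fmt.Errorf("DNSKEY for %s matches no DS in the parent", d.DSRRset.Name)
		}
		key = d.ChildKey // the child key is now authenticated
	}
	if !ed25519.Verify(key, rr.canonical(), sig) {
		return fmt.Errorf("%s %s: signature invalid", rr.Name, rr.Type)
	}
	return nil
}

// Demo builds a root -> example. chain and returns outcomes for the full chain, example. as an
// island of security, a poisoned answer, and an unvouched child key. Names and addresses are constructed.
func Demo() (chain, island, poisoned, forgedKey error) {
	root, example := NewZoneKey(), NewZoneKey()
	dsSet := RRset{"example.", "DS", []string{DS("example.", example.Pub)}}
	link := Delegation{dsSet, root.Sign(dsSet), example.Pub}
	www := RRset{"www.example.", "A", []string{"192.0.2.10"}}
	sig := example.Sign(www)
	chain = Validate(root.Pub, []Delegation{link}, www, sig)
	island = Validate(example.Pub, nil, www, sig)
	bad := RRset{"www.example.", "A", []string{"198.51.100.99"}} // attacker's address, same RRSIG
	poisoned = Validate(root.Pub, []Delegation{link}, bad, sig)
	evil := NewZoneKey() // attacker's key for example., absent from the parent's DS RRset
	forgedKey = Validate(root.Pub, []Delegation{{dsSet, link.DSSig, evil.Pub}}, www, evil.Sign(www))
	return
}

func main() { fmt.Println(Demo()) }
```

Running it prints four results: the first two (full chain, island of security) are `<nil>`, the last two are the errors for the poisoned A record and for the DNSKEY the parent never vouched for. Note that nothing in `Validate` depends on which server or cache delivered the records; only the keys and signatures matter, which is the sense in which the signing is independent of the lower layers.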