nanog mailing list archives
Re: New addresses for b.root-servers.net
From: Matt Corallo <nanog () as397444 net>
Date: Tue, 20 Jun 2023 22:23:21 -0700
On 6/20/23 10:20 PM, Masataka Ohta wrote:
> Matt Corallo wrote:
>
>>> So, let's recognize ISPs as trusted authorities and we are reasonably safe without excessive cost to support DNSSEC with all the untrustworthy hypes of HSMs and four-eyes principle.
>>
>> I think this list probably has a few things to say about "ISPs as trusted authorities"
>
> I'm afraid you miss the point. My point is that trusted third parties of CAs including DNSSEC providers are at least as untrustworthy as ISPs.
>
>> - is everyone on this list already announcing and enforcing an exact ASPA policy (or BGPSec or so) and ensuring the full path for each packet they send is secure and robust to ensure it gets to its proper destination?
>
> I'm afraid that is a hype as bad as HSMs and four-eyes principle.
>
>> Somehow I don't think this model is workable,
>
> As PKI, including DNSSEC, is subject to MitM attacks, is not cryptographically secure, does not provide end to end security and is not actually workable, why do you bother?
It sounds like you think nothing is workable, we simply cannot make anything secure - if we should give up on WebPKI (and all its faults) and DNSSEC (and all its faults) and RPKI (and all its faults), what do we have left?
Indeed, all of those things suck, they have had major hacks, minor hacks, and protocol design issues for years (okay, RPKI less so, but it's newer, give it time), but what alternative do we have? I'd rather we use the tools we have, in all their faults, than not bother building any security on the internet :)
Matt