
Re: "Re: DNS? was Re: Key Management, anyone?"



> >  Authentication for what?
> 
> Clarified Assertion:
> The minimal basis for authentication is the association of a public key
> with an IP address.

Agreed, though the association of a public key with a hostname would
be a little more useful.

But, note that any string, for example, URLs, containing a hostname,
signature, date etc. can authenticate a hostname.

> The minimal authentication chain is through DNS
> zone authorities.

I disagree here.

The source, root, of the authentication varies application by
application.

DNS zone delegation chain is the natural chain for Internic to
                                               ^^^^^^^^^^^^
authenticate DNS data structure itself, but nothing more than
that.

Secure DNS chain is NOT useful to track to an authentication root.

To track to the proper root, we need application specific signatures.

For example, it is possible to modify SIG RRs and KEY RRs of secure
DNS to have some field designating the authentication root.

Then, using multiple SIG and KEY RRs for each root, we can track the
appropriate chain to reach the desired root of the authentication.

This, I think, could be the minimal authentication chain with DNS.

But, now, we are not so much motivated to let the authentication
chain follow the DNS structure. Authentication chain can just be a
relationship between DNS nodes. Note that traversing DNS structure
with NS, glue A and CNAME causes a lot of weird problems unrelated
to the authentication chain itself.

Finally, the problem of using DNS for such generic authentication
is that, we need separate SIG RR and KEY RR for each root, which
can easily cause DNS UDP packet overflow.

So, I'm rather discouraged to use DNS for authentication other than
securing DNS structure itself.

						Masataka Ohta
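The scheme sketched in the message above (SIG and KEY RRs carrying a field that designates the authentication root, one pair per root, with a chain that follows signer links rather than DNS delegation) and the packet-size objection at the end, as an added worked example. This is not code from the original message or from any DNS implementation: the root names, node names, KEY/SIG rdata layouts and the `build`/`walk_chain`/`answer_size` functions are all invented for illustration, and the signature is a stand-in (SHA-256 over signer key and signed data), not a real DNSSEC algorithm.

```python
# Added example, not part of the original message or of any DNS software.
# Per-root KEY and SIG RRs, a chain walk along signer links to a trust
# anchor, and a wire-size estimate against the RFC 1035 DNS/UDP limit.
import hashlib
import struct

UDP_LIMIT = 512              # RFC 1035 DNS-over-UDP message size without EDNS0
TYPE_SIG, TYPE_KEY = 24, 25  # RR type codes assigned in RFC 2065

def encode_name(name):
    """DNS wire-format domain name, no label compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def encode_rr(owner, rtype, rdata, ttl=3600):
    """NAME TYPE CLASS=IN TTL RDLENGTH RDATA (RFC 1035 section 4.1.3)."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def derive_key(root, node):
    """Stand-in 32-byte public key, deterministic per (root, node)."""
    return hashlib.sha256(f"{root}|{node}".encode()).digest()

def sign(signer_key, data):
    """Stand-in signature: a hash bound to the signer's key (not a real scheme)."""
    return hashlib.sha256(signer_key + data).digest()

def key_rdata(root, key):          # hypothetical KEY rdata: root tag, then key
    return encode_name(root) + key

def sig_rdata(root, signer, sig):  # hypothetical SIG rdata: root tag, signer, sig
    return encode_name(root) + encode_name(signer) + sig

class Node:
    def __init__(self, name):
        self.name = name
        self.keys = {}  # root -> key bytes          (one KEY RR per root)
        self.sigs = {}  # root -> (signer name, sig)  (one SIG RR per root)

def build(links):
    """links: (root, signer, signee) triples; the signer's key for `root` signs
    the signee's KEY for `root`. Links need not follow DNS delegation."""
    nodes = {}
    for root, signer, signee in links:
        for n in (signer, signee):
            nodes.setdefault(n, Node(n)).keys.setdefault(root, derive_key(root, n))
        signed = key_rdata(root, nodes[signee].keys[root])
        nodes[signee].sigs[root] = (signer, sign(nodes[signer].keys[root], signed))
    return nodes

def walk_chain(nodes, anchors, root, name):
    """Follow SIG signer links for `root` from `name` to the configured anchor;
    return the path of node names, or None if any link fails to verify."""
    anchor_name, anchor_key = anchors[root]
    path, seen = [name], {name}
    while path[-1] != anchor_name:
        node = nodes.get(path[-1])
        if node is None or root not in node.sigs or root not in node.keys:
            return None
        signer, sig = node.sigs[root]
        signer_node = nodes.get(signer)
        if signer_node is None or root not in signer_node.keys:
            return None
        if sign(signer_node.keys[root], key_rdata(root, node.keys[root])) != sig:
            return None
        if signer in seen:          # a cycle can never reach the anchor
            return None
        seen.add(signer)
        path.append(signer)
    if nodes[anchor_name].keys[root] != anchor_key:
        return None
    return path

def answer_size(nodes, name, roots):
    """Bytes of a response carrying one KEY RR and one SIG RR per root for
    `name`: 12-byte header, the question, then the RRs (no compression)."""
    node = nodes[name]
    size = 12 + len(encode_name(name)) + 4
    for root in roots:
        signer, sig = node.sigs[root]
        size += len(encode_rr(name, TYPE_KEY, key_rdata(root, node.keys[root])))
        size += len(encode_rr(name, TYPE_SIG, sig_rdata(root, signer, sig)))
    return size

ROOTS = ["internic", "bank-ca", "mail-ca", "web-ca"]  # invented authentication roots

def build_demo():
    """Three roots sign down the delegation chain; web-ca signs the host directly."""
    links = []
    for root in ROOTS[:3]:
        links += [(root, root, "org"), (root, "org", "example.org"),
                  (root, "example.org", "www.example.org")]
    links.append(("web-ca", "web-ca", "www.example.org"))
    nodes = build(links)
    anchors = {root: (root, nodes[root].keys[root]) for root in ROOTS}
    return nodes, anchors

if __name__ == "__main__":
    nodes, anchors = build_demo()
    for root in ROOTS:
        print(root, "->", walk_chain(nodes, anchors, root, "www.example.org"))
    for n in (1, len(ROOTS)):
        print(n, "root(s):", answer_size(nodes, "www.example.org", ROOTS[:n]),
              "bytes, limit", UDP_LIMIT)
```

With 32-byte stand-in keys and signatures, one root fits easily but four roots already push a single uncompressed answer past 512 bytes; real public keys and signatures of the period were several times larger, so the overflow arrives with even fewer roots. The walk also shows the point that the chain is a relationship between nodes, not a delegation path: `web-ca` reaches `www.example.org` in one hop while `internic` goes through `org` and `example.org`.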

