xri message
Subject: Re: question about dns trust profile


On Feb 5, 2009, at 2:14 PM, Brian Eaton wrote:
>
> I just read over the DNS authority trust profile you wrote up:
> http://wiki.oasis-open.org/xri/XrdOne/TrustProfileDNSAuthority
>
> I'm not sure I understand the resource name to document binding, let
> me double check.
>
> - someone starts with a resource X
> - DNS publishes a mapping from resource X to document id Y
> - when they download the document, they check that X == Y.

Yes, you have the mapping correctly.

> Is that right?  It seems vulnerable to attacks on DNS.

True, but no more so than an A record attack on the DNS for almost
every resource we have.  The real test, IFAIC, is a trust in the
signature keys. Anything else is liable to introduce attacks.

> Is the
> expectation that DNS SEC will be used to prevent those attacks, or
> that DNS spoofing is an acceptable risk?

Both, actually.  I suspect we will see a large growth in TLD signing
over 2009... in the meantime, the DNS attack is, I think, acceptable.
I thought pretty long on alternatives, but came up with nothing any
better that did not require fundamental infrastructure changes which
would only challenge interoperability.

=peterd
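The binding check discussed in this thread (resource X, DNS mapping X -> document id Y, download, verify the document carries Y), as an added illustration that is not part of the thread or of the OASIS trust profile itself. The DNS table, the document store, the `validated` flag standing in for a DNSSEC-validated answer, and the document layout are all constructed assumptions; the point it shows is that the X == Y check alone cannot distinguish a genuine mapping from a spoofed one, which is why the reply leans on DNSSEC or on trusted signature keys.

```python
"""Toy model of the resource -> DNS -> document-id binding from the thread."""
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    name: str
    document_id: str
    validated: bool  # assumption: stands in for a DNSSEC-validated (AD) answer


# Constructed stand-ins for DNS and for the documents a resolver would fetch.
DNS = {
    "example.com": DnsAnswer("example.com", "xrd-doc-123", validated=True),
    "legacy.example.net": DnsAnswer("legacy.example.net", "xrd-doc-777", validated=False),
}
DOCUMENTS = {
    "xrd-doc-123": {"id": "xrd-doc-123", "subject": "example.com"},
    "xrd-doc-777": {"id": "xrd-doc-777", "subject": "legacy.example.net"},
}


def lookup(resource, dns=DNS):
    """Step 2 of the thread: DNS maps resource X to a document id Y."""
    answer = dns.get(resource)
    if answer is None:
        raise LookupError(resource)
    return answer


def fetch(document_id, store=DOCUMENTS):
    """Step 3: download the document DNS pointed at (constructed store)."""
    return store[document_id]


def resolve(resource, require_dnssec, dns=DNS, store=DOCUMENTS):
    """Return the bound document, or raise if the binding is not trustworthy."""
    answer = lookup(resource, dns)
    # Without this gate the check below accepts whatever the (spoofable) DNS said.
    if require_dnssec and not answer.validated:
        raise ValueError(f"unvalidated DNS answer for {resource}")
    doc = fetch(answer.document_id, store)
    # The X == Y check: the document must carry the id DNS gave us and name
    # the resource we started from.  It proves consistency, not authenticity.
    if doc["id"] != answer.document_id or doc["subject"] != resource:
        raise ValueError("document does not match DNS binding")
    return doc
```

Run `resolve("example.com", require_dnssec=True)` against the constructed tables to see the happy path; feed it a table whose answer is not validated to see the gate reject it.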
