?

Log in

No account? Create an account

fanf

DNSSEC

« previous entry | next entry »
16th Sep 2009 | 13:22

Delegation, delegation! Delegation,
that's what you need.
If you want your names to nest,
and you don't want to host the rest,
ooh-ooh, delegation's what you need!

So last night I laughed out loud at a DNSSEC RFC. I blame Douglas Adams.

Near the start of Life, the Universe, and Everything, Arthur Dent and Ford Prefect escape from prehistoric Earth on Eddy's time-travelling sofa, and find themselves at Lord's cricket ground. There, shortly before all hell breaks loose, they spot Slartibartfast's spaceship hidden with a SEP. An S.E.P. is a kind of cloaking device which works at a psychological level. It prevents you from seeing something, or rather it forces you to disregard it because it is Somebody Else's Problem and nothing you need to worry about.

In DNSSEC there are (by convention) two kinds of key. Key Signing Keys are as secure as possible (the keys are big and their private parts can be kept offline) so that they can have a long lifetime. Zone Signing Keys are smaller to reduce packet sizes and CPU usage, and their private parts need to be kept online to support dynamic DNS; to compensate for their relative lack of security they have a shorter lifetime. The KSK's public part is used as a "trust anchor" that you give to other people so they can authenticate the contents of your zone. You want it to have a long lifetime so you don't have to keep bothering them with updates. Although the KSK/ZSK arrangement is just a convention, it turns out to be useful to have some explicit signalling in the protocol to distinguish them, so they added a flag bit to DNSKEYs for this purpose. However they chose a different name for the bit to emphasize that you can manage your keys in unconventional ways, so it is called the "secure entry point" bit. This indicates the key is intended to be used as a trust anchor (e.g. in RFC 5011 rollover).

To me the SEP bit is the "somebody else's problem" bit. But it has exactly the opposite effect of Douglas Adams's SEP, since it's the bit you set to make other people pay extra attention. I thought this was funny, but then I had been drinking Ardbeg.

| Leave a comment | Share

Comments {1}

Thorfinn

from: thorfinn
date: 17th Sep 2009 05:54 (UTC)

But if it's to make other people pay extra attention, then it is correctly the SEP bit! :-)

"Hello, Someone Else! Problem! Look!"

Reply | Thread