Re: New addresses for b.root-servers.net

[Matt Corallo <nanog () as397444 net>]

On 6/20/23 10:20 PM, Masataka Ohta wrote:
> Matt Corallo wrote:
>
> > > So, let's recognize ISPs as trusted authorities and
> > > we are reasonably safe without excessive cost to
> > > support DNSSEC with all the untrustworthy hypes of
> > > HSMs and four-eyes principle.
> >
> > I think this list probably has a few things to say about "ISPs as trusted authorities" 
>
> I'm afraid you miss the point.
>
> My point is that trusted third parties of CAs including
> DNSSEC providers are at least as untrustworthy as ISPs.
>
> > - is everyone on this list already announcing and enforcing an exact ASPA policy (or BGPSec or so) 
> > and ensuring the full path for each packet they send is secure and robust to ensure it gets to its 
> > proper destination?
>
> I'm afraid that is a hype as bad as HSMs and four-eyes
> principle.
>
> > Somehow I don't think this model is workable,
>
> As PKI, including DNSSEC, is subject to MitM attacks, is
> not cryptographically secure, does not provide end to end
> security and is not actually workable, why do you bother?

It sounds like you think nothing is workable, we simply cannot make anything secure - if we should 
give up on WebPKI (and all its faults) and DNSSEC (and all its faults) and RPKI (and all its 
faults), what do we have left?

Indeed, all of those things suck, they have had major hacks, minor hacks, and protocol design issues 
 for years (okay, RPKI less so, but its newer, give it time), but what alternative do we have? I'd 
rather we use the tools we have, in all their faults, than not bother building any security on the 
internet :)

Matt