Hands-off DNS root zone security proposal
Thierry Moreau <thierry.moreau@connotech.com> Thu, 24 November 2005 19:39 UTC
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EfMwd-0001xi-Oa for dnsext-archive@megatron.ietf.org; Thu, 24 Nov 2005 14:39:47 -0500
Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA16063 for <dnsext-archive@lists.ietf.org>; Thu, 24 Nov 2005 14:39:06 -0500 (EST)
Received: from majordom by psg.com with local (Exim 4.54 (FreeBSD)) id 1EfMq9-000KiE-V0 for namedroppers-data@psg.com; Thu, 24 Nov 2005 19:33:05 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on psg.com
X-Spam-Status: No, score=-1.8 required=5.0 tests=AWL,BAYES_00, UNPARSEABLE_RELAY autolearn=ham version=3.1.0
Received: from [66.163.8.251] (helo=SMTP.Lamicro.com) by psg.com with esmtp (Exim 4.54 (FreeBSD)) id 1EfMq6-000Khg-L2 for namedroppers@ops.ietf.org; Thu, 24 Nov 2005 19:33:03 +0000
Received: from Spooler by SMTP.Lamicro.com (Mercury/32 v4.01b) ID MO0017F5; 24 Nov 2005 14:38:38 -0500
Received: from spooler by Lamicro.com (Mercury/32 v4.01b); 24 Nov 2005 14:38:24 -0500
Received: from connotech.com (209.71.204.102) by SMTP.Lamicro.com (Mercury/32 v4.01b) with ESMTP ID MG0017F4; 24 Nov 2005 14:38:15 -0500
Message-ID: <43861D3A.306@connotech.com>
Date: Thu, 24 Nov 2005 15:06:18 -0500
From: Thierry Moreau <thierry.moreau@connotech.com>
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: DNSSEC deployment <dnssec-deployment@shinkuro.com>, namedroppers@ops.ietf.org
Subject: Hands-off DNS root zone security proposal
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Content-Transfer-Encoding: 7bit
Dear all: The political aspects of signing the DNS root zone seem to be recurring with little indication that some progress in this direction can be made in a predictable time. Echoes from a recent centr meeting (i.e. an association of ccTLD registries, at http://www.centr.org) indicate that "There seems to be a need for a Trust Anchor Distribution mechanism with which one can distribute multiple trust-anchors (e.g. those of TLDs) without the need for the mechanism itself to rely on [the DNS root] trust anchor." (- Olaf M. Kolkman). The present proposal is inspired from an approach has been taken by the ICAO (International Civil Aviation Authority) for their "PKI for Machine Readable Travel Documents [i.e. electronic passports]" (which bears little relation to the IETF PKI given the amount of simplification they did in the PKI model). Basically, the overseeing organization (ICAO as a treaty organization / ICANN as a domain manager overseeing TLDs) merely collects public key information from its constituency ("member states" for ICAO / TLD managers for ICANN), puts it together in a computer file, and makes it available to the public (ICAO Public Key Directory / ICANN "TLD TAK-i file" explained below). No digital signature by the overseeing organization, hence little mixed signals about the overseeing organization operational liability implied by a "digital signature." Those interested in the institutional paperwork and MoUs can look at http://www.icao.int/icao/en/atb/fal/mrtd/tagmrtd16/Tagmrtd16_026_ en.pdf. Important third parties will be interested in reading the computer file for configuring signature verification systems (for ICAO, airlines for passenger identification at boarding time / for ICANN, DNS resolver software developers and vendors for embedding trust anchor key material in software release initial configuration). In the case of ICANN, it is operationally more difficult (i.e. unrealistic) to update the configuration in signature verification systems (i.e. fielded resolver software) than in the case of ICAO member states (i.e. border control equipment) and airlines (boarding control systems). Accordingly, the present proposal assumes a clear separation of Trust Anchor Key initialization (TAK-i) from Trust Anchor Key rollover (TAK-r). The TLD TAK-i file maintained by ICANN would thus be concerned only with TAK-i related public data. Accordingly, the update operations on the TLD TAK-i file would be limited to: o adding TAK-i related public data for a TLD that will support DNSSEC, o updates in the case of TLD redelegation incidents, i.e. when a TLD is redelegated and the TAK-i private data counterpart does not follow the redelagation. The above is intended to be independent of a specific TAK-i and TAK-r solution. Nonetheless, the TAKREM for DNS (draft-moreau-dnsext-takrem-dns-00.txt) is indeed well suited to the present proposal, notably: o TAKREM meets the required separation of TAK-i from TAK-r, o TAKREM allows the preparation of TAK-i public data well in advance of the decision to make a TLD DNSSEC-aware, o the TAK-i private data counterpart is easily transferred from one organization to its successor in the case of a mutually agreed TLD redelegation. So, the above is presented as a path to DNSSEC deployment without full support of DNSSEC in root zone management. Perhaps the institutional arrangement can be described as "the root zone provisioning by ICANN is augmented with the collection of Trust Anchor Key public information from TLDs but the root zone DNS operation is not modified." So it is hands-off, i.e. no hands-on handling of private key material by ICANN or root zone operator. Hope it can be useful. Regards, -- - Thierry Moreau CONNOTECH Experts-conseils inc. 9130 Place de Montgolfier Montreal, Qc Canada H2M 2A1 Tel.: (514)385-5691 Fax: (514)385-5900 web site: http://www.connotech.com e-mail: thierry.moreau@connotech.com -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Hands-off DNS root zone security proposal Thierry Moreau