Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
Dan Massey <masseyd@isi.edu> Tue, 03 April 2001 18:02 UTC
Received: from psg.com (exim@[147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA10874 for <dnsext-archive@lists.ietf.org>; Tue, 3 Apr 2001 14:02:49 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14kUc1-0006ss-00 for namedroppers-data@psg.com; Tue, 03 Apr 2001 10:29:01 -0700
Received: from 64-214-53-171.dhcp.arin.gblx.net ([64.214.53.171] helo=roam.psg.com ident=root) by psg.com with esmtp (Exim 3.16 #1) id 14kUc0-0006sa-00 for namedroppers@ops.ietf.org; Tue, 03 Apr 2001 10:29:00 -0700
Received: from randy by roam.psg.com with local (Exim 3.20 #1) id 14kUc0-0004gd-00 for namedroppers@ops.ietf.org; Tue, 03 Apr 2001 10:29:00 -0700
Date: Tue, 03 Apr 2001 12:54:14 -0400
From: Dan Massey <masseyd@isi.edu>
To: Ted Lindgreen <ted@tednet.nl>
Cc: Brian Wellington <Brian.Wellington@nominum.com>, namedroppers@ops.ietf.org, fmeshd@east.isi.edu
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
Message-ID: <20010403125414.A10897@snarl.east.isi.edu>
Mail-Followup-To: Ted Lindgreen <ted@tednet.nl>, Brian Wellington <Brian.Wellington@nominum.com>, namedroppers@ops.ietf.org, fmeshd@east.isi.edu
References: <200103301035.MAA20499@omval.tednet.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200103301035.MAA20499@omval.tednet.nl>; from ted@tednet.nl on Fri, Mar 30, 2001 at 12:35:04PM +0200
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
On Friday, March 30, 2001 at 12:35PM, Ted Lindgreen wrote: | | But, perhaps you refer to registry testbeds? I know of two | implementations: one at CAIRN and one over here at NLnet Labs. | | The former uses the KEY+parentalSIG @child scheme. From private | communication during the last IETF (50th) with the | authors/zoneadministrators I know that most, of not all, of their | test child zones are currently BAD. They told me that they consider | their setup as very difficult, if not impossible, to maintain, and | that they are considering to adopt the parental-SIG@parent scheme. | First, I'd like to follow up on the above comment. In CAIRN, we have found that the SIG at child approach makes changing parent keys operationally difficult and we are testing the NLnet Labs approach. Currently we have some people working out the operation guidelines and revising our key registration and rollover procedures appropriately. The switch should be complete soon. With respect to the latest sig@parent draft, I think this a good idea but I have some questions/comments. Section 2.1 describes the TTL at the parent but it does not specify anything about the lifetime of the SIG at the parent. Note that an attacker can continue replaying an expired or compromised key until the parent's SIG expires. You want to avoid scenarios where the child plans to change keys once a month, but the parent creates SIGs with a lifetime of one year. Perhaps you need something like the following: The parent and child should agree upon an expiration date for the child's key. Any SIGs generated by the parent must not exceed this expiration date. In CAIRN, our current plan is that the child will send a self-signed key and the expiration date on that (self-signed) SIG is taken as the key's expiration date. Section 4 describes a scheduled key rollover. Should there be a transition period where both keys are valid? The old cairn.net plan had a short transition period where both the old and new key were active. After the transition, the zone moved to only the new key. The current draft seems to disallow this. Section 8 seems to push a lot of complexity into the resolver. To lookup the non-zone (ipsec/ssh/whatever) key for host bar.foo.com, the resolver just requests the keyset for bar.foo.com, verifies the set signed by the foo.com zone key, and returns the result. But to lookup a non-zone key for foo.com, the resolver requests the keyset for foo.com and gets only the zone keys. At this point, the resolver must be smart enough to know that the requestor wants something besides zone keys and the resovler must be smart enough to send a query for the keyset of f.i.keys.foo.com. Shouldn't the query just say keyset for foo.com, not this particular type of KEY record? Will this work for recursive queries? If the foo.com zone chooses a name other f.i.keys.foo.com, how will the resolver know what to ask for? Dan to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: Signature at parent (draft-ietf-dnsop-parent-… Olaf Kolkman
- Re: Signature at parent (draft-ietf-dnsop-parent-… Roy Arends
- Re: Signature at parent (draft-ietf-dnsop-parent-… Miek Gieben
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… John Gilmore
- Re: Signature at parent (draft-ietf-dnsop-parent-… Olaf Kolkman
- Re: Signature at parent (draft-ietf-dnsop-parent-… Brian Wellington
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Kevin Darcy
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Eric A. Hall
- Re: Signature at parent (draft-ietf-dnsop-parent-… Dan Massey
- DNS vs. non-DNS Data (was Re: Signature at parent… Kevin Darcy
- Re: Signature at parent (draft-ietf-dnsop-parent-… Randy Bush
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: Signature at parent (draft-ietf-dnsop-parent-… Peter Koch
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Eric A. Hall
- Re: Signature at parent (draft-ietf-dnsop-parent-… Brian Wellington
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis