IETF Logo Mail Archive

Re: [dnsext] historal root keys for upgrade path?

Thierry Moreau <thierry.moreau@connotech.com> Fri, 28 January 2011 16:53 UTC

Return-Path: <thierry.moreau@connotech.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 926263A67B0 for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 08:53:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.768
X-Spam-Level:
X-Spam-Status: No, score=0.768 tagged_above=-999 required=5 tests=[AWL=1.205, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHm8GSMomaAN for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 08:53:17 -0800 (PST)
Received: from bretelle.intaglionic.org (unknown [76.10.176.241]) by core3.amsl.com (Postfix) with ESMTP id 86ABB3A67AE for <dnsext@ietf.org>; Fri, 28 Jan 2011 08:53:17 -0800 (PST)
Received: from [192.168.1.200] (unknown [192.168.1.200]) by bretelle.intaglionic.org (Postfix) with ESMTPA id 3C9BB3076B; Fri, 28 Jan 2011 17:07:30 -0500 (EST)
Message-ID: <4D42F4ED.6070502@connotech.com>
Date: Fri, 28 Jan 2011 11:55:09 -0500
From: Thierry Moreau <thierry.moreau@connotech.com>
User-Agent: Thunderbird 2.0.0.17 (X11/20090608)
MIME-Version: 1.0
To: David Conrad <drc@virtualized.org>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <17A80F45-52CB-43F6-BD4A-3488821F6933@hopcount.ca> <3A1DEE95-8C8E-4C89-97EB-6D8F799ADE25@virtualized.org>
In-Reply-To: <3A1DEE95-8C8E-4C89-97EB-6D8F799ADE25@virtualized.org>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: dnsext List <dnsext@ietf.org>
Subject: Re: [dnsext] historal root keys for upgrade path?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 16:53:18 -0000

David Conrad wrote:
> On Jan 26, 2011, at 1:26 PM, Joe Abley wrote:
>> Wouter's earlier proposal which is mentioned elsewhere in this thread had the principle defect that its use relied upon trusting signatures made by old keys, which in general some of us thought was a poor idea (e.g. in the event that a key was rolled because it was compromised).
> 
> I don't think that's a risk. If a key is rolled because of a known compromise, it simply means you can't safely chain from the old-but-installed-key to the current-but-not-yet-installed key.  Presumably, when a key is known to be compromised, the chain from old to current keys would be broken such that automated systems would require human intervention.
>

A known compromise might occur at T[n]-epsilon but detected at 
T[n]+delta (T[n] is the absolute time of rollover, and epsilon is less 
than previous cryptoperiod, i.e. T[n]-T[n-1]). Then, human intervention 
is pointless for systems that has been on-line (too late to do anything) 
and very much unlikely for those having been off-line during these 
troubled times.

Note that RFC5011 could have been "practiced" (by who would you guess 
... IANA) such that the next KSK is pre-announced at T[n-1]+mu (mu is 
small). If mu+epsilon<T[n]-T[n-1], then the on-line systems would 
reliably recover at T[n] without an implicit leap-of-faith. But that 
path would have made the root DNSKEY RRset larger.

(I quoted "practiced" because RFC5011 mandates specific validator 
procedures and allows various strategies for the root/island-of-trust 
zone manager.)

> As far as I can tell the real risk is that an attacker has an increased amount of time to secretly compromise any key in the old to current chain, thereby enabling a MITM attack to insert a branch to a new chain that will end in a malicious key.  The continued use of the old keys for something valuable means the keys have to be much stronger and it sort of defeats the purpose of scheduled rolling of keys.
> 

Correct, that is a risk or concern.

As a more general observation, what is needed here, in essence, is a 
small assistance (sign current root KSK) from a public-key based 
notarization service (the foremost example of a PK scheme with long-term 
trust at the core of the mission statement).

However, neither IETF standardization activities nor organizations 
involved in the DNS root operations ever considered the PK notarization 
seriously.

Hence my general conclusion that DNSSEC validation must rely on some 
leap-of-faith somehow somewhere, like it or not. Root KSK recovery may 
require leap-of-faith. Unless the whole DNSSEC root zone management is 
revisited, which is not going to occur.

Some may not like the color of the room where the leap-of-faith occurs 
(yes, I did watch portions of the ICANN-staged ceremonies, thanks for 
the webcast, but no, I don't recall the color of the room). If there is 
more to it, the requirements should be spelled out in terms of basic 
deployment strategies for public key capabilities.

Regards,

-- 
- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691

v2.23.0 | Report a Bug | By Email