IETF Logo Mail Archive

Re: [dnsext] historal root keys for upgrade path?

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 27 January 2011 20:45 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 551033A6916 for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 12:45:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.173
X-Spam-Level:
X-Spam-Status: No, score=-3.173 tagged_above=-999 required=5 tests=[AWL=0.426, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1nb9KY3xLES0 for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 12:45:29 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 297363A68A7 for <dnsext@ietf.org>; Thu, 27 Jan 2011 12:45:28 -0800 (PST)
Received: by fxm9 with SMTP id 9so2827019fxm.31 for <dnsext@ietf.org>; Thu, 27 Jan 2011 12:48:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=aUxMpYGBBqQllOe1govxPXRhB9ZvVejMQcNc8UiTykw=; b=Mj9/Ubqrg4gNhiDebctYVza8HsTE7LUvsoOtfaW8Q2F9sYU8jjonyapi2UGw2miWMd aS27cE+YE5Ww8/+rKb6ZFjMq0jrjCtyFaB4En0jhI18Il+ZaqkaR6cjK3F6ItC5bpP1O +6dzkxH+WPNQ8uwBA2OuxG8DhOTTlgHsmzxq4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=BelyVgZVRSoD1X0oQWkQnY6gs+DjVWb0XOUw+vkxyqqQUQC0TUTMT6sWRQz31jpeaS AE9Ce4gZGsEk95LRLi0SrARErq36Y0AIBqY7DGdC7V8UEGXSyt9379WaD1ZDHV2fWNXw bSTaWLyiZUngRrAr/D8dlQr/FWM/uaaokhuj4=
MIME-Version: 1.0
Received: by 10.223.83.8 with SMTP id d8mr1394198fal.94.1296160633799; Thu, 27 Jan 2011 12:37:13 -0800 (PST)
Received: by 10.223.108.71 with HTTP; Thu, 27 Jan 2011 12:37:13 -0800 (PST)
In-Reply-To: <alpine.LFD.1.10.1101271523100.24608@newtla.xelerance.com>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <4D3F233C.7000900@vpnc.org> <alpine.LFD.1.10.1101251510140.30991@newtla.xelerance.com> <alpine.LSU.2.00.1101261442120.3329@hermes-1.csi.cam.ac.uk> <AANLkTinCB-d2HWGY4kSOmfSCMNQ-D61keEE+1poTu11g@mail.gmail.com> <alpine.LFD.1.10.1101260958490.30991@newtla.xelerance.com> <82vd1amfjm.fsf@mid.bfk.de> <AANLkTi=eOGd0Ce0ei-c_MysqbHpp7NUWFPc-xCpt=muq@mail.gmail.com> <AANLkTimiaL-eSWSAEfsDqjgZsSuU5HfkMyM2uP5v34za@mail.gmail.com> <alpine.LFD.1.10.1101271523100.24608@newtla.xelerance.com>
Date: Thu, 27 Jan 2011 16:37:13 -0400
Message-ID: <AANLkTi=UuejsF29sD6cDQ_a8G88WDy7FZSibFPysOPn0@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Paul Wouters <paul@xelerance.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: dnsext@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dnsext] historal root keys for upgrade path?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2011 20:45:30 -0000

On Thu, Jan 27, 2011 at 4:24 PM, Paul Wouters <paul@xelerance.com> wrote:
> On Thu, 27 Jan 2011, Brian Dickson wrote:
>
>> Open question, to whoever feels like answering it:
>> Would the following, as a general mechanism for publishing someone
>> else's DNSKEY (securely) work?
>> (Here, "foreign" means, we don't hold the private keys)
>>
>> (1) Using a current, known-good trust anchor, retrieve and validate
>> the (foreign) DNSKEY data (possibly plural).
>> (2) For every algorithm in the set of foreign DNSKEY data :
>> (2a) Generate (one time only!!!)  a new public/private key pair for
>> our own (local) DNSKEY
>> (2b) Combine the local and foreign DNSKEY data into the apex of our
>> own zone file, for which we are authoritative.
>> (2c) Sign the DNSKEYs with our private keys
>
> Now you have just moved the problem. I need this DNSKEY as trust anchor. How
> do I know this will not be rolled and how to I get historic data on this
> key.

Sorry, I thought that was obvious... This DNS zone (or these zones)
would need to be maintained, actively, by $vendor.

The vendor is then responsible for the key not rolling, and the
accuracy of the served trust anchor data (root keys) in the zone, the
serving (or outsourcing the serving) of the zone, etc.

The only traffic to this zone will be bootstrapping devices, and
ideally just once per device.

The zones can be fed by a private master, and served literally from
anywhere the vendor wants.

The liability issues are strictly with the vendor to the itself (and
its customers), i.e. negligible.

It scales reasonably well, and the overhead, in terms of operational
management, while important to get right, is really insignificant.

Brian

v2.23.0 | Report a Bug | By Email