Re: [dnsext] historal root keys for upgrade path?
Phillip Hallam-Baker <hallam@gmail.com> Thu, 27 January 2011 20:56 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E8B33A6A56 for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 12:56:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.472
X-Spam-Level:
X-Spam-Status: No, score=-3.472 tagged_above=-999 required=5 tests=[AWL=0.126, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ojmg3X6qKWpe for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 12:56:51 -0800 (PST)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by core3.amsl.com (Postfix) with ESMTP id 0B4843A6A51 for <dnsext@ietf.org>; Thu, 27 Jan 2011 12:56:50 -0800 (PST)
Received: by ywk9 with SMTP id 9so883331ywk.31 for <dnsext@ietf.org>; Thu, 27 Jan 2011 12:59:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=KYEvO+t0HLxd7+VpHmH4MQ+l9yAGFY7b8FamCmq2BOg=; b=xtbgnT3yYf4aL/2/bN/SG4WflSt6edqnpO16la5zkd/LXqZlD9f0YgOD0XgRXEYxkO hSfjwTcvKZpg8jzGAZGTgE7Zo9mUoMQ5rt6zgYzHKGS63F01F2UhPdvvIC1xfzTAkNzu UTuto4VMxqgIzalkMalvnV1Kjo30lR5IJvJ+8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=kJg9WZPOGZb14dSI7Vp2djYOy7Z7zFp5ibhO11ZhtFNzDbTTBA9cfFPUKIJWMZC5uS yTREM0lc0RClVuoihaqrpvNSdJ0z5F6esPqCZXJZHTuJ8wiJYqvuc0Fi6dmNiRlvMrxD 8ffiDbSna3sBUNtjYeIHxpqWwjG9S7U4epZHE=
MIME-Version: 1.0
Received: by 10.100.195.12 with SMTP id s12mr957864anf.18.1296161995025; Thu, 27 Jan 2011 12:59:55 -0800 (PST)
Received: by 10.100.109.16 with HTTP; Thu, 27 Jan 2011 12:59:54 -0800 (PST)
In-Reply-To: <AANLkTi=UuejsF29sD6cDQ_a8G88WDy7FZSibFPysOPn0@mail.gmail.com>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <4D3F233C.7000900@vpnc.org> <alpine.LFD.1.10.1101251510140.30991@newtla.xelerance.com> <alpine.LSU.2.00.1101261442120.3329@hermes-1.csi.cam.ac.uk> <AANLkTinCB-d2HWGY4kSOmfSCMNQ-D61keEE+1poTu11g@mail.gmail.com> <alpine.LFD.1.10.1101260958490.30991@newtla.xelerance.com> <82vd1amfjm.fsf@mid.bfk.de> <AANLkTi=eOGd0Ce0ei-c_MysqbHpp7NUWFPc-xCpt=muq@mail.gmail.com> <AANLkTimiaL-eSWSAEfsDqjgZsSuU5HfkMyM2uP5v34za@mail.gmail.com> <alpine.LFD.1.10.1101271523100.24608@newtla.xelerance.com> <AANLkTi=UuejsF29sD6cDQ_a8G88WDy7FZSibFPysOPn0@mail.gmail.com>
Date: Thu, 27 Jan 2011 15:59:54 -0500
Message-ID: <AANLkTi=tVtWmLNfP9LrSE0evauhatxtYbQW6yToAHJ+9@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Content-Type: multipart/alternative; boundary="0016e644c63048ee0f049ada3b6d"
Cc: dnsext@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dnsext] historal root keys for upgrade path?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2011 20:56:52 -0000
Or alternatively, the vendors get together as a consortium and set up some infrastructure whereby they manage this in a practical manner. This is an important problem that is not limited to DNS trust roots. But the people who would be interested in a solution are going to be the type of people who consider real world business issues of the type that cause many people on this list to stick their fingers in their ears and chant 'la-la-la not listening'. So it is really not a problem that I think is useful to address as part of a DNSSEC infrastructure consideration. On Thu, Jan 27, 2011 at 3:37 PM, Brian Dickson < brian.peter.dickson@gmail.com> wrote: > On Thu, Jan 27, 2011 at 4:24 PM, Paul Wouters <paul@xelerance.com> wrote: > > On Thu, 27 Jan 2011, Brian Dickson wrote: > > > >> Open question, to whoever feels like answering it: > >> Would the following, as a general mechanism for publishing someone > >> else's DNSKEY (securely) work? > >> (Here, "foreign" means, we don't hold the private keys) > >> > >> (1) Using a current, known-good trust anchor, retrieve and validate > >> the (foreign) DNSKEY data (possibly plural). > >> (2) For every algorithm in the set of foreign DNSKEY data : > >> (2a) Generate (one time only!!!) a new public/private key pair for > >> our own (local) DNSKEY > >> (2b) Combine the local and foreign DNSKEY data into the apex of our > >> own zone file, for which we are authoritative. > >> (2c) Sign the DNSKEYs with our private keys > > > > Now you have just moved the problem. I need this DNSKEY as trust anchor. > How > > do I know this will not be rolled and how to I get historic data on this > > key. > > Sorry, I thought that was obvious... This DNS zone (or these zones) > would need to be maintained, actively, by $vendor. > > The vendor is then responsible for the key not rolling, and the > accuracy of the served trust anchor data (root keys) in the zone, the > serving (or outsourcing the serving) of the zone, etc. > > The only traffic to this zone will be bootstrapping devices, and > ideally just once per device. > > The zones can be fed by a private master, and served literally from > anywhere the vendor wants. > > The liability issues are strictly with the vendor to the itself (and > its customers), i.e. negligible. > > It scales reasonably well, and the overhead, in terms of operational > management, while important to get right, is really insignificant. > > Brian > _______________________________________________ > dnsext mailing list > dnsext@ietf.org > https://www.ietf.org/mailman/listinfo/dnsext > -- Website: http://hallambaker.com/
- [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Stephan Lagerholm
- Re: [dnsext] historal root keys for upgrade path? Andrew Sullivan
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Hoffman
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Hoffman
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Edward Lewis
- Re: [dnsext] historal root keys for upgrade path? Thierry Moreau
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Edward Lewis
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Alex Nicoll
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Stephan Lagerholm
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Jakob Schlyter
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Nicholas Weaver
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Matthew Dempsky
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Paul Vixie
- Re: [dnsext] historal root keys for upgrade path? Paul Vixie
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Andrew Sullivan
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? David Conrad
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Thierry Moreau
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Paul Hoffman
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? W.C.A. Wijngaards
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Nicholas Weaver
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Nicholas Weaver
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Jakob Schlyter
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Jakob Schlyter
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Ted Lemon
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer