Re: [dnsext] historal root keys for upgrade path?

[Phillip Hallam-Baker <hallam@gmail.com>]

The risk of doing such a roll would be that the ensuing chaos is then used
as proof that DNSSEC is not ready for prime-time.


I do think that it is worth people like myself who have been considering
cyber-conflict issues for some time war-gaming an emergency roll. But we are
talking about possibilities that are really very unlikely indeed and we are
probably talking about scenarios that involve 'kinetic' attacks in addition
to purely cyber.

If you want to engage in that type of exercise you need to posit a plausible
scenario that would cause the emergency roll to be required.

And once you start considering those type of scenarios we are talking about
catastrophic failures that are going to completely invalidate any experience
from the proposed fire-drill.


Airlines do train for evacuation of passengers from aircraft, but they do
not perform such drills on a regular basis with paying passengers (liners on
the other hand do).


So the downside risk is large, if you try that test it is likely to damage
prospects for DNSSEC deployment. The benefit is negligible.


On Thu, Jan 27, 2011 at 4:38 PM, Joe Abley <jabley@hopcount.ca> wrote:

>
> On 2011-01-27, at 14:03, Paul Vixie wrote:
>
> >> From: Joe Abley <jabley@hopcount.ca>
> >> Date: Thu, 27 Jan 2011 13:28:26 -0500
> >>
> >> There is no established schedule for rolling the root zone's KSK. All
> >> we have said to date is that we don't expect to do it any time soon,
> >> because it's not clear that support for automated handling of such an
> >> event is well-deployed in clients.
> >
> > under what conditions can you imagine that changing?
>
> If the groundwork was done and it looked like the client population was
> likely to be substantially KSK-roll-tolerant (by which I intend to imply
> experimentation, real-world surveys and testing, conversations with relevant
> vendors, a much clearer specification for desired client behaviour, etc) I
> would advocate scheduled KSK rolls for the root.
>
> The benefits of all that work would be operational rather than
> cryptographic (at least, I have been told that there is little cryptographic
> in rolling an uncompromised 2048 bit root zone KSK). For example, clients
> are far more likely to be able to survive an emergency key roll if we know
> that all the code points associated with a scheduled key roll are
> well-understood and exercised; those from IANA and the community who are
> involved in managing the KSK have a better shot of getting it right if the
> processes involved are regularly used (even if they're not used very often).
>
> Without a much better understanding of the likely impact on clients,
> however, and without any confidence that clients will handle the event
> without helpdesk intervention, the costs of a KSK roll appear to outweigh
> the benefits, even with the relatively small validating base we might
> imagine exists today.
>
>
> Joe
>
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
>



-- 
Website: http://hallambaker.com/