Re: [dnsext] historal root keys for upgrade path?
Phillip Hallam-Baker <hallam@gmail.com> Thu, 27 January 2011 23:20 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 769C63A69D6 for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 15:20:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.473
X-Spam-Level:
X-Spam-Status: No, score=-3.473 tagged_above=-999 required=5 tests=[AWL=0.125, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EKPJ2tK1xCWr for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 15:20:00 -0800 (PST)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by core3.amsl.com (Postfix) with ESMTP id 5A04D3A68AA for <dnsext@ietf.org>; Thu, 27 Jan 2011 15:19:57 -0800 (PST)
Received: by yxt33 with SMTP id 33so943938yxt.31 for <dnsext@ietf.org>; Thu, 27 Jan 2011 15:23:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=eHKgrJt0qVWD4+RrjPwm2AMCSI9blKtnaaVlhGSAbto=; b=bVQMWQG4rbADBmI/Ky8lVFVdhsGK6LOcopWkMK1aSiYUtd3MCWmJKTKx5xyq/UMYNB jKA35/udr38Deo4HDVxbEvlD7Phbk8LepR3J5lUU3tHQaElEsOph/BwmLST5EkS49mGB CQaT238cTTVX9l4JYu5sxsDTCtwPDjB6T9IQg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=RqBlWvYgBQG44NFHNvrayHukbouyaUKOufimb8I4hKaEmyJPt/98pKiN8lLVZ/o4Yq oVvOK64+w0XdEYDk5mLFPXT3DamBSK25CvXaV+Rpo8rDHH0KnSZk8PSYDMSsMokrPy1Z oEhzNt75fk5Rjt9Kic7uABSevKThWAG0nxLMw=
MIME-Version: 1.0
Received: by 10.100.48.3 with SMTP id v3mr1046166anv.154.1296170581459; Thu, 27 Jan 2011 15:23:01 -0800 (PST)
Received: by 10.100.109.16 with HTTP; Thu, 27 Jan 2011 15:23:01 -0800 (PST)
In-Reply-To: <D442CA92-EC36-4425-B9D9-58D00E2735E4@hopcount.ca>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <4D3F233C.7000900@vpnc.org> <CAB4A416-148B-435E-A1BB-78035A1D539D@kirei.se> <alpine.LFD.1.10.1101271036560.19497@newtla.xelerance.com> <10A3D861-EC02-49FF-BBD1-44843378C9CB@icsi.berkeley.edu> <2BC28AF0-9132-4FFD-9FA6-FCEC29A1D471@hopcount.ca> <50123.1296155020@nsa.vix.com> <D442CA92-EC36-4425-B9D9-58D00E2735E4@hopcount.ca>
Date: Thu, 27 Jan 2011 18:23:01 -0500
Message-ID: <AANLkTinopGbhuVHxeK9og6y7TJtL7joUnr7ykE4_G4jb@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Content-Type: multipart/alternative; boundary="0016e645b8c4138405049adc3b28"
Cc: dnsext@ietf.org
Subject: Re: [dnsext] historal root keys for upgrade path?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2011 23:20:11 -0000
The risk of doing such a roll would be that the ensuing chaos is then used as proof that DNSSEC is not ready for prime-time. I do think that it is worth people like myself who have been considering cyber-conflict issues for some time war-gaming an emergency roll. But we are talking about possibilities that are really very unlikely indeed and we are probably talking about scenarios that involve 'kinetic' attacks in addition to purely cyber. If you want to engage in that type of exercise you need to posit a plausible scenario that would cause the emergency roll to be required. And once you start considering those type of scenarios we are talking about catastrophic failures that are going to completely invalidate any experience from the proposed fire-drill. Airlines do train for evacuation of passengers from aircraft, but they do not perform such drills on a regular basis with paying passengers (liners on the other hand do). So the downside risk is large, if you try that test it is likely to damage prospects for DNSSEC deployment. The benefit is negligible. On Thu, Jan 27, 2011 at 4:38 PM, Joe Abley <jabley@hopcount.ca> wrote: > > On 2011-01-27, at 14:03, Paul Vixie wrote: > > >> From: Joe Abley <jabley@hopcount.ca> > >> Date: Thu, 27 Jan 2011 13:28:26 -0500 > >> > >> There is no established schedule for rolling the root zone's KSK. All > >> we have said to date is that we don't expect to do it any time soon, > >> because it's not clear that support for automated handling of such an > >> event is well-deployed in clients. > > > > under what conditions can you imagine that changing? > > If the groundwork was done and it looked like the client population was > likely to be substantially KSK-roll-tolerant (by which I intend to imply > experimentation, real-world surveys and testing, conversations with relevant > vendors, a much clearer specification for desired client behaviour, etc) I > would advocate scheduled KSK rolls for the root. > > The benefits of all that work would be operational rather than > cryptographic (at least, I have been told that there is little cryptographic > in rolling an uncompromised 2048 bit root zone KSK). For example, clients > are far more likely to be able to survive an emergency key roll if we know > that all the code points associated with a scheduled key roll are > well-understood and exercised; those from IANA and the community who are > involved in managing the KSK have a better shot of getting it right if the > processes involved are regularly used (even if they're not used very often). > > Without a much better understanding of the likely impact on clients, > however, and without any confidence that clients will handle the event > without helpdesk intervention, the costs of a KSK roll appear to outweigh > the benefits, even with the relatively small validating base we might > imagine exists today. > > > Joe > > _______________________________________________ > dnsext mailing list > dnsext@ietf.org > https://www.ietf.org/mailman/listinfo/dnsext > -- Website: http://hallambaker.com/
- [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Stephan Lagerholm
- Re: [dnsext] historal root keys for upgrade path? Andrew Sullivan
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Hoffman
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Hoffman
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Edward Lewis
- Re: [dnsext] historal root keys for upgrade path? Thierry Moreau
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Edward Lewis
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Alex Nicoll
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Stephan Lagerholm
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Jakob Schlyter
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Nicholas Weaver
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Matthew Dempsky
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Paul Vixie
- Re: [dnsext] historal root keys for upgrade path? Paul Vixie
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Andrew Sullivan
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? David Conrad
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Thierry Moreau
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Paul Hoffman
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? W.C.A. Wijngaards
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Nicholas Weaver
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Nicholas Weaver
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Jakob Schlyter
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Jakob Schlyter
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Ted Lemon
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer