Re: Redux: Why I want to remove the null key (SIG)
Edward Lewis <lewis@tislabs.com> Fri, 23 June 2000 18:03 UTC
Received: from psg.com (psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA16447 for <dnsext-archive@lists.ietf.org>; Fri, 23 Jun 2000 14:03:11 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.13 #1) id 135XDW-0008G9-00 for namedroppers-data@psg.com; Fri, 23 Jun 2000 10:26:10 -0700
Received: from [212.158.2.190] (helo=roam.psg.com) by psg.com with esmtp (Exim 3.13 #1) id 135XDU-0008Fm-00 for namedroppers@ops.ietf.org; Fri, 23 Jun 2000 10:26:09 -0700
Received: from randy by roam.psg.com with local (Exim 3.12 #1) id 135XDQ-0000jb-00 for namedroppers@ops.ietf.org; Fri, 23 Jun 2000 18:26:04 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <v03130302b5792af29da0@[207.172.148.170]>
In-Reply-To: <Pine.BSF.4.21.0006141506170.30682-100000@open.nlnetlabs.nl>
Date: Fri, 23 Jun 2000 12:44:52 -0400
To: Roy Arends <roy@nlnetlabs.nl>
From: Edward Lewis <lewis@tislabs.com>
Subject: Re: Redux: Why I want to remove the null key (SIG)
Cc: namedroppers <namedroppers@ops.ietf.org>, Edward Lewis <lewis@tislabs.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Content-Transfer-Encoding: 7bit
At 9:39 AM -0400 6/14/00, Roy Arends wrote: >As this child has a KEY, which is validated off-tree, a secure entrypoint >is defined here (as explained in our remarks on the >draft-ietf-dnsext-zone-status-01.txt). The resolver of interest for this >secure branch has the Mars Certification Agency KEY pre-configured and >knows that this is a secure entrypoint. Therefore this secure resolver >can positively validate the SIG(KEY) at the child. This assumes that all of the resolvers-of-interest are so configured. The problem is that for all other resolvers, this is a misconfiguration. >> This was legal under the policy in RFC 2535, section 6, but is not legal >> given the updating draft. > >Which draft would this be ? > draft-ietf-dnsext-simple-secure-update-01.txt, > draft-ietf-dnsext-signing-auth-01.txt or > draft-ietf-dnsext-zone-status-01.txt. #2 - signing-auth >According to 2535 there MUST be a NULL key signed by the parent in this >case. This is also needed to prevent denial of service for this >child for security aware resolvers, that are not preconfigured with >the Mars Certification Agency KEY and corresponding entry-points. >Of course, for these resolvers, the child is seen as unsecured. > >IMHO this doesn't say anything about the NULL key being a bad idea. The "bad idea" is that although the parent has properly issued a NULL key, the NULL key is not available (hidden). OTOH, if the indication were in the NXT record (current proposal is using the OPT record bit - we'll argue that later), then the parent can still signal that it thinks the child is unsecured. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NAI Labs Phone: +1 443-259-2352 Email: lewis@tislabs.com "It takes years of training to know when to do nothing" - Dogbert Opinions expressed are property of my evil twin, not my employer. to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
- Re: Redux: Why I want to remove the null key (SIG) Harald Tveit Alvestrand
- Re: Redux: Why I want to remove the null key (SIG) Bill Manning
- Re: Redux: Why I want to remove the null key (SIG) Roy Arends
- Re: Redux: Why I want to remove the null key (SIG) Bill Manning
- Re: Redux: Why I want to remove the null key (SIG) Ted Lindgreen
- Re: Redux: Why I want to remove the null key (SIG) Bill Manning
- Re: Redux: Why I want to remove the null key (SIG) Harald Tveit Alvestrand
- Re: Redux: Why I want to remove the null key (SIG) Roy Arends
- Re: Redux: Why I want to remove the null key (SIG) Roy Arends
- Re: Redux: Why I want to remove the null key (SIG) Bill Manning
- Re: Redux: Why I want to remove the null key (SIG) Edward Lewis
- Re: Redux: Why I want to remove the null key (SIG) Edward Lewis
- Re: Redux: Why I want to remove the null key (SIG) Bill Manning
- Re: Redux: Why I want to remove the null key (SIG) Roy Arends
- Re: Redux: Why I want to remove the null key (SIG) Roy Arends
- Re: Redux: Why I want to remove the null key (SIG) Edward Lewis
- Re: Redux: Why I want to remove the null key (SIG) Roy Arends
- Re: Redux: Why I want to remove the null key (SIG) Edward Lewis
- Re: Redux: Why I want to remove the null key (SIG) Bill Manning