IETF Logo Mail Archive

Re: Redux: Why I want to remove the null key (SIG)

Edward Lewis <lewis@tislabs.com> Fri, 23 June 2000 18:03 UTC

Received: from psg.com (psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA16447 for <dnsext-archive@lists.ietf.org>; Fri, 23 Jun 2000 14:03:11 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.13 #1) id 135XDW-0008G9-00 for namedroppers-data@psg.com; Fri, 23 Jun 2000 10:26:10 -0700
Received: from [212.158.2.190] (helo=roam.psg.com) by psg.com with esmtp (Exim 3.13 #1) id 135XDU-0008Fm-00 for namedroppers@ops.ietf.org; Fri, 23 Jun 2000 10:26:09 -0700
Received: from randy by roam.psg.com with local (Exim 3.12 #1) id 135XDQ-0000jb-00 for namedroppers@ops.ietf.org; Fri, 23 Jun 2000 18:26:04 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <v03130302b5792af29da0@[207.172.148.170]>
In-Reply-To: <Pine.BSF.4.21.0006141506170.30682-100000@open.nlnetlabs.nl>
Date: Fri, 23 Jun 2000 12:44:52 -0400
To: Roy Arends <roy@nlnetlabs.nl>
From: Edward Lewis <lewis@tislabs.com>
Subject: Re: Redux: Why I want to remove the null key (SIG)
Cc: namedroppers <namedroppers@ops.ietf.org>, Edward Lewis <lewis@tislabs.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Content-Transfer-Encoding: 7bit

At 9:39 AM -0400 6/14/00, Roy Arends wrote:
>As this child has a KEY, which is validated off-tree, a secure entrypoint
>is defined here (as explained in our remarks on the
>draft-ietf-dnsext-zone-status-01.txt). The resolver of interest for this
>secure branch has the Mars Certification Agency KEY pre-configured and
>knows that this is a secure entrypoint.  Therefore this secure resolver
>can positively validate the SIG(KEY) at the child.

This assumes that all of the resolvers-of-interest are so configured.  The
problem is that for all other resolvers, this is a misconfiguration.

>> This was legal under the policy in RFC 2535, section 6, but is not legal
>> given the updating draft.
>
>Which draft would this be ?
>  draft-ietf-dnsext-simple-secure-update-01.txt,
>  draft-ietf-dnsext-signing-auth-01.txt or
>  draft-ietf-dnsext-zone-status-01.txt.

#2 - signing-auth

>According to 2535 there MUST be a NULL key signed by the parent in this
>case. This is also needed to prevent denial of service for this
>child for security aware resolvers, that are not preconfigured with
>the Mars Certification Agency KEY and corresponding entry-points.
>Of course, for these resolvers, the child is seen as unsecured.
>
>IMHO this doesn't say anything about the NULL key being a bad idea.

The "bad idea" is that although the parent has properly issued a NULL key,
the NULL key is not available (hidden).  OTOH, if the indication were in
the NXT record (current proposal is using the OPT record bit - we'll argue
that later), then the parent can still signal that it thinks the child is
unsecured.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

"It takes years of training to know when to do nothing" - Dogbert

Opinions expressed are property of my evil twin, not my employer.




to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.

v2.23.0 | Report a Bug | By Email