Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
Edward Lewis <lewis@tislabs.com> Mon, 02 April 2001 05:50 UTC
Received: from psg.com (exim@[147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id BAA07827 for <dnsext-archive@lists.ietf.org>; Mon, 2 Apr 2001 01:50:18 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14jwsI-000BOm-00 for namedroppers-data@psg.com; Sun, 01 Apr 2001 22:27:34 -0700
Received: from 64-214-53-107.dhcp.arin.gblx.net ([64.214.53.107] helo=roam.psg.com ident=root) by psg.com with esmtp (Exim 3.16 #1) id 14jwsH-000BOg-00 for namedroppers@ops.ietf.org; Sun, 01 Apr 2001 22:27:33 -0700
Received: from randy by roam.psg.com with local (Exim 3.20 #1) id 14jwsO-0003mo-00 for namedroppers@ops.ietf.org; Sun, 01 Apr 2001 22:27:40 -0700
Message-Id: <v03130300b6ecc11924ad@[207.172.150.120]>
In-Reply-To: <Pine.LNX.4.30.0103301224540.1442-100000@localhost.localdomain>
References: <v03130306b6ea85023565@[207.172.150.120]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Sun, 01 Apr 2001 07:42:39 -0400
To: Brian Wellington <Brian.Wellington@nominum.com>
From: Edward Lewis <lewis@tislabs.com>
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
Cc: Edward Lewis <lewis@tislabs.com>, Ted.Lindgreen@tednet.nl, namedroppers@ops.ietf.org
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
At 4:28 PM -0400 3/30/01, Brian Wellington wrote: >Because that's what you said. "There is [sic] a few reasons to have the >data in the parent.", followed by said reasons. Oh. I meant that "there is [sic ;)] a few reasons to have the data in the child." >... But I'm not convinced that operation experience has shown that the >decision was wrong. The argument now is that it's somehow easier to store >keys in the parent. This is not true. In both cases, the key must be >sent from the child to the parent. In both cases, something must be sent >from the parent back to the child, whether this something may either be a >signed keyset or a confirmation doesn't change the fact that it's still a >message. >From what I've garnered from discussions, the issue is this: When the parent needs to change its keys, it will need to resign all of the children's keys and make the new signatures available. (More on this in a minute.) The issue of passing information back and forth at the delegation point is equal whether the existing signature-at-the-child is used or the new proposal. I consider that issue somewhat of a red herring in this discussion. Now, about the re-signing of the parent. In Sweden last fall the workshop changed the parent's key in the afternoon one of the days. Stepping backwards, the children had submitted keys via an HTTP interface and retrieved the signatures via another page. I forget if the parent explicitly retained the keys, but I do know that if a child submitted multiple keys sets (ie one for Monday, another for Tuesday), the later key set overwrote the first in the parent's system. What happened when the parent went to resign its zone, it turned out that one of two things happened. A child's key could either not be resigned (the parent no longer had it) or the child neglected to take the action to get the new key. Eventually, the parent marked unresponsive children as unsecured. (A few children did notice and were kept secured. Those children happened to be those sitting closest to the parent. Draw from that what you will.) The upshot is that there is a requirement that the parent keep a copy of all the children keys in order to make the resigning of the parent work - at least in my view. Now, this requirement could be met in two ways - the parent places the children keys in a database off-line where the signer can get to them or the parent keeps the keys in DNS. Personally, I don't care which is which (...this is an issue I'd like to get input from TLDs on - and NLnet is providing this input). Now, the issue is where the signature goes. This is a related question - recall that there were children who didn't grab the new signatures (because they weren't aware of them). So, does the delegator just cut the middleman and publish the signatures that it generated, or does the child need to be notified by (push) or need to poll the (pull) parent. NLnet is proposing cutting out the middleman... Yet another question...this proposal helps keep the parent-child relationship going, but is it secure? -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NAI Labs Phone: +1 443-259-2352 Email: lewis@tislabs.com Dilbert is an optimist. Opinions expressed are property of my evil twin, not my employer. to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: Signature at parent (draft-ietf-dnsop-parent-… Olaf Kolkman
- Re: Signature at parent (draft-ietf-dnsop-parent-… Roy Arends
- Re: Signature at parent (draft-ietf-dnsop-parent-… Miek Gieben
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… John Gilmore
- Re: Signature at parent (draft-ietf-dnsop-parent-… Olaf Kolkman
- Re: Signature at parent (draft-ietf-dnsop-parent-… Brian Wellington
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Kevin Darcy
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Eric A. Hall
- Re: Signature at parent (draft-ietf-dnsop-parent-… Dan Massey
- DNS vs. non-DNS Data (was Re: Signature at parent… Kevin Darcy
- Re: Signature at parent (draft-ietf-dnsop-parent-… Randy Bush
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: Signature at parent (draft-ietf-dnsop-parent-… Peter Koch
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Eric A. Hall
- Re: Signature at parent (draft-ietf-dnsop-parent-… Brian Wellington
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis