Re: [dnsext] historal root keys for upgrade path?

[Paul Hoffman <paul.hoffman@vpnc.org>]

On 1/25/11 9:53 AM, Paul Wouters wrote:
>
> A very large router vendor is about to make it mandatory that new devices
> they produce use dnssec by default. One issue that comes up with that
> is what happens if these devices were off long enough for a rollover to
> have happened and the RFC5011 bit/key has been retired.
>
> Are there plans to create a zone with all old root keys, that all sign the
> DNSKEY RRset (eg rootkeys.root-servers.net) so that having ANY one old root
> key could lead you to get a signed version of the latest root key? This way
> you could disable DNSSEC to resolve rootkeys.root-servers.net, use your
> current key to confirm the latest key, configure it, and drop the cache,
> and you're golden.
>
> Is something like this even possible? I'm not sure what happens to the
> root private keys once they are retired...

It is possible, but not in the way you seem to be thinking. If you 
trusted that hardware/software vendor to securely populate your trust 
anchor store originally, you can trust them to do so in the future as well.

One simple method would be, when you see you have a stale trust anchor 
and no way to use 5011 to get a fresher one, to securely ask the vendor 
for the new trust anchor out of band (that is, not using the DNS). There 
are lots of ways to do this, and none need to be standardized. One 
simple method is to do a HTTP-over-TLS query to a pre-loaded IP address 
that is controlled by the vendor, and validate the session with a 
certificate that is not tied to the DNS. Another simple(r?) method is 
SSH to an IP address controlled by the vendor (and so on).

Bootstrapping is hard, but once you have done it, you can reuse the 
trust logic you used to do it again.

--Paul Hoffman