Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
David Conrad <drc@virtualized.org> Fri, 28 January 2011 06:03 UTC
Return-Path: <drc@virtualized.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3D5683A6BCC for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 22:03:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.532
X-Spam-Level:
X-Spam-Status: No, score=-0.532 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_NUMERIC_HELO=2.067]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nxjFD49k1tS8 for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 22:03:10 -0800 (PST)
Received: from virtualized.org (trantor.virtualized.org [204.152.189.190]) by core3.amsl.com (Postfix) with ESMTP id B85023A6BC0 for <dnsext@ietf.org>; Thu, 27 Jan 2011 22:03:08 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by virtualized.org (Postfix) with ESMTP id 7550210625A1; Thu, 27 Jan 2011 22:06:14 -0800 (PST)
X-Quarantine-ID: <1eauwqF7LzTc>
X-Virus-Scanned: amavisd-new at virtualized.org
Received: from virtualized.org ([127.0.0.1]) by localhost (trantor.virtualized.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1eauwqF7LzTc; Thu, 27 Jan 2011 22:06:12 -0800 (PST)
Received: from 205.122.224.10.in-addr.arpa (m170436d0.tmodns.net [208.54.4.23]) by virtualized.org (Postfix) with ESMTP id 733EA1062599; Thu, 27 Jan 2011 22:06:12 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: David Conrad <drc@virtualized.org>
In-Reply-To: <4D41D3E2.6060107@cisco.com>
Date: Thu, 27 Jan 2011 22:06:13 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <3976B502-F2D5-4C70-8354-B46A9185E9CF@virtualized.org>
References: <4D41D3E2.6060107@cisco.com>
To: John Bashinski <jbash@cisco.com>
X-Mailer: Apple Mail (2.1082)
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 06:03:12 -0000
John, Very useful note, thanks! On Jan 27, 2011, at 12:21 PM, John Bashinski wrote: > At the moment, the following are under consideration: > > I. Get IANA and the root zone to provide some kind of service for > getting up to date starting from old trust roots. If you only want to use DNS/DNSSEC, the implication of this is that the old trust roots would need to be forever (or at least the longest lifetime of all products) secure. This would also sort of defeat the purpose of scheduled key rolls and would fail in the face of a key roll caused by known or suspected key compromise (you won't want to chain up through a known-compromised key). > II. Provide our own key update service. How would this be (conceptually) different than providing a (secure) software update service? (Somewhat as an aside, in a world in which you can't trust admins, I'd argue that (by default) requiring user approval to install updates is demonstrably more risky to the Internet at large than otherwise.) > III. Try to ship devices with up-to-date keys, and rely on admins to > update them when that fails. I think this would blow up on us, and > I got some indignant pushback for even suggesting it. I'd agree relying on admins is unlikely to work. > IV. Weaken the scheme in one of the following ways: > > a. Just query for the key record for the root zone at installation > time, and believe whatever comes back. At least you're only exposed > at one time instead of forever afterwards. > > b. Try a wired-in key, then fall back to (a) if it doesn't > work. Which isn't every different from (a). This doesn't seem that much different from III. You'd have to rely on the admin to do something (in this case, ensure the initial connection used to fetch the root key is safe). > Using the current public X.509 PKI is NOT under consideration. Understandable. However, this doesn't necessarily preclude the use of a private (not necessarily X.509, e.g., PGP/GPG) PKI. Fundamentally, I don't see how this can be solved securely via DNS/DNSSEC. Regards, -drc
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- [dnsext] Historical root keys: The Large Router V… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… David Conrad
- Re: [dnsext] Historical root keys: The Large Rout… Brian Dickson
- Re: [dnsext] Historical root keys: The Large Rout… Jakob Schlyter
- Re: [dnsext] Historical root keys: The Large Rout… Florian Weimer
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Andrew Sullivan
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Nicholas Weaver
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- [dnsext] A question about the need for "historica… Edward Lewis
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] A question about the need for "histo… John Bashinski
- Re: [dnsext] A question about the need for "histo… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] A question about the need for "histo… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Chris Thompson
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Olafur Gudmundsson