Minimalist TAK automated rollover procedure in DNS resolver
Thierry Moreau <thierry.moreau@connotech.com> Thu, 10 August 2006 16:29 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GBDPl-0007g6-QG for dnsext-archive@lists.ietf.org; Thu, 10 Aug 2006 12:29:45 -0400
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GBDPg-0001WJ-AC for dnsext-archive@lists.ietf.org; Thu, 10 Aug 2006 12:29:45 -0400
Received: from majordom by psg.com with local (Exim 4.60 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1GBDJ9-000FCb-0C for namedroppers-data@psg.com; Thu, 10 Aug 2006 16:22:55 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.1.1
Received: from [216.127.148.222] (helo=mail2.sea.safepages.com) by psg.com with esmtp (Exim 4.60 (FreeBSD)) (envelope-from <thierry.moreau@connotech.com>) id 1GBDJ6-000FCB-Cw for namedroppers@ops.ietf.org; Thu, 10 Aug 2006 16:22:52 +0000
Received: by mail2.sea.safepages.com (Postfix, from userid 1012) id F33FE68CAC; Thu, 10 Aug 2006 16:22:48 +0000 (GMT)
Received: from connotech.com (unknown [165.154.49.7]) by mail2.sea.safepages.com (Postfix) with ESMTP id EC26568D1D for <namedroppers@ops.ietf.org>; Thu, 10 Aug 2006 16:14:23 +0000 (GMT)
Message-ID: <44DB5BF5.1040501@connotech.com>
Date: Thu, 10 Aug 2006 12:16:53 -0400
From: Thierry Moreau <thierry.moreau@connotech.com>
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Namedroppers <namedroppers@ops.ietf.org>
Subject: Minimalist TAK automated rollover procedure in DNS resolver
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c83ccb5cc10e751496398f1233ca9c3a
Dear dnsext wg participants: The TAK automated rollover protocol consists of a zone administrator procedure (reflected in the responses provided by authoritative nameservers for the zone), and a resolver procedure. The present message raises the question of a minimalist resolver procedure that "does the job" in every operational conditions *that are to be expected in practice*, and conceptually could survive operational mismanagement of the zone which would, paradoxically, be detrimental to resolvers implementations of the full TAK rollover specification. The minimalist TAK automated rollover procedure in DNS resolver is as follows: o A trust anchor key is a DNSKEY RR that is flagged as such in the current DNS resolver state. o Whenever a DNSKEY RRset is validly signed by an RRSIG RR using a trust anchor key, every DNSKEY RR in the RRset becomes a trust anchor key. o Also when a DNSKEY RRset is validly signed by an RRSIG RR using a trust anchor key, the DNS resolver implementation may drop any current trust anchor key for the same zone but absent from the RRset. Such minimalist procedure may be implemented in a resolver on the basis of either local policy support, software release expeditiousness, or even software design criteria prioritizing operational resilience over ultimate security. There are two categories of operational conditions that are relevant to the question of a minimalist resolver procedure: 1) false validation in minimalist resolver implementation: security incidents that would be properly handled (either successfully recovered or detected with loss of valid trusted key) by the fully compliant resolvers implementations, but bringing minimalist resolver implementation to an *undetected* breached state, 2) false invalidation in fully compliant resolver implementation: unusual operational sequence of a zone administration (devoid of ill intentioned behavior) that would bring the fully compliant resolvers to a loss of valid trusted key (or other type of false alarm) but would be handled gracefully (i.e. the resolver maintains a non- empty set of trust anchors with one of them allowing zone contents verification at any single point in time). The main argument for operating a minimalist resolver implementation is the small likelihood of operational condition 1) above. After all, a zone administrator for an island of trust, including the root, somehow commits to properly handle any DNSSEC private signature key. The operational condition 2), if it ever occurs once resolver implementations of the two kinds are deployed, would be very detrimental to the acceptance of fully compliant resolver implementations. This suggests a test strategy for a TAK automated rollover scheme: in a lab setup, operate the two types of resolvers, and exercise diversified zone administration actions (irrespective of compliance to the rollover specification); detect and document any corner case leading to the operational condition 2) above. For the purpose of this post, a fully compliant resolver implementation may be associated with timers-based TAK automated rollover procedure (draft-ietf-dnsext-trustupdate-timers-03.txt). The TAKREM TAK automated rollover procedure (draft-moreau-dnsext-sdda-rr-02.txt, draft-moreau-dnsext-takrem-dns-02.txt) does not interoperate with the minimalist TAK automated rollover procedure in DNS resolver (except perhaps for awkward resolvers polling the DNSKEY RRsets for islands of trust at a high frequency). If promotion of good quality DNSSEC implementation at the resolver side is desirable, this TAKREM lack of interoperability with a less secure resolver implementation is a good thing. The fundamental issue is that an implementation claim of DNSSEC compliance is an interoperability claim (claim supported by empirical evidence), while the DNSSEC stated goal is end-to-end data assurance mechanism which, by definition, implies resistance to security incidents that are unlikely to be observed (by virtue of the deterrent effect of security measures). There is no software quality or security standard that can be readily applied to a DNSSEC resolver implementation to provide assurance that Internet clients actually experience increased security from DNSSEC support. Regards, -- - Thierry Moreau CONNOTECH Experts-conseils inc. 9130 Place de Montgolfier Montreal, Qc Canada H2M 2A1 Tel.: (514)385-5691 Fax: (514)385-5900 web site: http://www.connotech.com e-mail: thierry.moreau@connotech.com -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Minimalist TAK automated rollover procedure in DN… Thierry Moreau