IETF Logo Mail Archive

Re: [dnsext] Historical root keys: The Large Router Vendor Speaks

John Bashinski <jbash@cisco.com> Fri, 28 January 2011 17:25 UTC

Return-Path: <jbash@cisco.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 672393A68D2 for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 09:25:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.486
X-Spam-Level:
X-Spam-Status: No, score=-2.486 tagged_above=-999 required=5 tests=[AWL=0.113, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R3irsiVrEVog for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 09:25:20 -0800 (PST)
Received: from vps1.velvet.com (vps1.velvet.com [66.249.7.50]) by core3.amsl.com (Postfix) with ESMTP id 7B19C3A67C2 for <dnsext@ietf.org>; Fri, 28 Jan 2011 09:25:20 -0800 (PST)
Received: from candyfloss.jbash.velvet.com (206-248-144-221.dsl.teksavvy.com [206.248.144.221]) by vps1.velvet.com (Postfix) with ESMTPSA id 21B861A5305; Fri, 28 Jan 2011 12:28:24 -0500 (EST)
Received: from candyfloss.jbash.velvet.com (candyfloss.jbash.velvet.com [127.0.0.1]) by candyfloss.jbash.velvet.com (Postfix) with ESMTP id F3FE76726; Fri, 28 Jan 2011 12:28:22 -0500 (EST)
Message-ID: <4D42FCB6.70005@cisco.com>
Date: Fri, 28 Jan 2011 12:28:22 -0500
From: John Bashinski <jbash@cisco.com>
Organization: Cisco Systems, Inc.
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Lightning/1.0b3pre Thunderbird/3.1.7
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <4D41D3E2.6060107@cisco.com> <3125F45F-7594-498F-AFA3-D2D738A228F5@hopcount.ca> <4D42F597.8090006@vpnc.org>
In-Reply-To: <4D42F597.8090006@vpnc.org>
X-Enigmail-Version: 1.1.2
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="------------enigA8413E90374F2AED8CE658D3"
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 17:25:22 -0000

On 2011-01-28 11:57, Paul Hoffman wrote:

> Is there a reason that we are only focusing on one of the multiple
> proposals that this person proposed? Path II was:
>
>  II. Provide our own key update service. This might be DNS-based or
>      HTTP-based. It would provide either:
> 
>      a. The entire historical chain of DNS root KSKs, with older keys
>     signing newer ones, so that the device could pick up from
>     whatever key it had, OR
> 
>      b. Just the current root key, signed with a key validated by
>     Cisco's private X.509 PKI (the same PKI we use to sign
>         software), OR
> 
>      c. The chain of (a) further signed with a key from (b).
> 
>      We are obviously capable of this. We also obviously think it's
>      inferior to (I).

> It is not clear that it is inferior to (I) if doing (I) makes the
> entire system more fragile by adding another moving part.

I'm not sure I see how it does that. The new "moving part" isn't in
the main trust path. It's off to the side, and it doesn't affect
the basic system. It only affects devices that choose to validate
by default and choose to bootstrap from old keys.

If you do want to think of that as a new moving part, then if you have
every vendor do it separately,what you've really done is to add N
new moving parts instead of one.

> I think (II)(b) looks quite sane, easy to do right now, and if this
> community ever agrees to a safe way to do (I) *and* implements it,
> doing a firmware update to switch over to it would not be hard. I
> would not hold my breath, though.

> We're talking pre-loaded trust anchors here. They have the same power
> as pre-loaded software. If (II)(b) works for your software, it should
> work just fine for your trust anchors.

Actually, it's not quite the preloaded trust anchors we're talking
about. It's the updated keys that get validated using those preloaded
anchors.

It's a given that you're going to start with some key to bootstrap your
trust in DNSSEC, and that key is going to be preloaded. Then you're
going to download some updated DNSSEC trust root, and validate it
against your preloaded key.

The question is how the downloaded key got signed.

From my point of view, some person or persons, inside or outside of
Cisco, is going to have the ability to cause a new DNSSEC root key to
get signed using that preloaded key.

That person or persons is NOT going to be the same person or persons
who generates the software loads. I'm adding a new trusted entity
to the system.

I think you're saying "well, let Cisco be trusted; it's trusted already
anyway". That's true if you look at Cisco as a monolith, but I don't
have that luxury. Something has to be set up inside Cisco to deal with
handling these keys. The complexity still exists; it's just been made
less visible from a certain point of view.

So, the question is whether it's better to have a single, publicly
visible process that may be able to break a very large number
of devices, or a large number of hidden processes each of which
can break a smaller number of devices.

I tend to prefer the former.

						-- jbash

v2.23.0 | Report a Bug | By Email