IETF Logo Mail Archive

Re: [dnsext] Historical root keys: The Large Router Vendor Speaks

"George Barwood" <george.barwood@blueyonder.co.uk> Tue, 01 February 2011 16:47 UTC

Return-Path: <george.barwood@blueyonder.co.uk>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 92B003A6C23 for <dnsext@core3.amsl.com>; Tue, 1 Feb 2011 08:47:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.731
X-Spam-Level:
X-Spam-Status: No, score=0.731 tagged_above=-999 required=5 tests=[AWL=0.136, BAYES_00=-2.599, HELO_EQ_BLUEYON=1.4, MIME_BASE64_BLANKS=0.041, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D0Ost4TRBG0x for <dnsext@core3.amsl.com>; Tue, 1 Feb 2011 08:47:11 -0800 (PST)
Received: from smtp-out3.blueyonder.co.uk (smtp-out3.blueyonder.co.uk [195.188.213.6]) by core3.amsl.com (Postfix) with ESMTP id 5C6B83A6BFF for <dnsext@ietf.org>; Tue, 1 Feb 2011 08:47:11 -0800 (PST)
Received: from [172.23.170.141] (helo=anti-virus02-08) by smtp-out3.blueyonder.co.uk with smtp (Exim 4.52) id 1PkJQx-00015h-N5; Tue, 01 Feb 2011 16:50:27 +0000
Received: from [92.238.99.235] (helo=GeorgeLaptop) by asmtp-out6.blueyonder.co.uk with smtp (Exim 4.72) (envelope-from <george.barwood@blueyonder.co.uk>) id 1PkJQf-0000YX-00; Tue, 01 Feb 2011 16:50:09 +0000
Message-ID: <5AD6E9AC27744EC0BA907125654003F8@local>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Tony Finch <dot@dotat.at>
References: <4D41D3E2.6060107@cisco.com> <82r5bxl8yo.fsf@mid.bfk.de> <1964C69C6E2043BAA45387ED557C72E2@local> <alpine.LSU.2.00.1102011624120.5244@hermes-1.csi.cam.ac.uk>
Date: Tue, 01 Feb 2011 16:50:49 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Feb 2011 16:47:12 -0000

----- Original Message ----- 
From: "Tony Finch" <dot@dotat.at>
To: "George Barwood" <george.barwood@blueyonder.co.uk>
Cc: <dnsext@ietf.org>
Sent: Tuesday, February 01, 2011 4:25 PM
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks


> On Fri, 28 Jan 2011, George Barwood wrote:
>>
>> I think it's necessary to roll the key eventually because DNSSEC
>> signature dates wrap, (and signatures can therefore be replayed) but
>> only after 136 years.
> 
> There are no dates on DNS keys so I don't understand the relevance of this
> point.

Ok, we are talking about replay attacks.

The date fields in RRSIG records wrap around after 136 years,  so an attacker
can replay responses from 136 years ago and they will be accepted as current,
if no KSK rollover has been performed.

Thus in DNSSEC, you must roll any KSK at least once every 136 years to remain secure.

( 136 years = 2^32 seconds )

George

> Tony.
> -- 
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
> DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
> ROUGH. RAIN THEN FAIR. GOOD.

v2.23.0 | Report a Bug | By Email