Re: [dnsext] Historical root keys: The Large Router Vendor Speaks

Olafur Gudmundsson <ogud@ogud.com> Tue, 01 February 2011 19:09 UTC

Return-Path: <ogud@ogud.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9DD4F3A6C4F for <dnsext@core3.amsl.com>; Tue, 1 Feb 2011 11:09:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.562
X-Spam-Level:
X-Spam-Status: No, score=-102.562 tagged_above=-999 required=5 tests=[AWL=0.037, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YcNLV-nYWxdd for <dnsext@core3.amsl.com>; Tue, 1 Feb 2011 11:09:17 -0800 (PST)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by core3.amsl.com (Postfix) with ESMTP id DD0583A6B01 for <dnsext@ietf.org>; Tue, 1 Feb 2011 11:09:16 -0800 (PST)
Received: from [IPv6:::1] (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p11JCXeW044704 for <dnsext@ietf.org>; Tue, 1 Feb 2011 14:12:33 -0500 (EST) (envelope-from ogud@ogud.com)
Message-ID: <4D485B1B.80801@ogud.com>
Date: Tue, 01 Feb 2011 14:12:27 -0500
From: Olafur Gudmundsson <ogud@ogud.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: dnsext@ietf.org
References: <4D41D3E2.6060107@cisco.com> <82r5bxl8yo.fsf@mid.bfk.de> <1964C69C6E2043BAA45387ED557C72E2@local> <alpine.LSU.2.00.1102011624120.5244@hermes-1.csi.cam.ac.uk> <5AD6E9AC27744EC0BA907125654003F8@local>
In-Reply-To: <5AD6E9AC27744EC0BA907125654003F8@local>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Feb 2011 19:09:20 -0000

On 01/02/2011 11:50 AM, George Barwood wrote:
>
> ----- Original Message -----
> From: "Tony Finch"<dot@dotat.at>
> To: "George Barwood"<george.barwood@blueyonder.co.uk>
> Cc:<dnsext@ietf.org>
> Sent: Tuesday, February 01, 2011 4:25 PM
> Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
>
>
>> On Fri, 28 Jan 2011, George Barwood wrote:
>>>
>>> I think it's necessary to roll the key eventually because DNSSEC
>>> signature dates wrap, (and signatures can therefore be replayed) but
>>> only after 136 years.
>>
>> There are no dates on DNS keys so I don't understand the relevance of this
>> point.
>
> Ok, we are talking about replay attacks.
>
> The date fields in RRSIG records wrap around after 136 years,  so an attacker
> can replay responses from 136 years ago and they will be accepted as current,
> if no KSK rollover has been performed.
>
> Thus in DNSSEC, you must roll any KSK at least once every 136 years to remain secure.
>
> ( 136 years = 2^32 seconds )
>

Actually there is no explicit requirement to roll; you need signatures 
to be included that show the key has not changed every 34 years or so, 
as validators are supposed to only accept timer values that are not that 
far off from each other (there are times I wish we had gone with at least 
40-bit timer values).

	Olafur
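The exchange above turns on how a validator compares RRSIG Inception and Expiration fields. RFC 4034 section 3.1.5 stores both as 32-bit seconds since the epoch and requires all comparisons to use RFC 1982 serial-number arithmetic, which is why a validity window (and the distance between the validator's clock and either timestamp) cannot exceed 2**31 seconds (about 68 years), and why the 32-bit values repeat every 2**32 seconds (about 136 years). The following is an added example, not code from the thread or from any DNS implementation: a pure-Python checker that parses the two timestamps from a constructed RRSIG presentation-format line (the key tag, signer name and signature bytes are made up), applies the RFC 4035 section 5.3.1 time checks with serial arithmetic, and exercises the cases the thread discusses plus one it does not, a window that straddles the 2106 wrap of the 32-bit counter. The `replay_2147` case reproduces George Barwood's observation: once the validator's own 32-bit notion of "now" has wrapped, the 2011 signature's timestamps are indistinguishable from current ones.

```python
# Added example (not from the thread): RRSIG timestamp checks with RFC 1982
# serial-number arithmetic, as RFC 4034 section 3.1.5 requires.
from datetime import datetime, timezone

MOD = 1 << 32    # RRSIG Inception/Expiration are 32-bit seconds since 1970-01-01 UTC
HALF = 1 << 31   # RFC 1982 comparison window: values farther apart than this are unordered


def epoch_seconds(ts: str) -> int:
    """Parse an RRSIG presentation-format timestamp (YYYYMMDDHHmmSS, UTC) to
    seconds since the epoch, without truncation."""
    dt = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def to_serial(ts: str) -> int:
    """Same, truncated to the 32-bit wire value a validator actually sees."""
    return epoch_seconds(ts) % MOD


def serial_lt(a: int, b: int):
    """RFC 1982 'a < b' on 32-bit serials.  Returns None when the relation is
    undefined (the two values differ by exactly 2**31)."""
    a %= MOD
    b %= MOD
    if a == b:
        return False
    d = (b - a) % MOD          # distance walking forward around the ring from a to b
    if d == HALF:
        return None
    return d < HALF            # b is "ahead" of a by less than half the ring


def serial_le(a: int, b: int):
    lt = serial_lt(a, b)
    if lt is None:
        return None
    return lt or (a % MOD == b % MOD)


def parse_rrsig(line: str):
    """Return (expiration, inception) as 32-bit serials from an RRSIG in
    presentation format.  RFC 4034 section 3.2 field order after 'RRSIG':
    type-covered, algorithm, labels, original-TTL, expiration, inception,
    key-tag, signer, signature.  Note expiration precedes inception."""
    fields = line.split()
    i = fields.index("RRSIG")
    return to_serial(fields[i + 5]), to_serial(fields[i + 6])


def rrsig_time_ok(expiration: int, inception: int, now: int):
    """RFC 4035 section 5.3.1: inception <= now <= expiration, every comparison
    done with serial arithmetic.  Returns (ok, reason)."""
    now %= MOD     # the validator's clock is itself reduced to 32 bits on the wire
    if serial_le(inception, expiration) is not True:
        # Also rejects a window of exactly 2**31 s (undefined) and inverted
        # windows, which could otherwise pass both checks below at some 'now'.
        return False, "window inverted or not expressible (>= 2**31 seconds)"
    if serial_le(inception, now) is not True:
        return False, "signature not yet valid"
    if serial_le(now, expiration) is not True:
        return False, "signature expired"
    return True, "ok"


# Constructed sample record; key tag, signer and signature are placeholders.
SAMPLE_RRSIG = ("example. 86400 IN RRSIG SOA 8 1 86400 20110301000000 20110201000000 "
                "12345 example. AwEAAc0nstructedS1gnatureBytes==")


def demo():
    """Run the cases discussed in the thread; returns a dict of name -> accepted?"""
    exp, inc = parse_rrsig(SAMPLE_RRSIG)
    r = {}
    r["fresh"] = rrsig_time_ok(exp, inc, to_serial("20110215120000"))[0]      # inside the window
    r["expired"] = rrsig_time_ok(exp, inc, to_serial("20120215120000"))[0]    # a year later
    # 2**32 seconds (about 136 years, so during 2147) after the 'fresh' check:
    # the validator's 32-bit clock has wrapped, so the old response replays.
    replay_now = epoch_seconds("20110215120000") + MOD
    r["replay_2147"] = rrsig_time_ok(exp, inc, replay_now)[0]
    # Window straddling the 2106 wrap: inception 1 h before 2**32, expiration 1 h
    # after (stored as 3600, numerically *smaller* than inception).  A naive
    # integer comparison rejects a 'now' 60 s past the wrap; serial arithmetic accepts it.
    inc_w, exp_w, now_w = MOD - 3600, (MOD + 3600) % MOD, (MOD + 60) % MOD
    r["wrap_naive"] = inc_w <= now_w <= exp_w
    r["wrap_serial"] = rrsig_time_ok(exp_w, inc_w, now_w)[0]
    # A window of 2**31 seconds or longer is not expressible in this format.
    r["too_long"] = rrsig_time_ok(HALF + 1, 0, 1000)[0]
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:12s} accepted={ok}")
```

The `too_long` and undefined-difference cases show the practical consequence of RFC 1982: any pair of RRSIG timestamps, and the validator's clock relative to them, must lie within half the 32-bit ring of each other, so an implementation that skipped the `inception <= expiration` check could be tricked at some clock values by an inverted window.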