IETF Logo Mail Archive

Re: [dnsext] MAR proposal #2: Allowing pre-publishing of DNSKEYs

"Marc Lampo" <marc.lampo@eurid.eu> Mon, 18 April 2011 07:46 UTC

Return-Path: <marc.lampo@eurid.eu>
X-Original-To: dnsext@ietfc.amsl.com
Delivered-To: dnsext@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id F0967E0790 for <dnsext@ietfc.amsl.com>; Mon, 18 Apr 2011 00:46:01 -0700 (PDT)
X-Quarantine-ID: <H1Fv9F4L-Vgu>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER SECTION, Improper folded header field made up entirely of whitespace (char 20 hex): References: ....00.1104011024530.92106@fle\n \n dge.watson.org>
X-Spam-Flag: NO
X-Spam-Score: -1.15
X-Spam-Level:
X-Spam-Status: No, score=-1.15 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MSGID_MULTIPLE_AT=1.449]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H1Fv9F4L-Vgu for <dnsext@ietfc.amsl.com>; Mon, 18 Apr 2011 00:46:01 -0700 (PDT)
Received: from barra.eurid.eu (mx.eurid.eu [212.190.206.103]) by ietfc.amsl.com (Postfix) with ESMTP id 11E09E078A for <dnsext@ietf.org>; Mon, 18 Apr 2011 00:45:53 -0700 (PDT)
X-ASG-Debug-ID: 1303112751-7f420b550001-uIE7UK
Received: from zimbra.eurid.eu (zcs-master.vt.eurid.eu [10.19.100.121]) by barra.eurid.eu with ESMTP id gXVjBLpW6DPV7gvv; Mon, 18 Apr 2011 09:45:51 +0200 (CEST)
X-Barracuda-Envelope-From: marc.lampo@eurid.eu
X-ASG-Whitelist: Client
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbra.eurid.eu (Postfix) with ESMTP id 4C08BE4072; Mon, 18 Apr 2011 09:39:23 +0200 (CEST)
X-Virus-Scanned: amavisd-new at techmail.eurid.eu
Received: from zimbra.eurid.eu ([127.0.0.1]) by localhost (zimbra.eurid.eu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id slPxFWbK34-n; Mon, 18 Apr 2011 09:39:23 +0200 (CEST)
Received: from zimbra.eurid.eu (zimbra.eurid.eu [10.19.100.120]) by zimbra.eurid.eu (Postfix) with ESMTP id 3A03EE4052; Mon, 18 Apr 2011 09:39:23 +0200 (CEST)
From: Marc Lampo <marc.lampo@eurid.eu>
To: 'Samuel Weiler' <weiler@watson.org>, dnsext@ietf.org
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <22284.1290447209@nsa.vix.com> <4CF4D54B.5000407@nlnetlabs.nl> <20110310223438.978E9C0E902@drugs.dv.isc.org> <4D79DDFA.3010006@nlnetlabs.nl> <alpine.BSF.2.00.1103140901170.99213@fledge.watson.org> <20110314213319.A2799C8CA0B@drugs.dv.isc.org> <alpine.BSF.2.00.1103141750530.74870@fledge.watson.org> <a06240800c9a50cf4632a@10.31.200.110> <AANLkTimUUa5zkr+hZH4jR-euENg_n=9EwtRVBN-cxr9_@mail.gmail.com> <a06240802c9a7b6cb4cc3@192.168.1.105> <AANLkTin+hMZ-27VjkQq7_44zNguMiefhxbgGD+-XZxPP@mail.gmail.com> <a06240802c9a7e0807069@10.31.200.117> <AANLkTi=4co5mS3RYhK1BvUMOm54wgNAMeKtk3_Zm0ff1@mail.gmail.com> <a06240802c9a93d762e13@[10.31.200.112]> <a06240803c9a9417e1fe8@[10.31.200.112]> <4D938CC3.1020103@nlnetlabs.nl> <a06240800c9ba6184d535@[10.31.200.112]> <4D94DF2B.1040407@nlnetlabs.nl> <a06240800c9bb6f86edae@[10.31.200.112]> <alpine.BSF.2.00.1104011022030.92106@fledge.watson.org> <alpine.BSF.2.00.1104011024530.92106@fle dge.watson.org>
In-Reply-To: <alpine.BSF.2.00.1104011024530.92106@fledge.watson.org>
Date: Mon, 18 Apr 2011 09:39:23 +0200
X-ASG-Orig-Subj: RE: [dnsext] MAR proposal #2: Allowing pre-publishing of DNSKEYs
Message-ID: <006901cbfd9c$a3844030$ea8cc090$@lampo>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
X-Mailer: Zimbra 6.0.10_GA_2692 (ZimbraConnectorForOutlook/5.0.3064.18)
Thread-Index: AcvweQlsNzl8joobT3235Msidg6wcwNIquNA
Content-Language: en-za
X-Originating-IP: [172.20.1.130]
X-Barracuda-Connect: zcs-master.vt.eurid.eu[10.19.100.121]
X-Barracuda-Start-Time: 1303112751
X-Barracuda-URL: http://172.20.1.190:8000/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at eurid.eu
Subject: Re: [dnsext] MAR proposal #2: Allowing pre-publishing of DNSKEYs
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Apr 2011 07:46:02 -0000

(sorry for the late reply - catching up ...)

I am not in favour of publishing DS records (in the parent)
referring towards DNSKEY records that are not present (in the child zone).
 (is this change seems to propose)

Motivation :
As registry we try to protect the chain-of trust towards our customers
by validating DNSSEC information presented to us.
Up till now, we have had several cases where such "orphaned" DS records
actually turned out to be configuration errors.
As our validation warned about this, we did not contribute to a broken
chain-of-trust.

If orphaned DS records were to become common,
we can no longer easily distinguish between "normal" and "error"
situation.


Kind regards,

Marc Lampo

 
-----Original Message-----
From: Samuel Weiler [mailto:weiler@watson.org] 
Sent: 01 April 2011 04:28 PM
To: dnsext@ietf.org
Subject: [dnsext] MAR proposal #2: Allowing pre-publishing of DNSKEYs

This is a proposed change in DNSSECbis that changes the mandatory 
algorithm rules.  I'm posting this as a summary of what I understand 
some may support; I don't support this change myself. Please post in 
this thread with your support or lack thereof.

For additional operational and zone-signing flexibility, particularly
to allow the publication of a DNSKEY of a new algorithm before a zone
is fully signed with that algorithm, we propose to change these rules
to use ONLY the DS RRset for algorithm signalling, not the DNSKEY
RRset.

Zones will be required to be signed with each algorithm (though not
necessarily eack key) present in the zone's DS RRset or configured
trust anchors.

My opinion:

In retrospect, we probably could have used this mechanism when we 
first wrote these rules -- the choice to use both DS and DNSKEY for 
signalling may have been an artifact of history.  As it is, this 
change may cause zones signed under these new rules to fail validation 
in deployed code, including unbound.  That alone is enough to lead me 
to oppose this change.

-- Sam

v2.23.0 | Report a Bug | By Email