IETF Logo Mail Archive

Re: [dnsext] historal root keys for upgrade path?

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 27 January 2011 19:04 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 05A963A6818 for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 11:04:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.132
X-Spam-Level:
X-Spam-Status: No, score=-3.132 tagged_above=-999 required=5 tests=[AWL=0.467, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ni8EW8YtXsGv for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 11:04:47 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id C3A283A6835 for <dnsext@ietf.org>; Thu, 27 Jan 2011 11:04:46 -0800 (PST)
Received: by fxm9 with SMTP id 9so2715487fxm.31 for <dnsext@ietf.org>; Thu, 27 Jan 2011 11:07:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=8AeuMTYzJ5QCy+ugkfCzL94GoZPQ90/TnwQVEuWJ13o=; b=SkIKFkcbTX/cK7lJBmyvjQWktFmsxUmMU51KsMNDyC2YYiQ27lghukJNuTuy+Xoclx fC8Zt1nzgW4V3abm1iWK92zaxUPRKpZk6knYqolZFfZ9tmLEbIAqiXhpXX1FjAa2Omk4 yicRL+38Dx05/LoIDJihIbrl/UAj6naMxb3/g=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=mdzBtIYj8lFNIN9Tn4U8fMS/zSioh/W6A7HARfWf01fzPedwdIggwRm7M1hUfN2oHN mcexG6nQo+MFrtBv1wExu4Hkp1BxAneapRMOYdSt/LCKoq5csF8Z+xH0BJARvrcCORso tjicwkflrn3wrjksaTf0T0SJqI35nJ8ZO4IjI=
MIME-Version: 1.0
Received: by 10.223.123.142 with SMTP id p14mr1307256far.56.1296155138393; Thu, 27 Jan 2011 11:05:38 -0800 (PST)
Received: by 10.223.108.71 with HTTP; Thu, 27 Jan 2011 11:05:38 -0800 (PST)
In-Reply-To: <AANLkTi=eOGd0Ce0ei-c_MysqbHpp7NUWFPc-xCpt=muq@mail.gmail.com>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <4D3F233C.7000900@vpnc.org> <alpine.LFD.1.10.1101251510140.30991@newtla.xelerance.com> <alpine.LSU.2.00.1101261442120.3329@hermes-1.csi.cam.ac.uk> <AANLkTinCB-d2HWGY4kSOmfSCMNQ-D61keEE+1poTu11g@mail.gmail.com> <alpine.LFD.1.10.1101260958490.30991@newtla.xelerance.com> <82vd1amfjm.fsf@mid.bfk.de> <AANLkTi=eOGd0Ce0ei-c_MysqbHpp7NUWFPc-xCpt=muq@mail.gmail.com>
Date: Thu, 27 Jan 2011 15:05:38 -0400
Message-ID: <AANLkTimiaL-eSWSAEfsDqjgZsSuU5HfkMyM2uP5v34za@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Florian Weimer <fweimer@bfk.de>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] historal root keys for upgrade path?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2011 19:04:48 -0000

On Thu, Jan 27, 2011 at 1:49 PM, Brian Dickson
<brian.peter.dickson@gmail.com> wrote:

> We complain about adoption delays. This, we should be falling over
> ourselves to assist on, or never, ever complain again about adoption.
> Seriously.

/*  *mouth = money */

Open question, to whoever feels like answering it:
Would the following, as a general mechanism for publishing someone
else's DNSKEY (securely) work?
(Here, "foreign" means, we don't hold the private keys)

(1) Using a current, known-good trust anchor, retrieve and validate
the (foreign) DNSKEY data (possibly plural).
(2) For every algorithm in the set of foreign DNSKEY data :
(2a) Generate (one time only!!!)  a new public/private key pair for
our own (local) DNSKEY
(2b) Combine the local and foreign DNSKEY data into the apex of our
own zone file, for which we are authoritative.
(2c) Sign the DNSKEYs with our private keys
(2d) RRSIGs signed by our DNSKEYs are the only RRSIGs, and there is
one for every DNSKEY algorithm present, so even "strict" validators
should be happy
(3) Provide our (permanent) public keys as trust anchors, to whoever
will use our zone as a "bootstrap" for the foreign (possibly changing)
DNSKEYs.
(4) As necessary, i.e. whenever any foreign DNSKEY needs to be
updated, added/deleted, make corresponding adds/changes to our DNSKEY
set, and re-sign the RRSET

NB - the same foreign DNSKEYs can be kept in multiple zones, so that
specific instance usage can be tracked over time.

E.g. over time, the set of algorithms required by the foreign keys may
change, and rather than continue to sign with a superset of
historically-used algorithms,  newer instances of the zone get signed
only with new local DNSKEYs for the current algorithms. Older zone
instances continue being signed with the older keys/algorithms, so
there could be a weakness related to use of them, but that would be
limited to clients with old keys, which would expect to tail off over
time (drastically, perhaps).

These zones would be used only for bootstrapping DNSKEY data used for
"real" trust anchors, and could be discarded once the "real" trust
anchor has been validated (and *only* then).

The bootstrap process would need to rely on DNSSEC-unknown
(unvalidated) data, to reach the trust-anchored zone, but the fact
that the zone is signed with the trust anchor itself, provides
"enough" security to be considered "secure", IMHO.

Brian

v2.23.0 | Report a Bug | By Email