Re: [dnsext] historal root keys for upgrade path?
Brian Dickson <brian.peter.dickson@gmail.com> Thu, 27 January 2011 19:04 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 05A963A6818 for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 11:04:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.132
X-Spam-Level:
X-Spam-Status: No, score=-3.132 tagged_above=-999 required=5 tests=[AWL=0.467, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ni8EW8YtXsGv for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 11:04:47 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id C3A283A6835 for <dnsext@ietf.org>; Thu, 27 Jan 2011 11:04:46 -0800 (PST)
Received: by fxm9 with SMTP id 9so2715487fxm.31 for <dnsext@ietf.org>; Thu, 27 Jan 2011 11:07:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=8AeuMTYzJ5QCy+ugkfCzL94GoZPQ90/TnwQVEuWJ13o=; b=SkIKFkcbTX/cK7lJBmyvjQWktFmsxUmMU51KsMNDyC2YYiQ27lghukJNuTuy+Xoclx fC8Zt1nzgW4V3abm1iWK92zaxUPRKpZk6knYqolZFfZ9tmLEbIAqiXhpXX1FjAa2Omk4 yicRL+38Dx05/LoIDJihIbrl/UAj6naMxb3/g=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=mdzBtIYj8lFNIN9Tn4U8fMS/zSioh/W6A7HARfWf01fzPedwdIggwRm7M1hUfN2oHN mcexG6nQo+MFrtBv1wExu4Hkp1BxAneapRMOYdSt/LCKoq5csF8Z+xH0BJARvrcCORso tjicwkflrn3wrjksaTf0T0SJqI35nJ8ZO4IjI=
MIME-Version: 1.0
Received: by 10.223.123.142 with SMTP id p14mr1307256far.56.1296155138393; Thu, 27 Jan 2011 11:05:38 -0800 (PST)
Received: by 10.223.108.71 with HTTP; Thu, 27 Jan 2011 11:05:38 -0800 (PST)
In-Reply-To: <AANLkTi=eOGd0Ce0ei-c_MysqbHpp7NUWFPc-xCpt=muq@mail.gmail.com>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <4D3F233C.7000900@vpnc.org> <alpine.LFD.1.10.1101251510140.30991@newtla.xelerance.com> <alpine.LSU.2.00.1101261442120.3329@hermes-1.csi.cam.ac.uk> <AANLkTinCB-d2HWGY4kSOmfSCMNQ-D61keEE+1poTu11g@mail.gmail.com> <alpine.LFD.1.10.1101260958490.30991@newtla.xelerance.com> <82vd1amfjm.fsf@mid.bfk.de> <AANLkTi=eOGd0Ce0ei-c_MysqbHpp7NUWFPc-xCpt=muq@mail.gmail.com>
Date: Thu, 27 Jan 2011 15:05:38 -0400
Message-ID: <AANLkTimiaL-eSWSAEfsDqjgZsSuU5HfkMyM2uP5v34za@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Florian Weimer <fweimer@bfk.de>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] historal root keys for upgrade path?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2011 19:04:48 -0000
On Thu, Jan 27, 2011 at 1:49 PM, Brian Dickson <brian.peter.dickson@gmail.com> wrote: > We complain about adoption delays. This, we should be falling over > ourselves to assist on, or never, ever complain again about adoption. > Seriously. /* *mouth = money */ Open question, to whoever feels like answering it: Would the following, as a general mechanism for publishing someone else's DNSKEY (securely) work? (Here, "foreign" means, we don't hold the private keys) (1) Using a current, known-good trust anchor, retrieve and validate the (foreign) DNSKEY data (possibly plural). (2) For every algorithm in the set of foreign DNSKEY data : (2a) Generate (one time only!!!) a new public/private key pair for our own (local) DNSKEY (2b) Combine the local and foreign DNSKEY data into the apex of our own zone file, for which we are authoritative. (2c) Sign the DNSKEYs with our private keys (2d) RRSIGs signed by our DNSKEYs are the only RRSIGs, and there is one for every DNSKEY algorithm present, so even "strict" validators should be happy (3) Provide our (permanent) public keys as trust anchors, to whoever will use our zone as a "bootstrap" for the foreign (possibly changing) DNSKEYs. (4) As necessary, i.e. whenever any foreign DNSKEY needs to be updated, added/deleted, make corresponding adds/changes to our DNSKEY set, and re-sign the RRSET NB - the same foreign DNSKEYs can be kept in multiple zones, so that specific instance usage can be tracked over time. E.g. over time, the set of algorithms required by the foreign keys may change, and rather than continue to sign with a superset of historically-used algorithms, newer instances of the zone get signed only with new local DNSKEYs for the current algorithms. Older zone instances continue being signed with the older keys/algorithms, so there could be a weakness related to use of them, but that would be limited to clients with old keys, which would expect to tail off over time (drastically, perhaps). These zones would be used only for bootstrapping DNSKEY data used for "real" trust anchors, and could be discarded once the "real" trust anchor has been validated (and *only* then). The bootstrap process would need to rely on DNSSEC-unknown (unvalidated) data, to reach the trust-anchored zone, but the fact that the zone is signed with the trust anchor itself, provides "enough" security to be considered "secure", IMHO. Brian
- [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Stephan Lagerholm
- Re: [dnsext] historal root keys for upgrade path? Andrew Sullivan
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Hoffman
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Hoffman
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Edward Lewis
- Re: [dnsext] historal root keys for upgrade path? Thierry Moreau
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Edward Lewis
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Alex Nicoll
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Stephan Lagerholm
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Jakob Schlyter
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Nicholas Weaver
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Matthew Dempsky
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Paul Vixie
- Re: [dnsext] historal root keys for upgrade path? Paul Vixie
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Andrew Sullivan
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? David Conrad
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Thierry Moreau
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Paul Hoffman
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? W.C.A. Wijngaards
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Nicholas Weaver
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Nicholas Weaver
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Joe Abley
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Brian Dickson
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Jakob Schlyter
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Jakob Schlyter
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Tony Finch
- Re: [dnsext] historal root keys for upgrade path? Phillip Hallam-Baker
- Re: [dnsext] historal root keys for upgrade path? Ted Lemon
- Re: [dnsext] historal root keys for upgrade path? Paul Wouters
- Re: [dnsext] historal root keys for upgrade path? Florian Weimer