Re: [dnsext] historical root keys for upgrade path?

Nicholas Weaver <nweaver@icsi.berkeley.edu> Mon, 31 January 2011 19:28 UTC

References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <17A80F45-52CB-43F6-BD4A-3488821F6933@hopcount.ca> <3A1DEE95-8C8E-4C89-97EB-6D8F799ADE25@virtualized.org> <583A62B0-0DBF-469A-AF8A-B81DEDD1E7E2@dotat.at> <86B1D38A-C274-4335-B30E-3C5C0DF05C38@hopcount.ca> <4D45DE93.9090508@vpnc.org> <AANLkTinbjRebooyqWMpZ2oTudruoDSGqgaXXr35WPYVH@mail.gmail.com> <AANLkTikiqe2K4S-dNsyQZ-xp71J4bM11SsahwpxfDKCX@mail.gmail.com> <4C747F08-A9E8-46E6-AE76-0A999A16D276@hopcount.ca> <AANLkTinOtx88vK3mz-w=uw1CnsKwm=c-nTDOsj=5JAPY@mail.gmail.com> <B4F822D3-F4D6-4657-B299-075B89B5CC86@hopcount.ca>
In-Reply-To: <B4F822D3-F4D6-4657-B299-075B89B5CC86@hopcount.ca>
Message-Id: <899F4D8E-2E75-44C3-A001-612582209C86@icsi.berkeley.edu>
From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Date: Mon, 31 Jan 2011 11:31:55 -0800
To: Joe Abley <jabley@hopcount.ca>
Cc: dnsext@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dnsext] historical root keys for upgrade path?

On Jan 31, 2011, at 11:20 AM, Joe Abley wrote:

> 
> On 2011-01-31, at 13:22, Brian Dickson wrote:
> 
>> On Mon, Jan 31, 2011 at 9:24 AM, Joe Abley <jabley@hopcount.ca> wrote:
>>> 
>>> Since we have a published DPS, let's refer to that rather than pulling numbers out of e-mail threads.
>>> 
>>> https://www.iana.org/dnssec/icann-dps.txt
>> 
>> Thanks for pointing that out.
>> 
>> Having read it, it appears that any new RZ KSK is pre-published and
>> signed by the old KSK for about 50 days only.
> 
> For a scheduled KSK roll, yes. Note that that's not what we're talking about.

I thought we WERE talking about for scheduled KSK rolls.

If we have either an algorithm or KSK key compromise, we have a far bigger problem, and going to a more human-centric route is probably doable.


ESPECIALLY if a failure for the TALINK-like mechanism (which fails for compromise cases) is 'do leap of faith for the root for NON-secure records', so even then the name lookups etc. will still work; only cryptographic trust mechanisms built on top of DNSSEC would fail.