IETF Logo Mail Archive

Re: weiler-dnssec-dlv-02

Thierry Moreau <thierry.moreau@connotech.com> Thu, 22 March 2007 23:36 UTC

Return-path: <owner-namedroppers@ops.ietf.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HUWpK-0003Kg-IS; Thu, 22 Mar 2007 19:36:14 -0400
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HUWpF-000090-U3; Thu, 22 Mar 2007 19:36:14 -0400
Received: from majordom by psg.com with local (Exim 4.63 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1HUWjN-000JIi-7A for namedroppers-data@psg.com; Thu, 22 Mar 2007 23:30:05 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO autolearn=ham version=3.1.7
Received: from [68.142.225.206] (helo=smtp108.rog.mail.re2.yahoo.com) by psg.com with smtp (Exim 4.63 (FreeBSD)) (envelope-from <thierry.moreau@connotech.com>) id 1HUWjJ-000JC6-8z for namedroppers@ops.ietf.org; Thu, 22 Mar 2007 23:30:03 +0000
Received: (qmail 17719 invoked from network); 22 Mar 2007 23:29:56 -0000
Received: from unknown (HELO connotech.com) (t2i6@rogers.com@209.148.165.15 with plain) by smtp108.rog.mail.re2.yahoo.com with SMTP; 22 Mar 2007 23:29:55 -0000
X-YMail-OSG: HH3xBBAVM1kC.g3fs3SC7R6tfCFurj688JJTZgSFsDdPtx_K2SxWyVPBel8LinBbVQ--
Message-ID: <460312BF.8080002@connotech.com>
Date: Thu, 22 Mar 2007 18:35:27 -0500
From: Thierry Moreau <thierry.moreau@connotech.com>
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: David Conrad <david.conrad@icann.org>
CC: namedroppers@ops.ietf.org
Subject: Re: weiler-dnssec-dlv-02
References: <31513.1174480876@sandelman.ottawa.on.ca> <FC2FD963-5882-4D34-896B-8B9459386AA6@icann.org> <20070322073609.GA4489@laperouse.bortzmeyer.org> <67730.1174572329@sa.vix.com> <48CBA67D-FF7C-4930-AA53-CAA2CE1F30DA@icann.org>
In-Reply-To: <48CBA67D-FF7C-4930-AA53-CAA2CE1F30DA@icann.org>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: fb6060cb60c0cea16e3f7219e40a0a81


David Conrad wrote:

> Hi,
> 
> 
>> and strong security around the KSK,
> 
> 
> Not specified in the draft, but define "strong".  IANA already has  some 
> level of security, but I suspect nothing on the order of what  would be 
> necessary to provide a sufficient level of assurance that  the KSK 
> wasn't compromised.  Since the data we're talking about here  are used 
> to sign information that relates to national interests, I  suspect the 
> level of security necessary is on the order of that  necessary to 
> protect national-level secrets.  I don't plan on moving  IANA to a 
> former ICBM silo.
> 
> In my mind, this sort of points out a bit of a flaw in the  operational 
> implications of DNSSEC.  Forget (as we have to date since  it is a hard 
> problem) how one might recover from a root KSK  compromise.  
> Pragmatically speaking, the holder of the root KSK is  setting itself up 
> to be a teensy bit of a target.  Compromise of the  root KSK would have 
> ... significant implications and likely  astounding liabilities.  Who 
> wants that?  Since the implications are  so great (and there is no way 
> to recover), you have to be _EXTREMELY_  careful with the key.  This 
> level of care is likely to be is very,  very expensive.  Who is going to 
> pay for that?
> 

Thanks David for re-stating the requirement for emergency KSK rollover 
requirement.

However, the KSK security strength was not particularly stressed in the 
trust anchor (TA) automated rollover requirements draft that the DNSEXT 
produced, at least not with the above pragmatic perspective. The DNSEXT 
wg has moved this draft to the IESG, so it looks like a done deal for 
the wg.

In the early days of TA rollover requirements discussions, I used to 
advocate for the expliciteness of emergency rollover recovery 
principles, with an implied "catastrophic failure mode" disclosure 
requirement. I.e. let's disclose the exact circumstances where "there is 
no way to recover", so that _EXTREME_ _CARE_ could be applied to these 
circumstances.

But the wg paid more attention to other requirements and selection 
criteria. Overall, I came to the conclusion that the TA rollover issue 
hit a limit in what an IETF wg can realistically achieve.

Regards,

-- 

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: thierry.moreau@connotech.com


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email