Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
Alex Bligh <alex@alex.org.uk> Fri, 28 January 2011 10:59 UTC
Return-Path: <alex@alex.org.uk>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1F8AF3A6767 for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 02:59:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pOOCzyvIPuwG for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 02:59:26 -0800 (PST)
Received: from mail.avalus.com (mail.avalus.com [89.16.176.221]) by core3.amsl.com (Postfix) with ESMTP id 7CA643A635F for <dnsext@ietf.org>; Fri, 28 Jan 2011 02:59:26 -0800 (PST)
Received: from [192.168.100.15] (87-194-71-186.bethere.co.uk [87.194.71.186]) by mail.avalus.com (Postfix) with ESMTPSA id 8A80CC56606; Fri, 28 Jan 2011 11:02:30 +0000 (GMT)
Date: Fri, 28 Jan 2011 11:02:29 +0000
From: Alex Bligh <alex@alex.org.uk>
To: John Bashinski <jbash@cisco.com>, dnsext@ietf.org
Message-ID: <7780AF9B46FB75DD51990806@Ximines.local>
In-Reply-To: <4D41D3E2.6060107@cisco.com>
References: <4D41D3E2.6060107@cisco.com>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Alex Bligh <alex@alex.org.uk>
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 10:59:28 -0000
--On 27 January 2011 15:21:54 -0500 John Bashinski <jbash@cisco.com> wrote: > II. Provide our own key update service. This might be DNS-based or > HTTP-based. It would provide either: ... > We are obviously capable of this. We also obviously think it's > inferior to (I). I wonder if we're not overcomplicating this, or more accurately looking at this as a problem unique to DNSSEC. With plain old DNS, or DNSSEC, or SSL cert validation, or whatever, there is a set of bootstrap data that need to be distributed with any image. Under certain circumstances (all root servers move IP address, lots of key rollover whilst disconnected from the internet, new CAs, whatever), that data can become out of date in a manner where the protocols themselves can't make things right. There's also a pile of other bootstrap stuff distributed with Large Router Vendor (for any value of LRV) devices, which is the firmware it's designed to run on. One presumes LRV's devices have at least some permanent storage in even if their firmware is non-upgradable, else this problem is near insoluble. So, how about 1. When 'things go wrong', 'periodically', or 'on UI interaction' (obviously the latter to be avoided), device makes a simple http request to a known URL at LRV. 2. Device downloads new bootstrap data. At this stage, it could be bogus. No need to use anything more fancy than http. 3. Device verifies it is genuine, e.g. by checking it is signed with a private key (held securely by the LRV), the public key-pair being in the firmware. If it is, genuine, it replaces the current bootstrap data. DoS attacks, etc. could prevent this upgrade from happening, but that would have to be for an entire key rollover period. -- Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- [dnsext] Historical root keys: The Large Router V… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… David Conrad
- Re: [dnsext] Historical root keys: The Large Rout… Brian Dickson
- Re: [dnsext] Historical root keys: The Large Rout… Jakob Schlyter
- Re: [dnsext] Historical root keys: The Large Rout… Florian Weimer
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Andrew Sullivan
- Re: [dnsext] Historical root keys: The Large Rout… Joe Abley
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Nicholas Weaver
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… Alex Bligh
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- [dnsext] A question about the need for "historica… Edward Lewis
- Re: [dnsext] Historical root keys: The Large Rout… Paul Hoffman
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] A question about the need for "histo… John Bashinski
- Re: [dnsext] A question about the need for "histo… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] A question about the need for "histo… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Ted Lemon
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… John Bashinski
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Thierry Moreau
- Re: [dnsext] Historical root keys: The Large Rout… Paul Wouters
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Chris Thompson
- Re: [dnsext] Historical root keys: The Large Rout… George Barwood
- Re: [dnsext] Historical root keys: The Large Rout… Tony Finch
- Re: [dnsext] Historical root keys: The Large Rout… Phillip Hallam-Baker
- Re: [dnsext] Historical root keys: The Large Rout… Olafur Gudmundsson