Re: DNSSECbis Q-07: Discuss preconfigured trusted DSs in addition to preconfigured trusted KEYs?
Derek Atkins <warlord@MIT.EDU> Wed, 09 April 2003 21:03 UTC
To: Rob Austein <sra+namedroppers@hactrn.net>
Cc: namedroppers@ops.ietf.org
Subject: Re: DNSSECbis Q-07: Discuss preconfigured trusted DSs in addition to preconfigured trusted KEYs?
References: <20030331132915.GA2912@atoom.net> <20030409015556.6CF3B18ED@thrintun.hactrn.net> <20030409030333.E8E6518ED@thrintun.hactrn.net> <20030409200750.440EC18E6@thrintun.hactrn.net>
From: Derek Atkins <warlord@MIT.EDU>
Date: Wed, 09 Apr 2003 16:52:50 -0400
In-Reply-To: <20030409200750.440EC18E6@thrintun.hactrn.net>
Message-ID: <sjmbrzfv1el.fsf@kikki.mit.edu>

Effectively what you are saying is that you want to store a hash of
the trusted key rather than the key itself. I'm not sure what I think
about this. On the face of it, it should work just fine. However
you're now trusting the hash algorithm to root your key.

-derek

Rob Austein <sra+namedroppers@hactrn.net> writes:

> DNSSECbis Q-07:
>
> Should the DNSSECbis documents discuss use of preconfigured trusted
> DSs in addition to preconfigured trusted KEYs?
>
> Discussion:
>
> As currently written, the DNSSECbis documents (specifically,
> -protocol) only talk about how to establish a chain of trust
> starting with preconfigured trusted keys. At least one member of
> the dnssec-editors team believes that this is just an oversight,
> since section 2.4.1 of -delegation-signer-13 specifically mentions
> the possibility of using DS RRs as a means of listing trusted keys
> in configuration files.
>
> Message from the DNSOP WG mailing list attached below for context.
>
> Miek has kindly volunteered to work with the editors on wording.
>
>
> --[[message/rfc822]
> Date: Tue, 08 Apr 2003 21:55:56 -0400
> From: Rob Austein <sra+dnsop@hactrn.net>
> To: dnsop@cafax.se
> Subject: Re: preconfigured keys or ds's
> References: <20030331132915.GA2912@atoom.net>
> MIME-Version: 1.0 (generated by SEMI 1.14.4 - "Hosorogi")
> Content-Type: text/plain; charset=US-ASCII
> Message-Id: <20030409015556.6CF3B18ED@thrintun.hactrn.net>
>
> At Mon, 31 Mar 2003 15:29:15 +0200, Miek Gieben wrote:
> >
> > I would like to see the following documented, but I don't know for sure
> > if it is a dnssec or dnsop issue:
> >
> > The preconfigured keys for resolvers are large and are hard to compare
> > and read (by humans). DS records on the other hand are much smaller
> > and easier to handle. I think it would be better to preconfigure
> > DS records instead of zone keys for resolvers. This is also how
> > my perl resolver works.
>
> <hat dnsop-wg-co-chair=off dnssec-editors-team-member=off>
>
> This sounds like a reasonable implementation choice.
>
> </hat>
>
> > Where to put this? In the dnssec drafts or in a separate dnsop BCP?
>
> <hat dnsop-wg-co-chair=off dnssec-editors-team-member=on>
>
> The current DNSSECbis drafts don't talk about using trusted DS RRs
> as a starting point, only trusted KEYs. Given the last paragraph of
> section 2.4.1 of draft-ietf-dnsext-delegation-signer-13.txt, this
> looks like an oversight (probably mine, since I was probably the
> last person to work on the relevant text in the DNSSECbis drafts).
>
> So the DNSSECbis spec needs fixing, and I don't expect anybody to
> argue against the fix, but for process reasons it'd be best to post
> an explanation to namedroppers first, so I'll do that.
>
> </hat>
>
> <hat dnsop-wg-co-chair=on dnssec-editors-team-member=off>
>
> Because of the above, at least part of this is a DNSEXT issue.
>
> </hat>
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
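
Added illustration, not part of the thread or of any poster's code: the check a resolver makes when its configured trust anchor is a DS-style hash rather than the key itself, using the digest construction as later published in RFC 4034 (hash over the canonical owner name plus the key RDATA). The function names and the key bytes are constructed for the example; no signature validation is performed.

```python
import base64
import hashlib
import hmac
import struct

# DS digest type numbers -> hash constructors (1 = SHA-1, 2 = SHA-256)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def wire_name(name):
    """Canonical wire form: lowercased, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_rdata(flags, protocol, algorithm, pubkey_b64):
    """Key RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithm 1 uses a different rule; not handled)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """What an operator would publish or preconfigure: (tag, alg, type, digest)."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def key_matches_anchor(owner, rdata, anchor):
    """True only if the fetched key hashes to the locally configured DS anchor."""
    tag, alg, dtype, digest = anchor
    if dtype not in DIGESTS or tag != key_tag(rdata) or alg != rdata[3]:
        return False  # unknown hash, or cheap fields already disagree
    computed = DIGESTS[dtype](wire_name(owner) + rdata).hexdigest()
    return hmac.compare_digest(computed, digest.lower())

# Constructed sample: 64 arbitrary bytes standing in for a public key.
SAMPLE_KEY = key_rdata(257, 3, 5, base64.b64encode(bytes(range(64))).decode())
SAMPLE_ANCHOR = make_ds("example.", SAMPLE_KEY, 2)

if __name__ == "__main__":
    print("anchor:", SAMPLE_ANCHOR)
    print("match:", key_matches_anchor("example.", SAMPLE_KEY, SAMPLE_ANCHOR))
```

The anchor is only as strong as the digest: any key that collides under the configured hash for the same owner name would pass `key_matches_anchor`, which is the dependence on the hash algorithm raised in the reply above.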