IETF Logo Mail Archive

Re: DNSSECbis Q-07: Discuss preconfigured trusted DSs in addition to preconfigured trusted KEYs?

Derek Atkins <warlord@MIT.EDU> Wed, 09 April 2003 21:03 UTC

Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA14571 for <dnsext-archive@lists.ietf.org>; Wed, 9 Apr 2003 17:03:35 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.36 #1) id 193MdB-000GAs-00 for namedroppers-data@psg.com; Wed, 09 Apr 2003 20:57:17 +0000
Received: from fort-point-station.mit.edu ([18.7.7.76]) by psg.com with esmtp (Exim 3.36 #1) id 193Md5-000GAe-00 for namedroppers@ops.ietf.org; Wed, 09 Apr 2003 13:57:11 -0700
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82]) by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h39KuWhb004205; Wed, 9 Apr 2003 16:57:06 -0400 (EDT)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86]) by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h39KqpV1004985; Wed, 9 Apr 2003 16:52:51 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) ) by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h39KqoU8018427; Wed, 9 Apr 2003 16:52:51 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2) id QAA20208; Wed, 9 Apr 2003 16:52:50 -0400 (EDT)
To: Rob Austein <sra+namedroppers@hactrn.net>
Cc: namedroppers@ops.ietf.org
Subject: Re: DNSSECbis Q-07: Discuss preconfigured trusted DSs in addition to preconfigured trusted KEYs?
References: <20030331132915.GA2912@atoom.net> <20030409015556.6CF3B18ED@thrintun.hactrn.net> <20030409030333.E8E6518ED@thrintun.hactrn.net> <20030409200750.440EC18E6@thrintun.hactrn.net>
From: Derek Atkins <warlord@MIT.EDU>
Date: Wed, 09 Apr 2003 16:52:50 -0400
In-Reply-To: <20030409200750.440EC18E6@thrintun.hactrn.net>
Message-ID: <sjmbrzfv1el.fsf@kikki.mit.edu>
Lines: 91
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Status: No, hits=-36.5 required=5.0 tests=BAYES_01,EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, RCVD_IN_NJABL,RCVD_IN_OSIRUSOFT_COM, RCVD_IN_RELAYS_ORDB_ORG,REFERENCES,REPLY_WITH_QUOTES, USER_AGENT_GNUS_UA,X_NJABL_OPEN_PROXY autolearn=ham version=2.50
X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk

Effectively what you are saying is that you want to store
a hash of the trusted key rather than the key itself.
I'm not sure what I think about this.

On the face of it, it should work just fine.  However
you're now trusting the hash algorithm to root your
key.

-derek

Rob Austein <sra+namedroppers@hactrn.net> writes:

> DNSSECbis Q-07:
> 
>    Should the DNSSECbis documents discuss use of preconfigured trusted
>    DSs in addition to to preconfigured trusted KEYs?
> 
> Discussion:
> 
>    As currently written, the DNSSECbis documents (specifically,
>    -protocol) only talk about how to establish a chain of trust
>    starting with preconfigured trusted keys.  At least one member of
>    the dnssec-editors team believes that this is just an oversight,
>    since section 2.4.1 of -delegation-signer-13 specifically mentions
>    the possibility of using DS RRs as a means of listing trusted keys
>    in configuration files.
> 
>    Message from the DNSOP WG mailing list attached below for context.
> 
>    Miek has kindly volunteered to work with the editors on wording.
> 
> 
> --[[message/rfc822]
> Date: Tue, 08 Apr 2003 21:55:56 -0400
> From: Rob Austein <sra+dnsop@hactrn.net>
> To: dnsop@cafax.se
> Subject: Re: preconfigured keys or ds's
> References: <20030331132915.GA2912@atoom.net>
> MIME-Version: 1.0 (generated by SEMI 1.14.4 - "Hosorogi")
> Content-Type: text/plain; charset=US-ASCII
> Message-Id: <20030409015556.6CF3B18ED@thrintun.hactrn.net>
> 
> At Mon, 31 Mar 2003 15:29:15 +0200, Miek Gieben wrote:
> > 
> > I would like to see the following documented, but I don't know for sure
> > if it is a dnssec or dnsop issue:
> > 
> > The preconfigured keys for resolvers are large and are hard to compare
> > and read (by humans). DS records on the other hand are much smaller
> > and easier to handle. I think it would be better to preconfigure
> > DS records in stead of zone keys for resolvers. This is also how
> > my perl resolver works.
> 
> <hat dnsop-wg-co-chair=off dnssec-editors-team-member=off>
> 
>   This sounds like a reasonable implementation choice.
> 
> </hat>
> 
> > Where to put this? In the dnssec drafts or in a seperate dnsop BCP?
> 
> <hat dnsop-wg-co-chair=off dnssec-editors-team-member=on>
> 
>   The current DNSSECbis drafts don't talk about using trusted DS RRs
>   as a starting point, only trusted KEYs.  Given the last paragraph of
>   section 2.4.1 of draft-ietf-dnsext-delegation-signer-13.txt, this
>   looks like an oversight (probably mine, since I was probably the
>   last person to work on the relevant text in the DNSSECbis drafts).
> 
>   So the DNSSECbis spec needs fixing, and I don't expect anybody to
>   argue against the fix, but for process reasons it'd be best to post
>   an explanation to namedroppers first, so I'll do that.
> 
> </hat>
> 
> <hat dnsop-wg-co-chair=on dnssec-editors-team-member=off>
> 
>   Because of the above, at least part of this is a DNSEXT issue.
> 
> </hat>
> 
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email