IETF Logo Mail Archive

Re: [dnsext] historal root keys for upgrade path?

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 25 January 2011 21:56 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C27903A68AA for <dnsext@core3.amsl.com>; Tue, 25 Jan 2011 13:56:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.771
X-Spam-Level:
X-Spam-Status: No, score=-2.771 tagged_above=-999 required=5 tests=[AWL=0.228, BAYES_00=-2.599, J_CHICKENPOX_44=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eyTx5zOjS5+E for <dnsext@core3.amsl.com>; Tue, 25 Jan 2011 13:56:32 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 9FF543A6890 for <dnsext@ietf.org>; Tue, 25 Jan 2011 13:56:31 -0800 (PST)
Received: by fxm9 with SMTP id 9so293115fxm.31 for <dnsext@ietf.org>; Tue, 25 Jan 2011 13:59:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=vX8B2BND9cpPmFwoUPgDVBEhoQV0DyKu6DoBpIbQrbs=; b=NlpICCykkzcdHYoPPNtsSWGxxhaTMZfO2AfxYOPrNlCFxQ6FXaw4BJ4k/9EfeV8nXP gV0yKWFkNiWf4gGyEOvYuhPZYMbeVwTpy0Gpz+7KDowtbPw/5Y7jTx6NzOs6ZBZixisH mWBYjOetPzwdjj183Ut8aD4bfgHhQklbM2cm0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=mMvgI+te/y558QzBnaIST4liH1ffLNOfUAK+tWKktufcCw9LO1TfREHoRwE2N6cRZl P7p8U8UHiDCjJwu4Y/DTc+5yHk1ABamQu+1P+r+0m/nR1QBKKAW3jZOgjllMCrON7RGL gitHQD9JHNpPI/C+4R105nLOy9BOk2gpdoW50=
MIME-Version: 1.0
Received: by 10.223.93.139 with SMTP id v11mr6273771fam.132.1295992133999; Tue, 25 Jan 2011 13:48:53 -0800 (PST)
Received: by 10.223.108.71 with HTTP; Tue, 25 Jan 2011 13:48:53 -0800 (PST)
In-Reply-To: <alpine.LFD.1.10.1101251545410.30991@newtla.xelerance.com>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <4D3F233C.7000900@vpnc.org> <alpine.LFD.1.10.1101251510140.30991@newtla.xelerance.com> <4D3F3286.8040102@vpnc.org> <alpine.LFD.1.10.1101251545410.30991@newtla.xelerance.com>
Date: Tue, 25 Jan 2011 17:48:53 -0400
Message-ID: <AANLkTiniGQZ0PkFOsSjEiyX02gLUEVAAYxneFwNWf0sL@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Paul Wouters <paul@xelerance.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] historal root keys for upgrade path?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jan 2011 21:56:32 -0000

Here's an idea, which relies on "conventions" rather than "standards".
I.e. can be implemented unilaterally by $vendor, independent of anything else.

The basic idea is that DNSSEC relies on verification, and doesn't
*really* care where
the answer itself comes from.

And thus, anyone can run their own "copy" of any zone, even the root
zone, just by mirroring/copying/caching.

The scheme is, have copies of the root zone at $IPn inside $vendor's IP space.
Whenever the root zone key rolls, increment the last octet of $IPn
(thus $IP(n+1) = $IPn + 1).

The old root zone copy authenticates okay, and this creates a suitable
trust anchor for rootzone.$vendor.$tld.

The content of rootzone.$vendor.$tld is a set of new hints and copy of
the root zone trust anchor.

Following the new hints to $IPn+1 permits the new trust anchor to be verified.

I'm not sure, but I *think* this works (modulo errors or omissions).

It might be necessary to have the bootstrap start with a static trust
anchor and set of root hints inside rootzone.$vendor.$tld...

Brian

On Tue, Jan 25, 2011 at 4:47 PM, Paul Wouters <paul@xelerance.com> wrote:
> On Tue, 25 Jan 2011, Paul Hoffman wrote:
>
>>> The anser seems to be "yes". It also means that some devices will fail
>>> due to
>>> firewall rules if this updating happens outside of the DNS scope.
>>
>> I don't understand this. I proposed that the updating procedure use fixed
>> IP addresses; are you saying that there are firewalls that prevent such
>> communication unless there was a DNS lookup first?
>
> I dount many switches/routers deployed at $customer can just access a random
> $vendor IP, yes.
>
>>>> Bootstrapping is hard, but once you have done it, you can reuse the
>>>> trust logic you used to do it again.
>>>
>>> Not neccessarilly. Bootstreap happens on a desk at the sysadmin office,
>>> not
>>> neccessarilly on the switch in the production environment....
>>
>> There is no reason why it can't happen at the switch itself, assuming that
>> you have not turned off the "trust the vendor to bootstrap DNSSEC" option in
>> the switch's config.
>
> But dong tftp,http or even ssh is a much different ACL then "doing more DNS
> through the $company assigned forwarder".
>
> Paul
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
>

v2.23.0 | Report a Bug | By Email