IETF Logo Mail Archive

Re: [dnsext] Historical root keys: The Large Router Vendor Speaks

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 28 January 2011 16:55 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 00F383A67B0 for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 08:55:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.745
X-Spam-Level:
X-Spam-Status: No, score=-101.745 tagged_above=-999 required=5 tests=[AWL=0.301, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IrXK0QWoo-RN for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 08:55:16 -0800 (PST)
Received: from hoffman.proper.com (Hoffman.Proper.COM [207.182.41.81]) by core3.amsl.com (Postfix) with ESMTP id 0D5853A67AE for <dnsext@ietf.org>; Fri, 28 Jan 2011 08:55:15 -0800 (PST)
Received: from MacBook-08.local (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p0SGvxQh023111 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Fri, 28 Jan 2011 09:58:00 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Message-ID: <4D42F597.8090006@vpnc.org>
Date: Fri, 28 Jan 2011 08:57:59 -0800
From: Paul Hoffman <paul.hoffman@vpnc.org>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: dnsext@ietf.org
References: <4D41D3E2.6060107@cisco.com> <3125F45F-7594-498F-AFA3-D2D738A228F5@hopcount.ca>
In-Reply-To: <3125F45F-7594-498F-AFA3-D2D738A228F5@hopcount.ca>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 16:55:20 -0000

Is there a reason that we are only focusing on one of the multiple 
proposals that this person proposed? Path II was:

  II. Provide our own key update service. This might be DNS-based or
      HTTP-based. It would provide either:

      a. The entire historical chain of DNS root KSKs, with older keys
	signing newer ones, so that the device could pick up from
	whatever key it had, OR

      b. Just the current root key, signed with a key validated by
	Cisco's private X.509 PKI (the same PKI we use to sign
         software), OR

      c. The chain of (a) further signed with a key from (b).

      We are obviously capable of this. We also obviously think it's
      inferior to (I).

It is not clear that it is inferior to (I) if doing (I) makes the entire 
system more fragile by adding another moving part.

I think (II)(b) looks quite sane, easy to do right now, and if this 
community ever agrees to a safe way to do (I) *and* implements it, doing 
a firmware update to switch over to it would not be hard. I would not 
hold my breath, though.

We're talking pre-loaded trust anchors here. They have the same power as 
pre-loaded software. If (II)(b) works for your software, it should work 
just fine for your trust anchors.

v2.23.0 | Report a Bug | By Email