Re: [dnsext] historical root keys for upgrade path?

Joe Abley <jabley@hopcount.ca> Sun, 30 January 2011 19:47 UTC

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <583A62B0-0DBF-469A-AF8A-B81DEDD1E7E2@dotat.at>
Date: Sun, 30 Jan 2011 14:50:30 -0500
Message-Id: <86B1D38A-C274-4335-B30E-3C5C0DF05C38@hopcount.ca>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <17A80F45-52CB-43F6-BD4A-3488821F6933@hopcount.ca> <3A1DEE95-8C8E-4C89-97EB-6D8F799ADE25@virtualized.org> <583A62B0-0DBF-469A-AF8A-B81DEDD1E7E2@dotat.at>
To: Tony Finch <dot@dotat.at>
Cc: dnsext List <dnsext@ietf.org>

On 2011-01-30, at 14:45, Tony Finch wrote:

> On 28 Jan 2011, at 06:06, David Conrad <drc@virtualized.org> wrote:
>> 
> 
>> I don't think that's a risk. If a key is rolled because of a known compromise, it simply means you can't safely chain from the old-but-installed-key to the current-but-not-yet-installed key.  Presumably, when a key is known to be compromised, the chain from old to current keys would be broken such that automated systems would require human intervention.
> 
> If you implement RFC5011 you can maintain a chain of trust in the face of N-1 key compromises where N is the number of keys in the trust anchor.

I thought this whole thread was about how to handle an initial bootstrap, e.g. in a new device, in a device that has been off-line for longer than the 5011 key introduction period, or in the event that an emergency key roll results in a change in KSK without 5011 timing or publishing semantics.


Joe
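The exchange above turns on RFC 5011 timing: Tony's claim that a resolver holding N trust anchors can keep a chain of trust through N-1 compromises, and Joe's three bootstrap cases (a new device, a device offline longer than the add hold-down period, and an emergency KSK change that skips 5011 semantics). The following is an added example, not code from the thread or from any of the posters, that simulates the RFC 5011 trust-anchor state machine on a day-by-day timeline so each case can be run and its outcome inspected. It assumes no real DNSSEC cryptography: a DNSKEY RRset is modelled as the set of key tags it contains, the subset carrying the REVOKE bit, and the set of key tags whose RRSIG covers it, and "validates under key K" simply means K is in that signer set. The 30-day add hold-down follows RFC 5011 section 2.4.1; the remove hold-down and the TTL term are omitted. Key names A, B and C and the `Resolver`/`DnskeyRRset` types are hypothetical.

```python
"""Toy RFC 5011 trust-anchor state machine (added example, not real DNSSEC)."""
from dataclasses import dataclass, field

ADD_HOLD_DOWN = 30  # days, RFC 5011 section 2.4.1 (TTL term omitted here)


@dataclass(frozen=True)
class DnskeyRRset:
    keys: frozenset      # key tags present in the RRset (all treated as SEP keys)
    revoked: frozenset   # subset of `keys` carrying the REVOKE flag bit
    signers: frozenset   # key tags whose RRSIG covers this RRset (stand-in for crypto)


@dataclass
class Resolver:
    valid: set                                   # trust anchors in state Valid
    pending: dict = field(default_factory=dict)  # AddPend: key tag -> day first seen
    revoked: set = field(default_factory=set)    # trust anchors in state Revoked

    def observe(self, rrset, today):
        """Process one DNSKEY RRset fetched on day `today`; returns a status string."""
        # 1. The RRset must validate under a currently Valid (unrevoked) trust anchor.
        if not (self.valid & rrset.signers):
            return "unvalidated"
        # 2. Revocation: a Valid anchor with REVOKE set that also signs the RRset is dropped.
        for k in rrset.revoked & self.valid & rrset.signers:
            self.valid.discard(k)
            self.revoked.add(k)
        # 3. A pending key that vanished from a validated RRset restarts its hold-down.
        for k in list(self.pending):
            if k not in rrset.keys:
                del self.pending[k]
        # 4. New keys enter AddPend; those seen continuously for the hold-down become Valid.
        for k in rrset.keys - self.valid - self.revoked - rrset.revoked:
            first_seen = self.pending.setdefault(k, today)
            if today - first_seen >= ADD_HOLD_DOWN:
                self.valid.add(k)
                del self.pending[k]
        return "validated"


def roll_with_5011():
    """Normal roll A -> B: B pre-published on day 0, A revoked on day 40, polled daily."""
    r = Resolver(valid={"A"})
    for day in range(0, 61):
        rev = frozenset({"A"}) if day >= 40 else frozenset()
        r.observe(DnskeyRRset(frozenset({"A", "B"}), rev, frozenset({"A", "B"})), day)
    return sorted(r.valid), sorted(r.revoked)


def hold_down_restarts():
    """Edge case: B missing from the validated RRset on day 15 restarts its 30-day clock."""
    r = Resolver(valid={"A"})
    for day in range(0, 46):
        keys = {"A"} if day == 15 else {"A", "B"}
        r.observe(DnskeyRRset(frozenset(keys), frozenset(), frozenset({"A"})), day)
    accepted_by_day_45 = "B" in r.valid
    r.observe(DnskeyRRset(frozenset({"A", "B"}), frozenset(), frozenset({"A"})), 46)
    return accepted_by_day_45, "B" in r.valid


def offline_past_hold_down():
    """Joe's case: a device trusting only A is offline from day 0 to day 60; by then
    the zone has finished the roll and publishes B signed only by B."""
    r = Resolver(valid={"A"})
    status = r.observe(DnskeyRRset(frozenset({"B"}), frozenset(), frozenset({"B"})), 60)
    return status, sorted(r.valid)   # stuck on A: needs out-of-band re-bootstrap


def n_minus_one_compromise():
    """Tony's case: anchors {A, B}; A is compromised and revoked on day 0 while
    replacement C is introduced. The chain continues through B."""
    r = Resolver(valid={"A", "B"})
    for day in range(0, 31):
        r.observe(DnskeyRRset(frozenset({"A", "B", "C"}), frozenset({"A"}),
                              frozenset({"A", "B"})), day)
    return sorted(r.valid), sorted(r.revoked)


def emergency_roll_without_5011():
    """Joe's third case: A compromised; operator immediately publishes C signed only
    by C, with no revoke of A and no hold-down. C never even reaches AddPend."""
    r = Resolver(valid={"A"})
    rr = DnskeyRRset(frozenset({"C"}), frozenset(), frozenset({"C"}))
    status = [r.observe(rr, day) for day in range(0, 31)][-1]
    return status, sorted(r.valid), sorted(r.pending)


if __name__ == "__main__":
    print("5011 roll      :", roll_with_5011())
    print("hold-down reset:", hold_down_restarts())
    print("offline 60 days:", offline_past_hold_down())
    print("N-1 compromise :", n_minus_one_compromise())
    print("emergency roll :", emergency_roll_without_5011())
```

The two "unvalidated" outcomes are the point of Joe's reply: in both the offline case and the emergency-roll case the resolver still holds a trust anchor, but nothing it trusts signs what the zone now publishes, so no amount of RFC 5011 polling will ever move the new key into Valid. Recovery requires a fresh trust anchor from outside the protocol. Tony's case succeeds only because the second anchor B remained trusted and signed the RRset that introduced C; with a single anchor the same revocation would leave the resolver with nothing.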