IETF Logo Mail Archive

Re: [dnsext] historal root keys for upgrade path?

Joe Abley <jabley@hopcount.ca> Tue, 01 February 2011 02:39 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C3B473A6CBD for <dnsext@core3.amsl.com>; Mon, 31 Jan 2011 18:39:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.576
X-Spam-Level:
X-Spam-Status: No, score=-102.576 tagged_above=-999 required=5 tests=[AWL=0.023, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pmQK3Kc2NSh8 for <dnsext@core3.amsl.com>; Mon, 31 Jan 2011 18:39:03 -0800 (PST)
Received: from monster.hopcount.ca (monster.hopcount.ca [216.235.14.38]) by core3.amsl.com (Postfix) with ESMTP id D9A2C3A68F1 for <dnsext@ietf.org>; Mon, 31 Jan 2011 18:39:02 -0800 (PST)
Received: from [199.212.90.21] (helo=dh21.r2.owls.hopcount.ca) by monster.hopcount.ca with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <jabley@hopcount.ca>) id 1Pk6GC-000OGv-EK; Tue, 01 Feb 2011 02:46:33 +0000
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <AANLkTi=9RKWJiv_oOaAMnW-eLZz1ZkbC4QO2VRoigoB7@mail.gmail.com>
Date: Mon, 31 Jan 2011 21:42:08 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <A46E3BD6-8468-44B2-9A80-73845E53E170@hopcount.ca>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <17A80F45-52CB-43F6-BD4A-3488821F6933@hopcount.ca> <3A1DEE95-8C8E-4C89-97EB-6D8F799ADE25@virtualized.org> <583A62B0-0DBF-469A-AF8A-B81DEDD1E7E2@dotat.at> <86B1D38A-C274-4335-B30E-3C5C0DF05C38@hopcount.ca> <4D45DE93.9090508@vpnc.org> <AANLkTinbjRebooyqWMpZ2oTudruoDSGqgaXXr35WPYVH@mail.gmail.com> <AANLkTikiqe2K4S-dNsyQZ-xp71J4bM11SsahwpxfDKCX@mail.gmail.com> <4C747F08-A9E8-46E6-AE76-0A999A16D276@hopcount.ca> <AANLkTinOtx88vK3mz-w=uw1CnsKwm=c-nTDOsj=5JAPY@mail.gmail.com> <B4F822D3-F4D6-4657-B299-075B89B5CC86@hopcount.ca> <899F4D8E-2E75-44C3-A001-612582209C86@icsi.berkeley.edu> <63AEECED-2D62-4FC4-81C8-87464D37A72E@hopcount.ca> <AANLkTimKdySsgKLB8Q4fgPOGV5VO2Vgy7sXQBa3S9MoG@mail.gmail.com> <09DC661D-5974-44A4-BF58-E5152945B60B@hopcount.ca> <AANLkTi=9RKWJiv_oOaAMnW-eLZz1ZkbC4QO2VRoigoB7@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: Apple Mail (2.1082)
X-SA-Exim-Connect-IP: 199.212.90.21
X-SA-Exim-Mail-From: jabley@hopcount.ca
X-SA-Exim-Scanned: No (on monster.hopcount.ca); SAEximRunCond expanded to false
Cc: dnsext@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dnsext] historal root keys for upgrade path?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Feb 2011 02:39:03 -0000

On 2011-01-31, at 21:23, Phillip Hallam-Baker wrote:

> Regularly rolling the root does not improve security. All that is achieved is that one point of vulnerability becomes two points until such time as the original root is no longer trusted for ANY purpose.

The draft I submitted doesn't address scheduled key rolls. Rather, it addresses the problem of how a validator establishes an initial trust anchor to be used for continuing operation.

I appreciate the distinction is muddied by the fact that a validator that fails to catch a key roll with 5011 semantics is effectively left in a state where it needs to bootstrap itself again.

> If you change the management rules to require a permanent chain of roots to be kept you have precisely the same exposure to the legacy root plus the additional exposure incurred through establishing a second root and the distribution mechanism.

Indeed. The proposal I posted doesn't establish a second root; it uses established ones.

> Without wanting to put too fine a point on the matter, the only way you are going to be able to rely on an ICANN issued root key in twenty years time is if ICANN decides that this is something that they are going to support. And if they did decide to offer such support there are much simpler ways to do so than the draft proposed.

ICANN has committed to support the current publication mechanisms for as long as they retain the role of KSK manager; it's in the IANA functions contract with NTIA (by reference). I think we can assume that the same requirement would be imposed on any new NTIA contractor in the event that some other organisation took over the role.

What support could ICANN provide that would facilitate a simpler bootstrapping method?

(The proposal Dave and I posted seemed pretty simple to me: you pull an XML document using HTTP, then the certificates referred to by that XML doc and use one of the X.509 CA keys you already have to verify any one of them. Until you find a suitable cert, you operate without DNSSEC.)


Joe

v2.23.0 | Report a Bug | By Email