Re: another's view on zone enum & on-line signing
Edward Lewis <edlewis@arin.net> Thu, 23 September 2004 10:40 UTC
Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA29405 for <dnsext-archive@lists.ietf.org>; Thu, 23 Sep 2004 06:40:34 -0400 (EDT)
Received: from majordom by psg.com with local (Exim 4.41 (FreeBSD)) id 1CAQza-0005Ub-80 for namedroppers-data@psg.com; Thu, 23 Sep 2004 10:38:26 +0000
Received: from [192.149.252.33] (helo=smtp1.arin.net) by psg.com with esmtp (Exim 4.41 (FreeBSD)) id 1CAQzP-0005Td-9u for namedroppers@ops.ietf.org; Thu, 23 Sep 2004 10:38:15 +0000
Received: by smtp1.arin.net (Postfix, from userid 5003) id 49CBF144725; Thu, 23 Sep 2004 06:14:43 -0400 (EDT)
Received: from mercury.arin.net (mercury.arin.net [192.149.252.131]) by smtp1.arin.net (Postfix) with ESMTP id 9443B1446E7; Thu, 23 Sep 2004 06:14:42 -0400 (EDT)
Received: from [193.0.8.231] (mercury.arin.net [127.0.0.1]) by mercury.arin.net (Postfix) with ESMTP id 45DA6CF3A8; Thu, 23 Sep 2004 06:38:12 -0400 (EDT)
Mime-Version: 1.0
X-Sender: edlewis@127.0.0.1
Message-Id: <a0602041dbd784f701cf4@[193.0.8.231]>
In-Reply-To: <1704.1095931561@gromit.rfc1035.com>
References: <1704.1095931561@gromit.rfc1035.com>
Date: Thu, 23 Sep 2004 11:38:09 +0100
To: Jim Reid <jim@rfc1035.com>
From: Edward Lewis <edlewis@arin.net>
Subject: Re: another's view on zone enum & on-line signing
Cc: Edward Lewis <edlewis@arin.net>, namedroppers@ops.ietf.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on psg.com
X-Spam-Status: No, hits=-4.9 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=2.64
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
At 10:26 +0100 9/23/04, Jim Reid wrote: >>>>>> "Edward" == Edward Lewis <edlewis@arin.net> writes: > > >> At 16:28 +0000 9/22/04, Paul Vixie wrote: > >> word on the street is, online signing isn't allowed in the > >> dnssec-bis spec. > > Edward> What about a signed zone that is dynamically updated - > Edward> doesn't that physically require on-line signing? > >I suppose a throwaway zone signing key could be on-line for on the fly >signing of the updates and a strong key signing key kept off-line. Back in the day...there was a discussion like this... Let's assume that you have a zone with a mix of critical data and (for lack of a better word) vanity data. Critical would be the address record of your mail server. Vanity would be a CNAME to the entry you are using at a conference. E.g. ---> smtp AAAA <ip addr> marco.polo CNAME host-ripe49-139.example.net. Since the smtp(-owned) record is critical, I'll sign it with key A, which is off-line and is 2048 bits long. The latter record is dynamically added when I pop up the laptop, the key signing it is on-line and 512 bits long. So - the smtp is signed "more" securely than marco.polo. Or so I think. There are a couple of problems. One is - what if the attacker can make an update request to change smtp. This would take just "breaking" through whatever ACL's are involved (IP, tsig key, TKEY, other policy, etc.). The result is that smtp new's address is signed with the on-line key. Another possibility is that the attacker gains the access to the private key (it is exposed). In that case, the attacker can generate a new smtp record and slip that into the zone. (Assuming that the attacker also has broken the host's security.) To defend against the breaking of dynamic update policy we (Olafur, Brian, and I) toyed with the idea of using RFC 2065 KEY RR strength bits (signatory bits). The idea was that no on-line SIG could usurp an off-line SIG. I think that in trying to come up with a "strength scale" we encountered problems, I admit that my memory is foggy about this. Probably because we saw the possibility of illicitly learning the on-line key as an insurmountable problem. (If Olafur and/or Brian want to add to this, please do. We had a lot of discussions back then that never made it out of the office and into recorded messages. ;) The benefits of public mail list discussions and archives - discussions survive employment changes.) Ultimately we determined (!= "and that's the way it is") that without a way to express to resolver/verifiers a policy that includes "these records can only be signed with this kind of key" and "those with the weaker key" it is useless for the server to use more than one key (per algorithm at a time). (Yes, key replacement/rollover, etc. are times for multiple keys, but I'm not worried about that now.) If we were to try now to differentiate between the keys a server uses - we'd have to 1) hardcode into the verifier algorithm a policy, or 2) once again raise the the SEC RR: http://www.potaroo.net/ietf/all-ids//draft-ietf-dnsind-sec-rr-00.txt (Note the last paragraph before section 2.) BTW, we'd also have to specify that the SEC RR (set) would have to be signed off-line - otherwise the first record I'd replace is the SEC RR. ;) In summary - unless some basic assumptions have changed (e.g., the trust model), I am quite pessimistic that differentiating between on-line and off-line keys is beneficial. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-703-227-9854 ARIN Research Engineer "I can't go to Miami. I'm expecting calls from telemarketers." - Grandpa Simpson. -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Re: another's view on zone enum & on-line signing Paul Vixie
- Re: another's view on zone enum & on-line signing Jim Reid
- Re: another's view on zone enum & on-line signing Michael Richardson
- Re: another's view on zone enum & on-line signing Edward Lewis
- Re: another's view on zone enum & on-line signing Robert Elz
- Re: another's view on zone enum & on-line signing Edward Lewis