Re: [dnsext] draft-jabley-dnsop-validator-bootstrap-00

Phillip Hallam-Baker <> Tue, 01 February 2011 00:37 UTC

On Mon, Jan 31, 2011 at 5:14 PM, Joe Abley <> wrote:

> > Either way, it's a local trust anchor... and I don't see why X.509
> > keys are any less compromisable than DNS keys...
> The difference is that X.509 keys, as deployed by CAs, have expected
> lifetimes measured in decades. Right now we don't know what the expected
> lifetime of the root zone KSK is.

To be precise here, there is no difference in the likelihood that the keys
will be compromised.

The difference is that the X.509 protocol is designed to support keys that
are persistent over long periods (decades) and DNSSEC is not.

In particular, an X.509 self-signed certificate is an assertion that the key
holder will maintain and use the associated private key in accordance with
the specified practices for the specified length of time.

You can easily find out how long Comodo or Symantec or whoever is going to
maintain their SSL CA roots; the information is right there in the cert
store and is irrevocable, in that the CA can extend the time period (through
recertification) but cannot reduce it.

My advice to Cisco would be to use their existing root to sign the published
CSR for the DNS root KSK in the short term at least.

In the longer term we are going to have to have a look at the problem at a
higher level and work out how we are going to solve it in a scalable way
across all the platforms that involve a root key.

We are starting to make quite a little collection of industry forums that
are doing this root key management as a sideline.
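The lifetime assertion described above, checked from a trust store, as an added example in Go that is not part of this thread: a self-signed root's NotAfter is the key holder's stated maintenance period, and a relying party keeps the longest commitment made for a given public key, so re-certification extends it while a later, shorter certificate cannot take it back (a DNSKEY RR carries no comparable validity field; only the RRSIGs over it expire). The subject name, the years and the helper names `mustSelfSign` and `AssertedLifetime` are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustSelfSign issues a self-signed root whose NotAfter (1 January of year) is the
// holder's public statement of how long it will maintain and use the private key.
func mustSelfSign(pub ed25519.PublicKey, priv ed25519.PrivateKey, year int) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(int64(year)), // constructed: distinct per certificate
		Subject:      pkix.Name{CommonName: "Constructed Example Root"},
		NotBefore:    time.Date(2011, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return cert
}

// AssertedLifetime returns, per public key in a trust store, the latest NotAfter the
// holder has committed to: re-certification can extend it, a shorter cert cannot reduce it.
func AssertedLifetime(store []*x509.Certificate) map[string]time.Time {
	out := map[string]time.Time{}
	for _, c := range store {
		k := string(c.RawSubjectPublicKeyInfo) // same key, whatever the serial or dates
		if cur, ok := out[k]; !ok || c.NotAfter.After(cur) {
			out[k] = c.NotAfter
		}
	}
	return out
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	var store []*x509.Certificate
	for _, year := range []int{2031, 2041, 2021} { // certify, re-certify longer, then shorter
		store = append(store, mustSelfSign(pub, priv, year))
	}
	fmt.Println("root key committed through", AssertedLifetime(store)[string(store[0].RawSubjectPublicKeyInfo)].Format("2006-01-02")) // 2041-01-01
}
```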