Re: [dnsext] historal root keys for upgrade path?

Phillip Hallam-Baker <hallam@gmail.com> Mon, 31 January 2011 19:34 UTC

In-Reply-To: <B4F822D3-F4D6-4657-B299-075B89B5CC86@hopcount.ca>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <17A80F45-52CB-43F6-BD4A-3488821F6933@hopcount.ca> <3A1DEE95-8C8E-4C89-97EB-6D8F799ADE25@virtualized.org> <583A62B0-0DBF-469A-AF8A-B81DEDD1E7E2@dotat.at> <86B1D38A-C274-4335-B30E-3C5C0DF05C38@hopcount.ca> <4D45DE93.9090508@vpnc.org> <AANLkTinbjRebooyqWMpZ2oTudruoDSGqgaXXr35WPYVH@mail.gmail.com> <AANLkTikiqe2K4S-dNsyQZ-xp71J4bM11SsahwpxfDKCX@mail.gmail.com> <4C747F08-A9E8-46E6-AE76-0A999A16D276@hopcount.ca> <AANLkTinOtx88vK3mz-w=uw1CnsKwm=c-nTDOsj=5JAPY@mail.gmail.com> <B4F822D3-F4D6-4657-B299-075B89B5CC86@hopcount.ca>
Date: Mon, 31 Jan 2011 14:37:55 -0500
Message-ID: <AANLkTi=BtqV3XF-yXhDBNd7hPCbJCWKuS-WsO=_nf6g3@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: dnsext@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dnsext] historal root keys for upgrade path?

On Mon, Jan 31, 2011 at 2:20 PM, Joe Abley <jabley@hopcount.ca> wrote:

>
> On 2011-01-31, at 13:22, Brian Dickson wrote:
>
> > On Mon, Jan 31, 2011 at 9:24 AM, Joe Abley <jabley@hopcount.ca> wrote:
> >>
> >> Since we have a published DPS, let's refer to that rather than pulling
> numbers out of e-mail threads.
> >>
> >> https://www.iana.org/dnssec/icann-dps.txt
> >
> > Thanks for pointing that out.
> >
> > Having read it, it appears that any new RZ KSK is pre-published and
> > signed by the old KSK for about 50 days only.
>
> For a scheduled KSK roll, yes. Note that that's not what we're talking
> about.


That is the one that I was talking about.

If we ever got to the stage where we did an emergency roll, we would be in
unknown territory. It's like planning for what to do in case of civil war in
the US. So many other things would have to change before it was a possibility
that planning is futile.


ICANN can eliminate the problem of rollovers for scheduled rolls by
announcing that it will never roll the key except in an emergency.

We faced this problem in the PKI world and found that 20-year roots were a
better solution. So far the only issues caused have been due to doubts as to
the security of the cryptographic algorithm, which in turn is perhaps
excusable given that the state of cryptography was not as good in the 1990s
as it is today. [*]

I know that it is fashionable to roll keys every so often. But in the case
of a root key it causes more problems than it solves.


[*] Use of MD5 is discouraged for new signatures, but it is not yet
compromised in a way that invalidates MD5-signed roots.
-- 
Website: http://hallambaker.com/
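The upgrade-path question behind this thread (a validator whose built-in trust anchor predates a scheduled roll only has a signed path to the new KSK if it is online while the old KSK still signs the DNSKEY RRset carrying the new one) can be modelled directly. The following is an added example written for this page; it is not code from the thread, from ICANN or from any resolver. The key tags 1001, 2002 and 3003, the roll dates and the "first switched on" dates are constructed; the only figure taken from the thread is the roughly 50-day pre-publication window quoted from the DPS. RFC 5011 hold-down timers and REVOKE handling are deliberately left out, since the point is only whether a signed path exists at all.

```python
"""Toy model of the root KSK upgrade-path problem (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

DAY = timedelta(days=1)


@dataclass(frozen=True)
class KskRoll:
    """One scheduled KSK roll.

    new_key / old_key are DNSKEY key tags (constructed values, not real root keys).
    From `published`, the root DNSKEY RRset contains new_key and is signed by
    old_key; old_key keeps signing that RRset for `overlap_days`.
    """
    new_key: int
    old_key: int
    published: date
    overlap_days: int

    @property
    def last_signed_by_old(self) -> date:
        """Last day on which a validator trusting only old_key can validate new_key."""
        return self.published + self.overlap_days * DAY


def reachable_keys(anchor: int, first_online: date, rolls: list[KskRoll]) -> list[int]:
    """Return the chain of KSKs a validator can come to trust.

    The validator starts with `anchor` baked in, first validates on
    `first_online` and stays online afterwards. A roll is usable only if
    (a) its old_key is already trusted and (b) the window in which old_key
    signs the RRset carrying new_key has not closed before the validator
    is online. A missed roll breaks the chain for every later roll that
    is signed only by the missed key.
    """
    trusted = [anchor]
    for roll in sorted(rolls, key=lambda r: r.published):
        if roll.old_key in trusted and roll.last_signed_by_old >= first_online:
            trusted.append(roll.new_key)
    return trusted


def has_upgrade_path(anchor: int, first_online: date, rolls: list[KskRoll]) -> bool:
    """True if the validator ends up trusting the newest KSK (or there were no rolls)."""
    if not rolls:
        return True  # a never-rolled 20-year style anchor has nothing to bridge
    newest = max(rolls, key=lambda r: r.published).new_key
    return newest in reachable_keys(anchor, first_online, rolls)


def scheduled_rolls(overlap_days: int) -> list[KskRoll]:
    """Constructed timeline: anchor 1001 rolls to 2002 in 2015 and to 3003 in 2020.

    overlap_days=50 mirrors the ~50-day pre-publication window quoted from the
    DPS; a very large value models 'the old key keeps signing indefinitely',
    i.e. retaining historical root keys for an upgrade path.
    """
    return [
        KskRoll(new_key=2002, old_key=1001, published=date(2015, 1, 1), overlap_days=overlap_days),
        KskRoll(new_key=3003, old_key=2002, published=date(2020, 1, 1), overlap_days=overlap_days),
    ]


def run_scenarios() -> dict[str, list[int]]:
    """Constructed cases: same shipped anchor, different first-boot dates and overlap policies."""
    return {
        "boot_inside_window_50d": reachable_keys(1001, date(2015, 2, 1), scheduled_rolls(50)),
        "boot_after_window_50d": reachable_keys(1001, date(2016, 6, 1), scheduled_rolls(50)),
        "boot_after_window_old_key_retained": reachable_keys(1001, date(2016, 6, 1), scheduled_rolls(36500)),
        "anchor_2002_boot_2021_50d": reachable_keys(2002, date(2021, 1, 1), scheduled_rolls(50)),
    }


if __name__ == "__main__":
    for name, chain in run_scenarios().items():
        print(f"{name:38s} trusted chain {chain}")
    print("no rolls at all:", has_upgrade_path(1001, date(2030, 1, 1), []))
```

Only the "boot inside window" and "old key retained" cases reach the newest KSK; a device first powered on a year after a 50-day roll is stuck on its shipped anchor, which is exactly the case a scheduled-roll-only policy does not cover.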