IETF Logo Mail Archive

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

John Dickinson <jad@sinodun.com> Tue, 30 June 2015 13:35 UTC

Return-Path: <jad@sinodun.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53FBB1A9234 for <dnsop@ietfa.amsl.com>; Tue, 30 Jun 2015 06:35:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mmxt0eEYmLjm for <dnsop@ietfa.amsl.com>; Tue, 30 Jun 2015 06:35:10 -0700 (PDT)
Received: from shcp01.hosting.zen.net.uk (shcp01.hosting.zen.net.uk [88.98.24.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C1AA1AD05D for <dnsop@ietf.org>; Tue, 30 Jun 2015 06:34:30 -0700 (PDT)
Received: from [213.219.49.160] (port=16137 helo=jads-MacBook-Air.local) by shcp01.hosting.zen.net.uk with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <jad@sinodun.com>) id 1Z9vg6-00083j-97 for dnsop@ietf.org; Tue, 30 Jun 2015 14:34:27 +0100
Message-ID: <55929AE2.50105@sinodun.com>
Date: Tue, 30 Jun 2015 14:34:26 +0100
From: John Dickinson <jad@sinodun.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: dnsop@ietf.org
References: <CAHw9_iKmhA+f8QyuLkWeXQDfwprydVaGkR+LVJACGtsTB0+Pfw@mail.gmail.com>
In-Reply-To: <CAHw9_iKmhA+f8QyuLkWeXQDfwprydVaGkR+LVJACGtsTB0+Pfw@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - shcp01.hosting.zen.net.uk
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - sinodun.com
X-Get-Message-Sender-Via: shcp01.hosting.zen.net.uk: authenticated_id: jad@sinodun.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/-ioUExkJf4lDMJUAAJZl-sbtYE0>
Subject: Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 13:35:12 -0000


On 29/06/2015 21:48, Warren Kumari wrote:
> I'd appreciate any feedback, the draft announcment is here:
> Name:           draft-wkumari-dnsop-trust-management
> Revision:       00
> Title:          Simplified Updates of DNS Security (DNSSEC) Trust Anchors
> Document date:  2015-06-29
> Group:          Individual Submission
> Pages:          8
> URL:
> https://www.ietf.org/internet-drafts/draft-wkumari-dnsop-trust-management-00.txt
> Status:
> https://datatracker.ietf.org/doc/draft-wkumari-dnsop-trust-management/
> Htmlized:
> https://tools.ietf.org/html/draft-wkumari-dnsop-trust-management-00
>
Hi,

This draft appears to be trying to solve several problems.
1. Signalling by a validator to an authoritative server which keys it 
knows about.
2. Signalling by an authoritative server the mechanism it is using to 
roll it's keys
3. Defining an alternative to 5011 with a different mechanism to roll keys.

This seems a big ask for one draft.

I have been planning to write a draft to address 1 by having validators 
send the DS of known TA's in an edns0 option code. This info, could then 
be logged by the authoritative nameservers.

For problem 2 I was going to suggest advice to implementers of 
validators to (by default) treat all TA's as potentially 5011. A non 
5011 TA is just one that is never seen to do 5011 stuff.

Given the above, My feeling is that there is no need to propose an 
alternative to 5011 unless it adds a significant increase in 
security/ease of use.

In addition, if I have understood your intent correctly, I have a few 
questions regarding the security of your proposed mechanism.

Assuming the traditional large (strong) KSK used as trust anchor and 
smaller ZSK scenario.
It appears that the TDS RRSet will be signed only by the smaller ZSK. 
Doesn't this effectively create a circular dependency that effectively 
reduces the security of the zone down to the strength of the ZSK?

You mention nothing like the add hold down timer in 5011. There seems to 
be good justification its need in 5011.

regards
John

v2.23.0 | Report a Bug | By Email