Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key
John Dickinson <jad@sinodun.com> Tue, 30 June 2015 13:35 UTC
Return-Path: <jad@sinodun.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53FBB1A9234 for <dnsop@ietfa.amsl.com>; Tue, 30 Jun 2015 06:35:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mmxt0eEYmLjm for <dnsop@ietfa.amsl.com>; Tue, 30 Jun 2015 06:35:10 -0700 (PDT)
Received: from shcp01.hosting.zen.net.uk (shcp01.hosting.zen.net.uk [88.98.24.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C1AA1AD05D for <dnsop@ietf.org>; Tue, 30 Jun 2015 06:34:30 -0700 (PDT)
Received: from [213.219.49.160] (port=16137 helo=jads-MacBook-Air.local) by shcp01.hosting.zen.net.uk with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <jad@sinodun.com>) id 1Z9vg6-00083j-97 for dnsop@ietf.org; Tue, 30 Jun 2015 14:34:27 +0100
Message-ID: <55929AE2.50105@sinodun.com>
Date: Tue, 30 Jun 2015 14:34:26 +0100
From: John Dickinson <jad@sinodun.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: dnsop@ietf.org
References: <CAHw9_iKmhA+f8QyuLkWeXQDfwprydVaGkR+LVJACGtsTB0+Pfw@mail.gmail.com>
In-Reply-To: <CAHw9_iKmhA+f8QyuLkWeXQDfwprydVaGkR+LVJACGtsTB0+Pfw@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - shcp01.hosting.zen.net.uk
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - sinodun.com
X-Get-Message-Sender-Via: shcp01.hosting.zen.net.uk: authenticated_id: jad@sinodun.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/-ioUExkJf4lDMJUAAJZl-sbtYE0>
Subject: Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 13:35:12 -0000
On 29/06/2015 21:48, Warren Kumari wrote: > I'd appreciate any feedback, the draft announcment is here: > Name: draft-wkumari-dnsop-trust-management > Revision: 00 > Title: Simplified Updates of DNS Security (DNSSEC) Trust Anchors > Document date: 2015-06-29 > Group: Individual Submission > Pages: 8 > URL: > https://www.ietf.org/internet-drafts/draft-wkumari-dnsop-trust-management-00.txt > Status: > https://datatracker.ietf.org/doc/draft-wkumari-dnsop-trust-management/ > Htmlized: > https://tools.ietf.org/html/draft-wkumari-dnsop-trust-management-00 > Hi, This draft appears to be trying to solve several problems. 1. Signalling by a validator to an authoritative server which keys it knows about. 2. Signalling by an authoritative server the mechanism it is using to roll it's keys 3. Defining an alternative to 5011 with a different mechanism to roll keys. This seems a big ask for one draft. I have been planning to write a draft to address 1 by having validators send the DS of known TA's in an edns0 option code. This info, could then be logged by the authoritative nameservers. For problem 2 I was going to suggest advice to implementers of validators to (by default) treat all TA's as potentially 5011. A non 5011 TA is just one that is never seen to do 5011 stuff. Given the above, My feeling is that there is no need to propose an alternative to 5011 unless it adds a significant increase in security/ease of use. In addition, if I have understood your intent correctly, I have a few questions regarding the security of your proposed mechanism. Assuming the traditional large (strong) KSK used as trust anchor and smaller ZSK scenario. It appears that the TDS RRSet will be signed only by the smaller ZSK. Doesn't this effectively create a circular dependency that effectively reduces the security of the zone down to the strength of the ZSK? You mention nothing like the add hold down timer in 5011. There seems to be good justification its need in 5011. regards John
- [DNSOP] Simplified Updates of DNS Security Trust … Warren Kumari
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Ralf Weber
- Re: [DNSOP] Simplified Updates of DNS Security Tr… manning
- Re: [DNSOP] Simplified Updates of DNS Security Tr… David Conrad
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Olafur Gudmundsson
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Warren Kumari
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Warren Kumari
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Paul Vixie
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Olafur Gudmundsson
- Re: [DNSOP] Simplified Updates of DNS Security Tr… manning
- Re: [DNSOP] Simplified Updates of DNS Security Tr… David Conrad
- Re: [DNSOP] Simplified Updates of DNS Security Tr… manning
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Tony Finch
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Olafur Gudmundsson
- Re: [DNSOP] Simplified Updates of DNS Security Tr… John Dickinson
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Tony Finch
- Re: [DNSOP] Simplified Updates of DNS Security Tr… manning
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Tony Finch
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Edward Lewis
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Warren Kumari
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Warren Kumari
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Paul Wouters
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Tony Finch
- Re: [DNSOP] Simplified Updates of DNS Security Tr… Bob Harold