Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key
Tony Finch <dot@dotat.at> Tue, 30 June 2015 12:53 UTC
Date: Tue, 30 Jun 2015 13:53:03 +0100
From: Tony Finch <dot@dotat.at>
To: Olafur Gudmundsson <olafur@cloudflare.com>
In-Reply-To: <CAN6NTqzTS9TYZ9C3gAkHFjZ_hpH7svnHgZZhhGMff3DVEb62Tw@mail.gmail.com>
Message-ID: <alpine.LSU.2.00.1506301341240.3128@hermes-1.csi.cam.ac.uk>
References: <CAHw9_iKmhA+f8QyuLkWeXQDfwprydVaGkR+LVJACGtsTB0+Pfw@mail.gmail.com> <CAN6NTqzTS9TYZ9C3gAkHFjZ_hpH7svnHgZZhhGMff3DVEb62Tw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/03dxcZ5rXO0u5FQiaII46_NuLws>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key
Olafur Gudmundsson <olafur@cloudflare.com> wrote:

> There is a much simpler way.
> Just add a record to the root zone that is only signed by the new key.
> If the resolver returns the AD bit it has the new key.

I don't think this works.

If the new key is published in the root zone's DNSKEY RRset then it will be
signed by the old key, so a validator will have a trust path from a stale
trust anchor down to the special record (just like it does for records
signed by ZSKs).

If the new key is not published in the root zone, then you are assuming that
the validator uses DNSKEY records for its trust anchor configuration (but
some validators use DS records) and that the validator will allow any RRset
to be signed by the trust anchor (but RFC 4035 section 5 suggests only using
the trust anchor to validate the apex DNSKEY RRset).

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Shannon, Rockall, Malin: South 5 to 7, occasionally gale 8 at first in
Rockall, decreasing 3 or 4. Moderate or rough, occasionally very rough except
in Malin. Rain then fog patches. Moderate, occasionally very poor.
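The two cases in the message above (new key published in the apex DNSKEY RRset, or kept out of it), worked through as a toy validator. This is an added example, not code from the thread or from any resolver. Signatures are simulated with HMAC from the Python standard library so it runs offline; real DNSSEC uses public-key signatures, so here the anchor's "key material" is just the HMAC secret, and a DS-form anchor is modelled as a bare key tag. The zone name ".", the key tags, the `_sentinel` TXT record and the `validate()` policy switch are all constructed for the example.

```python
"""
Toy model of DNSSEC trust-anchor validation, illustrating why a record signed
only by the new root KSK does not tell you whether a resolver has the new key.
Assumptions: HMAC stands in for public-key signatures; a DNSKEY-form trust
anchor carries key material, a DS-form anchor carries only a key tag.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    tag: int        # stand-in for a DNSKEY key tag (values are made up)
    secret: bytes   # toy key material; real DNSSEC has a public/private pair

    def __str__(self) -> str:
        return f"{self.tag}:{self.secret.hex()}"

    def sign(self, name: str, rrtype: str, rdata: tuple) -> bytes:
        return hmac.new(self.secret, canonical(name, rrtype, rdata), hashlib.sha256).digest()

    def verify(self, name: str, rrtype: str, rdata: tuple, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(name, rrtype, rdata), sig)


def canonical(name: str, rrtype: str, rdata: tuple) -> bytes:
    """Canonical form of an RRset: owner, type and sorted rdata (in the spirit of RFC 4034 s6)."""
    return "\n".join([name, rrtype, *sorted(str(r) for r in rdata)]).encode()


class Zone:
    """A signed zone: each RRset carries RRSIGs keyed by the signing key's tag."""

    def __init__(self) -> None:
        self.rrsets: dict[tuple[str, str], tuple[tuple, dict[int, bytes]]] = {}

    def add(self, name: str, rrtype: str, rdata: tuple, signers: list) -> None:
        sigs = {k.tag: k.sign(name, rrtype, rdata) for k in signers}
        self.rrsets[(name, rrtype)] = (rdata, sigs)


def validate(zone: Zone, name: str, rrtype: str, anchor, anchor_only_for_dnskey: bool = True) -> bool:
    """Return True if (name, rrtype) validates, i.e. the resolver would set AD.

    anchor is a Key (DNSKEY-form trust anchor, key material in hand) or an int
    key tag (DS-form anchor: usable only if a matching key is in the published
    apex DNSKEY RRset).  anchor_only_for_dnskey=True uses the anchor solely to
    authenticate the apex DNSKEY RRset, as RFC 4035 section 5 suggests; False
    models a validator that lets the anchor sign any RRset directly.
    """
    dnskey_rdata, dnskey_sigs = zone.rrsets[(".", "DNSKEY")]
    if isinstance(anchor, Key):
        anchor_key = anchor
    else:
        anchor_key = next((k for k in dnskey_rdata if k.tag == anchor), None)
        if anchor_key is None:
            return False  # DS-form anchor with no matching DNSKEY: nothing to verify with
    # Step 1: authenticate the apex DNSKEY RRset with the trust anchor.
    sig = dnskey_sigs.get(anchor_key.tag)
    dnskey_ok = sig is not None and anchor_key.verify(".", "DNSKEY", dnskey_rdata, sig)
    usable = set(dnskey_rdata) if dnskey_ok else set()
    if not anchor_only_for_dnskey:
        usable.add(anchor_key)
    # Step 2: any key from the authenticated DNSKEY RRset may sign the target RRset.
    rdata, sigs = zone.rrsets[(name, rrtype)]
    return any(k.verify(name, rrtype, rdata, sigs[k.tag]) for k in usable if k.tag in sigs)


# Constructed keys and sentinel record (tags are arbitrary, not real root key tags).
OLD_KSK = Key(1111, b"old-ksk-secret")
NEW_KSK = Key(2222, b"new-ksk-secret")
ZSK = Key(3333, b"zsk-secret")
SENTINEL = ("_sentinel", "TXT", ("signed only by the new key",))


def proposal_with_new_key_published() -> dict:
    """New key in the DNSKEY RRset, so the RRset is signed by the old KSK too."""
    z = Zone()
    z.add(".", "DNSKEY", (OLD_KSK, NEW_KSK, ZSK), signers=[OLD_KSK, NEW_KSK])
    z.add(*SENTINEL, signers=[NEW_KSK])
    return {
        "stale_anchor": validate(z, "_sentinel", "TXT", OLD_KSK),  # True: AD set anyway
        "new_anchor": validate(z, "_sentinel", "TXT", NEW_KSK),
    }


def proposal_with_new_key_unpublished() -> dict:
    """New key kept out of the DNSKEY RRset; sentinel signed only by the new key."""
    z = Zone()
    z.add(".", "DNSKEY", (OLD_KSK, ZSK), signers=[OLD_KSK])
    z.add(*SENTINEL, signers=[NEW_KSK])
    return {
        "stale_anchor": validate(z, "_sentinel", "TXT", OLD_KSK),
        "new_dnskey_anchor_strict": validate(z, "_sentinel", "TXT", NEW_KSK),
        "new_dnskey_anchor_lenient": validate(z, "_sentinel", "TXT", NEW_KSK, anchor_only_for_dnskey=False),
        "new_ds_anchor": validate(z, "_sentinel", "TXT", NEW_KSK.tag),
    }


if __name__ == "__main__":
    print("published:  ", proposal_with_new_key_published())
    print("unpublished:", proposal_with_new_key_unpublished())
```

With the new key published, the stale-anchor validator still sets AD on the sentinel, because the old KSK vouches for the whole DNSKEY RRset and therefore for the new key. With the new key unpublished, only a validator that both holds a DNSKEY-form anchor and lets that anchor sign arbitrary RRsets sets AD; a DS-form anchor or an RFC 4035 section 5 validator does not, so the AD bit measures validator policy rather than trust-anchor state.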