IETF Logo Mail Archive

Re: [DNSOP] [dnsext] Why ZSK rollover is a Bad Idea (tm)

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 07 October 2009 15:24 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DEF9D28C188 for <dnsop@core3.amsl.com>; Wed, 7 Oct 2009 08:24:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.237
X-Spam-Level:
X-Spam-Status: No, score=-5.237 tagged_above=-999 required=5 tests=[AWL=0.809, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z8ecLVtA7Hgb for <dnsop@core3.amsl.com>; Wed, 7 Oct 2009 08:24:14 -0700 (PDT)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227]) by core3.amsl.com (Postfix) with ESMTP id 264D228C15F for <dnsop@ietf.org>; Wed, 7 Oct 2009 08:23:47 -0700 (PDT)
Received: from [10.20.30.158] (75-101-30-90.dsl.dynamic.sonic.net [75.101.30.90]) (authenticated bits=0) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n97FPNNI004503 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Oct 2009 08:25:23 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p06240835c6f262857f02@[10.20.30.158]>
In-Reply-To: <712BBDEE-25FF-4E2E-A9E5-49E49162D41D@hopcount.ca>
References: <1C586E51-D77C-406C-9B89-47276A9B41B2@ICSI.Berkeley.EDU> <p06240812c6f160ac1fb2@10.20.30.158> <d3aa5d00910061408y191bf863p48a6ec703553b67e@mail.gmail.com> <FB20C78E-3A72-409C-8406-2B8A00923783@NLnetLabs.nl> <712BBDEE-25FF-4E2E-A9E5-49E49162D41D@hopcount.ca>
Date: Wed, 07 Oct 2009 08:25:21 -0700
To: Joe Abley <jabley@hopcount.ca>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="us-ascii"
Cc: Eric Rescorla <ekr@rtfm.com>, dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] [dnsext] Why ZSK rollover is a Bad Idea (tm)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2009 15:24:15 -0000

At 2:22 PM +0100 10/7/09, Joe Abley wrote:
>From this perspective we might roll a ZSK more frequently than a KSK because the ZSK needs to be stored on-line to facilitate re-signing when the zone changes. With the KSK we have the option of keeping it off-line, and arguably the risk of compromise is consequently lower. Regular testing of the machinery is still important, however.

Please define "on-line" and "off-line". In the deployments I have heard of, both types of keys are stored with the same security procedures, but the ZSK might be stored in a physically different location (or not). The operational aspects of using the two keys are nearly identical.

--Paul Hoffman, Director
--VPN Consortium

v2.45.0 | Report a Bug | By Email | System Status