Re: [DNSOP] Why ZSK rollover is a Bad Idea (tm)
Doug Barton <dougb@dougbarton.us> Thu, 08 October 2009 06:12 UTC
Message-ID: <4ACD8333.7050806@dougbarton.us>
Date: Wed, 07 Oct 2009 23:14:11 -0700
From: Doug Barton <dougb@dougbarton.us>
Organization: http://SupersetSolutions.com/
To: Roy Arends <roy@dnss.ec>
References: <1C586E51-D77C-406C-9B89-47276A9B41B2@ICSI.Berkeley.EDU> <p06240812c6f160ac1fb2@10.20.30.158> <d3aa5d00910061408y191bf863p48a6ec703553b67e@mail.gmail.com> <FB20C78E-3A72-409C-8406-2B8A00923783@NLnetLabs.nl> <712BBDEE-25FF-4E2E-A9E5-49E49162D41D@hopcount.ca> <005603A4-31C0-49E0-894F-3FAEB38D7D92@dnss.ec>
In-Reply-To: <005603A4-31C0-49E0-894F-3FAEB38D7D92@dnss.ec>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Why ZSK rollover is a Bad Idea (tm)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
Roy Arends wrote:
> I find it worrying that folks intend to test or practice operational
> procedures by doing it often on a live production system. What if that
> test or practice fails? "Whoops, we were testing it on the live system,
> we failed, good thing we called it a test"
>
> There is also a risk involved by rolling keys over regularly. Especially
> when the schedule is publicly announced. "If your attack fails, we will
> have write access to the keystore _every month_, on the 1st, at exactly
> 3 am cest".
>
> I fail to see the operational benefit of "Frequent Rollover Syndrome".

Roy,

I know you understand the concept that no matter how well you practice
something in the QA lab you're never really _sure_ it works till you do
it "in the wild." I think that at least in the early days of actual
DNSSEC deployment (which we have barely stepped into atm) it's very
reasonable to exercise all parts of the system now, under (relatively)
controlled conditions, so that down the road, if we reach a point where
we are forced to do an emergency key rollover on an "important" zone,
we'll have some level of comfort (or at least know where to look for
things to break).

Down the road I tend to agree with you that "frequent" KSK rollover will
probably not have much benefit, but if I were administering a zone for
which DNSSEC was critical I'd probably do it once a year just to keep
all parts of the machine lubricated.

Doug

-- 
Improve the effectiveness of your Internet presence with a domain name
makeover! http://SupersetSolutions.com/
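The thread argues about whether to rehearse ZSK rollovers on live zones; what actually breaks a rehearsed or emergency rollover is timing, so here is an added example (editor's code, not from the thread or from either participant) of the two waiting periods a pre-publish ZSK rollover must respect, per RFC 4641 section 4.2.1.1: the new DNSKEY must be visible for at least the DNSKEY TTL before anything is signed with it, and the old DNSKEY must stay until RRSIGs made with it can no longer be in caches. The TTLs, propagation allowance, key tags and timestamps are constructed for illustration; the checker takes as input what you would read back from the zone as served (the key tags in the DNSKEY RRset and in the RRSIGs), so it can be run before each step as a dry-run gate.

```python
"""Timing checks for a pre-publish ZSK rollover (RFC 4641, section 4.2.1.1).

Added example, not part of the DNSOP thread. The waiting periods follow the
RFC; every parameter value, key tag and timestamp below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RolloverPlan:
    dnskey_ttl: int         # TTL of the zone's DNSKEY RRset (seconds)
    max_zone_ttl: int       # largest TTL of any RRset the ZSK signs (seconds)
    propagation: int        # assumed worst case for a change to reach all secondaries
    safety_margin: int = 0  # extra slack the operator chooses to add

    def _wait(self, cache_ttl: int) -> timedelta:
        return timedelta(seconds=cache_ttl + self.propagation + self.safety_margin)

    def earliest_sign_with_new(self, new_published: datetime) -> datetime:
        """Caches may hold the DNSKEY RRset without the new key for dnskey_ttl after
        it is added; RRSIGs made with the new key before then fail to validate."""
        return new_published + self._wait(self.dnskey_ttl)

    def earliest_remove_old(self, old_sigs_last_served: datetime) -> datetime:
        """RRSIGs by the old key can sit in caches for max_zone_ttl after the zone
        stopped serving them; the old DNSKEY must remain until they are gone."""
        return old_sigs_last_served + self._wait(self.max_zone_ttl)


def schedule(plan: RolloverPlan, new_published: datetime) -> dict:
    """Timeline if the zone is re-signed with the new key at the first safe moment.
    The re-sign is also the last moment old-key RRSIGs are served, so the removal
    clock starts there."""
    sign_with_new = plan.earliest_sign_with_new(new_published)
    return {
        "publish_new": new_published,
        "sign_with_new": sign_with_new,
        "remove_old": plan.earliest_remove_old(sign_with_new),
    }


def old_key_removable(plan: RolloverPlan, now: datetime,
                      dnskey_tags: set, rrsig_tags: set,
                      old_tag: int, new_tag: int,
                      new_sigs_first_served: datetime):
    """Gate for the final step. dnskey_tags / rrsig_tags are the key tags observed
    in the served DNSKEY RRset and in the zone's RRSIGs (e.g. from dig +dnssec)."""
    if new_tag not in dnskey_tags:
        return False, "new ZSK is not in the published DNSKEY RRset"
    if new_tag not in rrsig_tags:
        return False, "zone is not yet signed with the new ZSK"
    if old_tag in rrsig_tags:
        return False, "zone still serves RRSIGs made with the old ZSK"
    earliest = plan.earliest_remove_old(new_sigs_first_served)
    if now < earliest:
        return False, f"old-ZSK RRSIGs may still be cached until {earliest.isoformat()}"
    return True, "safe to remove the old ZSK"


if __name__ == "__main__":
    # Constructed values: 1h DNSKEY TTL, 1d largest zone TTL, 30min propagation.
    plan = RolloverPlan(dnskey_ttl=3600, max_zone_ttl=86400, propagation=1800)
    t0 = datetime(2009, 10, 8, 0, 0, tzinfo=timezone.utc)
    for step, when in schedule(plan, t0).items():
        print(f"{step:14s} {when.isoformat()}")
    ok, why = old_key_removable(plan, t0 + timedelta(hours=12),
                                dnskey_tags={12345, 54321}, rrsig_tags={54321},
                                old_tag=12345, new_tag=54321,
                                new_sigs_first_served=t0 + timedelta(minutes=90))
    print(ok, why)
```

The two clocks are deliberately separate: the first is bounded by the DNSKEY TTL, the second by the largest TTL of anything the ZSK signs, and confusing them is the usual way a rehearsed rollover serves unverifiable answers.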