IETF Logo Mail Archive

Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-recovery-01

Phil Regnauld <regnauld@nsrc.org> Thu, 06 September 2012 09:08 UTC

Return-Path: <regnauld@x0.dk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0870421F856F for <dnsop@ietfa.amsl.com>; Thu, 6 Sep 2012 02:08:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gUeVtIE5Ve5l for <dnsop@ietfa.amsl.com>; Thu, 6 Sep 2012 02:08:42 -0700 (PDT)
Received: from moof.catpipe.net (moof.catpipe.net [194.28.252.64]) by ietfa.amsl.com (Postfix) with ESMTP id 7A61B21F855D for <dnsop@ietf.org>; Thu, 6 Sep 2012 02:08:41 -0700 (PDT)
Received: from localhost (moof.catpipe.net [194.28.252.64]) by localhost.catpipe.net (Postfix) with ESMTP id 531FB4CEEB3; Thu, 6 Sep 2012 11:08:39 +0200 (CEST)
Received: from moof.catpipe.net ([194.28.252.64]) by localhost (moof.catpipe.net [194.28.252.64]) (amavisd-new, port 10024) with ESMTP id RoPu+CJ5DSUg; Thu, 6 Sep 2012 11:08:39 +0200 (CEST)
Received: from macbook.bluepipe.net (x0.dk [194.19.205.214]) (Authenticated sender: relayuser) by moof.catpipe.net (Postfix) with ESMTPA id 7E2DB4CEEB9; Thu, 6 Sep 2012 11:08:38 +0200 (CEST)
Received: by macbook.bluepipe.net (Postfix, from userid 1001) id CD64D19FA188; Thu, 6 Sep 2012 11:08:39 +0200 (CEST)
Date: Thu, 06 Sep 2012 11:08:39 +0200
From: Phil Regnauld <regnauld@nsrc.org>
To: Yoshiro YONEYA <yoshiro.yoneya@jprs.co.jp>
Message-ID: <20120906090839.GF83242@macbook.bluepipe.net>
References: <504789CA.6040703@nthpermutation.com> <20120906173616.f83c7580ca0c4e1439092747@jprs.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20120906173616.f83c7580ca0c4e1439092747@jprs.co.jp>
X-Operating-System: Darwin 12.1.0 x86_64
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-recovery-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Sep 2012 09:08:43 -0000

Yoshiro YONEYA (yoshiro.yoneya) writes:
> 
> Indeed, the document is imcomplete, and need feedbacks from experiences. 

	There are indeed many ways to facilitate recovery, not all of them
	practical or realistic.

	Here's one that's more in the realm of prevention, but would faciliate
	recovery, assuming the implementation doesn't suffer from the same
	operational errors that led the zone owner to consider recovery in
	the first place, and assuming the DS-set has been completely borked
	by the parent:

	Case 6: always have a backup (fallback) DS, published alongside the
	existing (production) DS record or records (during rollover) currently
	associated with the currently active (production) KSK.
	Keep this backup KSK in a safe place, and in case of serious SNAFU with
	the existing DS-KSK couple, pull the backup KSK out of the Safe Place,
	and start signing the ZSK with that. The DS-set containing the active +
	backup KSK being by definition always published, this should allow for
	faster convergence (assuming a fairly low TTL for the DNSKEY RRset in
	the signed zone).

	The problem with the ID may be that there are so many different ways
	of doing this (hinted at by the phrase "Registration system (or zone
	generation system) of parent zone will be complicated.")...

	Phil

v2.23.0 | Report a Bug | By Email