Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-recovery-01
Phil Regnauld <regnauld@nsrc.org> Thu, 06 September 2012 09:08 UTC
Return-Path: <regnauld@x0.dk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0870421F856F for <dnsop@ietfa.amsl.com>; Thu, 6 Sep 2012 02:08:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gUeVtIE5Ve5l for <dnsop@ietfa.amsl.com>; Thu, 6 Sep 2012 02:08:42 -0700 (PDT)
Received: from moof.catpipe.net (moof.catpipe.net [194.28.252.64]) by ietfa.amsl.com (Postfix) with ESMTP id 7A61B21F855D for <dnsop@ietf.org>; Thu, 6 Sep 2012 02:08:41 -0700 (PDT)
Received: from localhost (moof.catpipe.net [194.28.252.64]) by localhost.catpipe.net (Postfix) with ESMTP id 531FB4CEEB3; Thu, 6 Sep 2012 11:08:39 +0200 (CEST)
Received: from moof.catpipe.net ([194.28.252.64]) by localhost (moof.catpipe.net [194.28.252.64]) (amavisd-new, port 10024) with ESMTP id RoPu+CJ5DSUg; Thu, 6 Sep 2012 11:08:39 +0200 (CEST)
Received: from macbook.bluepipe.net (x0.dk [194.19.205.214]) (Authenticated sender: relayuser) by moof.catpipe.net (Postfix) with ESMTPA id 7E2DB4CEEB9; Thu, 6 Sep 2012 11:08:38 +0200 (CEST)
Received: by macbook.bluepipe.net (Postfix, from userid 1001) id CD64D19FA188; Thu, 6 Sep 2012 11:08:39 +0200 (CEST)
Date: Thu, 06 Sep 2012 11:08:39 +0200
From: Phil Regnauld <regnauld@nsrc.org>
To: Yoshiro YONEYA <yoshiro.yoneya@jprs.co.jp>
Message-ID: <20120906090839.GF83242@macbook.bluepipe.net>
References: <504789CA.6040703@nthpermutation.com> <20120906173616.f83c7580ca0c4e1439092747@jprs.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20120906173616.f83c7580ca0c4e1439092747@jprs.co.jp>
X-Operating-System: Darwin 12.1.0 x86_64
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-recovery-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Sep 2012 09:08:43 -0000
Yoshiro YONEYA (yoshiro.yoneya) writes: > > Indeed, the document is imcomplete, and need feedbacks from experiences. There are indeed many ways to facilitate recovery, not all of them practical or realistic. Here's one that's more in the realm of prevention, but would faciliate recovery, assuming the implementation doesn't suffer from the same operational errors that led the zone owner to consider recovery in the first place, and assuming the DS-set has been completely borked by the parent: Case 6: always have a backup (fallback) DS, published alongside the existing (production) DS record or records (during rollover) currently associated with the currently active (production) KSK. Keep this backup KSK in a safe place, and in case of serious SNAFU with the existing DS-KSK couple, pull the backup KSK out of the Safe Place, and start signing the ZSK with that. The DS-set containing the active + backup KSK being by definition always published, this should allow for faster convergence (assuming a fairly low TTL for the DNSKEY RRset in the signed zone). The problem with the ID may be that there are so many different ways of doing this (hinted at by the phrase "Registration system (or zone generation system) of parent zone will be complicated.")... Phil
- [DNSOP] draft-yoneya-dnssec-kskro-failure-recover… Michael StJohns
- Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-rec… Yoshiro YONEYA
- Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-rec… Phil Regnauld
- Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-rec… Paul Wouters
- Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-rec… Yoshiro YONEYA
- Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-rec… Yoshiro YONEYA
- Re: [DNSOP] draft-yoneya-dnssec-kskro-failure-rec… Paul Wouters