Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

Tony Finch <dot@dotat.at> Tue, 30 June 2015 13:57 UTC

Date: Tue, 30 Jun 2015 14:57:41 +0100
From: Tony Finch <dot@dotat.at>
To: John Dickinson <jad@sinodun.com>
In-Reply-To: <55929AE2.50105@sinodun.com>
Message-ID: <alpine.LSU.2.00.1506301453160.32296@hermes-1.csi.cam.ac.uk>
References: <CAHw9_iKmhA+f8QyuLkWeXQDfwprydVaGkR+LVJACGtsTB0+Pfw@mail.gmail.com> <55929AE2.50105@sinodun.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/9_kEoDwfBjuY1w6LCAjuJrTli-0>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

John Dickinson <jad@sinodun.com> wrote:
>
> I have been planning to write a draft to address 1 by having validators send
> the DS of known TAs in an edns0 option code. This info could then be logged
> by the authoritative nameservers.

Good idea, though just the key tags should be enough. (I think key
management software ensures that tags don't collide.) If you only include
the EDNS option when querying for the DNSKEY RRset then that tells the
server which zone the trust anchor key tags belong to.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty, Forth, Tyne, Dogger: South or southeast 4 or 5, increasing
6 at times. Slight or moderate. Mainly fair. Moderate or good.
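The signalling John proposes and Tony refines, as an added example that is not part of either message or of any draft: a standard-library Python sketch of the validator side building a DNSKEY query whose OPT RR carries its trust anchor key tags, and the authoritative side extracting them for logging only when the query is for DNSKEY, so the tags are tied to a zone. The option code 65001 is a placeholder in the local-use range (the thread assigns none), and the query ID and key tags are constructed sample values.

```python
import struct

DNSKEY, OPT, IN, EDNS_DO = 48, 41, 1, 0x8000
# Placeholder option code for this example (the thread assigns none); 65001 is local-use space.
TA_KEY_TAG_OPTION = 65001

def encode_name(name):
    """Dotted name -> uncompressed wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Uncompressed wire-format name -> (dotted name, offset past it)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return (".".join(labels) + "." if labels else "."), off + 1

def build_dnskey_query(qname, qid, key_tags):
    """Validator side: DNSKEY query whose OPT RR carries the trust anchor key tags."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)      # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", DNSKEY, IN)
    tags = b"".join(struct.pack("!H", t) for t in key_tags)
    option = struct.pack("!HH", TA_KEY_TAG_OPTION, len(tags)) + tags
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT, 4096, EDNS_DO, len(option)) + option  # root name, 4096 payload, DO
    return header + question + opt_rr

def extract_trust_anchor_tags(msg):
    """Authoritative side: (qname, [key tags]) if a DNSKEY query signals its trust anchors, else None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        return None
    qname, off = read_name(msg, 12)
    qtype, off = struct.unpack("!HH", msg[off:off + 4])[0], off + 4
    if qtype != DNSKEY:                       # only a DNSKEY query ties the tags to a zone
        return None
    for _ in range(an + ns + ar):             # scan the remaining RRs for OPT
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):          # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            pos += 4
            if code == TA_KEY_TAG_OPTION and olen % 2 == 0:
                return qname, list(struct.unpack("!%dH" % (olen // 2), rdata[pos:pos + olen]))
            pos += olen
    return None
```

A validator would send only the tags of the anchors it actually holds, so a per-zone tally of the logged tags shows how many validators still trust a key that is about to be retired.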