Re: [DNSOP] how to delete obsolete DS for obsolete DNSKEY using CDS/CDNSKEY
Warren Kumari <warren@kumari.net> Thu, 06 February 2014 19:13 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E3991A0445 for <dnsop@ietfa.amsl.com>; Thu, 6 Feb 2014 11:13:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VQk4Wm9rIS-X for <dnsop@ietfa.amsl.com>; Thu, 6 Feb 2014 11:13:07 -0800 (PST)
Received: from mail-wi0-f177.google.com (mail-wi0-f177.google.com [209.85.212.177]) by ietfa.amsl.com (Postfix) with ESMTP id 4A5C51A03E4 for <dnsop@ietf.org>; Thu, 6 Feb 2014 11:13:07 -0800 (PST)
Received: by mail-wi0-f177.google.com with SMTP id e4so145242wiv.4 for <dnsop@ietf.org>; Thu, 06 Feb 2014 11:13:05 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=JsQkHHicn1pM6KK/6xDVCY8fnu38tB1CE5F4dG4W9Gs=; b=WZ0kbKoFofxziroNs0vADVZrUWyJDAYC/G8lfoD44+WuAvVIWKLnANMbbOu1X+QI8M Our+H06hxt76/fOj0dE85QHrCDaPCv1CWlULeNs0fZFSjrbfZ04kE3ESTXwE3Bvdtky/ zs9js6PJaZ6BNvPpch3WFR+FPhtRPz1AtGthv5j8lSe4gGh8E2XHgRWegl3ejGAN9Cqi zIvhnwZHetDjlV4JOFD9p/H6WkZVKSo6jkOUd49V2k2kqdp1lOoPYFfdRxLPJTySkpSx sfQPY6hEQc4Rmsu7+x0bR3+yd6jFtR8Mjg8sh8s793cHJuGU5YTAxiLUG05GpOW03rM5 sq5A==
X-Gm-Message-State: ALoCoQmwnzMgsUS/F27JGaAF+Wbi0yh449l9E3t1Lr5TKJA81ACbbgi/gulK2u/35yATuVwuXDpM
MIME-Version: 1.0
X-Received: by 10.194.84.144 with SMTP id z16mr7275908wjy.23.1391713985677; Thu, 06 Feb 2014 11:13:05 -0800 (PST)
Received: by 10.194.54.167 with HTTP; Thu, 6 Feb 2014 11:13:05 -0800 (PST)
X-Originating-IP: [98.244.98.35]
In-Reply-To: <CAJE_bqe95pn8rHvK3UffPDn+_rGYiq2G5sfdgqisH4JG7gFjBA@mail.gmail.com>
References: <CAJE_bqe95pn8rHvK3UffPDn+_rGYiq2G5sfdgqisH4JG7gFjBA@mail.gmail.com>
Date: Thu, 06 Feb 2014 14:13:05 -0500
Message-ID: <CAHw9_i+Jt4Ok+CddheGT_nA=e4srgbUSQy98GeQ9qGn_Cncjag@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] how to delete obsolete DS for obsolete DNSKEY using CDS/CDNSKEY
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 19:13:10 -0000
On Thu, Feb 6, 2014 at 1:29 PM, 神明達哉 <jinmei@wide.ad.jp> wrote: > I have one quick question about CDS/CDNSKEY: what's the (or "an") > expected operation for the parent to remove a DS RR of a child that > was obsolete and is now removed from the child zone? > > This point is not clear to me on a quick rescan of > draft-ietf-dnsop-delegation-trust-maintainance-02. > > According to Section 3: > > The CDS / CDNSKEY record is published in the child zone and gives the > child control of what is published for it in the parental zone. The > CDS / CDNSKEY RRset expresses what the child would like the DS RRset > to look like after the change; [...] > > it could read the child would remove the CDS or CDSKEY for the > now-removed DNSKEY, but it may contradict Section 4.1: > > Absence of CDS / CDNSKEY in child signals "No change" to the current > DS set. > > (BTW: this sentence is a bit ambiguous to me. Does this mean there's > no CDS/CDNSKEY RR for the apex name, or the absence of CDS/CDNSKEY for > a specific DNSKEY?) Hmmm... What we were trying to say is that the parent publishes verbatim what the child says. So, lets say that at time T things look like this: Parent: example.com. 300 IN DS 31589 8 1 123456..... Child: example.com. 300 IN CDS 31589 8 1 123456...... [ The parent and child are in sync ] At time T+1 the child decides to perform a key rollover, so they generate a new DNSKEY, compute the DS, etc. Parent: example.com. 300 IN DS 31589 8 1 123456..... Child: example.com. 300 IN CDS 31589 8 1 123456...... example.com. 300 IN CDS 31589 8 1 789ABC...... [ The parent still has not updated yet ] At time T+2 the parent performs the CDS action (either they polled, or the person operating the child logged onto the web interface and clicked a button): The parent sees that what the child has published does not match with the parent currently has, and so the parent copies the contents from the child. Now things look like: Parent: example.com. 300 IN DS 31589 8 1 123456...... example.com. 300 IN DS 31589 8 1 789ABC...... Child: example.com. 300 IN CDS 31589 8 1 123456...... example.com. 300 IN CDS 31589 8 1 789ABC...... [ The parent and child are now in sync / agreement again ] At time T+3 the child sees that the parent has published the new key information ( and the standard keyroll stuff has all happened (records are signed with new key, waited for old TTLs to expire, etc)) and so wants to remove the old key. ** This is, as far as I understand, what you were asking about) The child now publishes just the new key info. They stop publishing the old one. Parent: example.com. 300 IN DS 31589 8 1 123456...... example.com. 300 IN DS 31589 8 1 789ABC...... Child: example.com. 300 IN CDS 31589 8 1 789ABC...... [ Child is only publishing new record / they stop publishing the old one ] At time T+4 the parent checks agin (it polls, the human clicks the button on the web page, some other trigger happens, etc): It sees that what the child has published does not match what the parent currently has, and so it copies the contents from the child. Parent: example.com. 300 IN DS 31589 8 1 789ABC...... Child: example.com. 300 IN CDS 31589 8 1 789ABC...... [ The child and parent are back in sync. The old key (123456...) is no longer in use anywhere. ] The CDS RR set says, in effect, "Please replace *all* of the key information for me with *this* set of info." > > and also Section 5: > > When the Parent DS is "in-sync" with the CDS, the Child DNS Operator > MAY delete the CDS RRset. > > i.e., if the child may delete a CDS for a new DNSKEY after > synchronization, clearly it cannot use the removal of CDS as an > indication of the removal of DNSKEY. It at any point during this process the parent contacts the child and does NOT find any CDS records, it simply does nothing. This means that you can use this to update / replace / remove existing DS records (if you have keys A, B, C and D and want to stop using C, you simply publish A, B, D), but you cannot remove *all* DS records / go unsigned. > > Am I missing some part of the draft that answers my question, or is > this actually out of scope of CDS/CDNSKEY? I think that it in in the draft, but we need to be clearer that the CDS/CDNSKEY *RRset* that the child publishes should be published in the parent exactly (after transforming DNSKEYs to DS if needed). This isn't a "please add record X" or "please remove record Y", it is "Please publish this *list*" We specifically want to remove the need for the parent to maintain state, etc. > > p.s. apologize in advance this was already discussed; I don't remember > all previous discussions of the proposal. Me neither! :-) W > > -- > JINMEI, Tatuya > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] how to delete obsolete DS for obsolete DN… 神明達哉
- Re: [DNSOP] how to delete obsolete DS for obsolet… Warren Kumari
- Re: [DNSOP] how to delete obsolete DS for obsolet… Tony Finch
- Re: [DNSOP] how to delete obsolete DS for obsolet… 神明達哉
- Re: [DNSOP] how to delete obsolete DS for obsolet… Doug Barton
- Re: [DNSOP] how to delete obsolete DS for obsolet… Warren Kumari
- Re: [DNSOP] how to delete obsolete DS for obsolet… Doug Barton
- Re: [DNSOP] how to delete obsolete DS for obsolet… Olafur Gudmundsson
- [DNSOP] DNSKEY Flags vs. CDS/CDNSKEY Mukund Sivaraman
- Re: [DNSOP] how to delete obsolete DS for obsolet… Warren Kumari
- Re: [DNSOP] DNSKEY Flags vs. CDS/CDNSKEY Joe Abley
- Re: [DNSOP] how to delete obsolete DS for obsolet… Joe Abley
- Re: [DNSOP] how to delete obsolete DS for obsolet… Warren Kumari
- Re: [DNSOP] how to delete obsolete DS for obsolet… Joe Abley
- Re: [DNSOP] DNSKEY Flags vs. CDS/CDNSKEY Paul Wouters
- Re: [DNSOP] DNSKEY Flags vs. CDS/CDNSKEY Olafur Gudmundsson
- Re: [DNSOP] how to delete obsolete DS for obsolet… JINMEI Tatuya / 神明達哉
- Re: [DNSOP] how to delete obsolete DS for obsolet… JINMEI Tatuya / 神明達哉