[DNSOP] Updated KSK Sentinel document

Warren Kumari <warren@kumari.net> Mon, 12 February 2018 20:29 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AT0l9E1HX9fANC9Ipy2fmeJUXlM>

<author hat only>

Hi all,

Sorry it has taken so long to get a new version of this document
posted - you deserve better.

Anyway, we've finally posted an updated version -

This version includes a (hopefully easily understood) description of
how this would actually be used, and not just "here's a protocol, k,
thnx, bye!". I've tried to lay out what each party does, and how it all
fits together - please let me know if it isn't clear. This section is
towards the top of the document - we will likely make it an Appendix
before publication.

I've also updated it to use the kskroll-sentinel-is-ta-<id> format. It
is easy to change again in the future, but this seemed to be what the
working group liked. I also updated my demo implementation
(http://www.ksk-test.net) to use this naming scheme.

This version also clarifies that the test is "Is the Key ID a DNSSEC
root KSK?" Originally my view was that it should be "Is there *any*
key in the trust store with this keyID?", but after running some
numbers I decided that there is a significant chance of false

As I mentioned, it took an embarrassingly long time to post the update
- please let us know if we missed your comments.

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
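As an added illustration (not code from the draft or from the ksk-test.net demo) of the two points in the mail above: the kskroll-sentinel-is-ta-<id> label format, and why the check is "is this key ID a root KSK?" rather than "is there any key in the trust store with this key ID?". The trust store, the zone names and the key-tag collision on "example." are constructed for the example; the two root tags are the real KSK-2010 (19036) and KSK-2017 (20326) key tags, and the answer-versus-SERVFAIL response follows the sentinel mechanism as the editor understands it, which the mail itself does not restate.

```python
import re
from typing import Dict, Optional, Set

# Constructed resolver trust store: zone -> key tags configured as trust anchors.
# After the roll, only KSK-2017 (20326) remains for the root. The local anchor for
# "example." is a hypothetical one that happens to reuse tag 19036 (KSK-2010's tag).
TRUST_STORE: Dict[str, Set[int]] = {
    ".": {20326},
    "example.": {19036},
}

# Leftmost label of a sentinel query, per the naming scheme in the mail.
# DNS labels are case-insensitive, so match accordingly.
SENTINEL_RE = re.compile(r"^kskroll-sentinel-is-ta-(\d+)$", re.IGNORECASE)


def parse_sentinel_key_tag(qname: str) -> Optional[int]:
    """Return the key tag carried in the leftmost label, or None if not a sentinel name."""
    labels = qname.rstrip(".").split(".")
    m = SENTINEL_RE.match(labels[0])
    if not m:
        return None
    tag = int(m.group(1))
    return tag if 0 <= tag <= 65535 else None  # DNSKEY key tags are 16-bit


def is_root_ksk(tag: int, store: Dict[str, Set[int]]) -> bool:
    """The test the updated draft specifies: is the tag a trust anchor for the root?"""
    return tag in store.get(".", set())


def is_any_trust_anchor(tag: int, store: Dict[str, Set[int]]) -> bool:
    """The earlier, rejected test: does any zone's trust anchor carry this tag?"""
    return any(tag in tags for tags in store.values())


def sentinel_response(qname: str, store: Dict[str, Set[int]]) -> str:
    """Decide how a validating resolver handles a query name.

    'normal'   - not a sentinel name, resolve as usual
    'answer'   - sentinel name whose tag is a root KSK in the trust store
    'servfail' - sentinel name whose tag is not a root KSK
    """
    tag = parse_sentinel_key_tag(qname)
    if tag is None:
        return "normal"
    return "answer" if is_root_ksk(tag, store) else "servfail"
```

With this store, tag 19036 is "any trust anchor" but not a root KSK, so the two tests disagree; that divergence is the false-positive risk the mail alludes to.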