Re: [DNSOP] KSK rollover
Mark Andrews <marka@isc.org> Thu, 13 May 2010 23:33 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 257E43A67D6 for <dnsop@core3.amsl.com>; Thu, 13 May 2010 16:33:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.8
X-Spam-Level:
X-Spam-Status: No, score=-0.8 tagged_above=-999 required=5 tests=[AWL=-0.801, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lzxxn9ebNpGX for <dnsop@core3.amsl.com>; Thu, 13 May 2010 16:33:45 -0700 (PDT)
Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5]) by core3.amsl.com (Postfix) with ESMTP id 0334A3A684A for <dnsop@ietf.org>; Thu, 13 May 2010 16:33:43 -0700 (PDT)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified)) by farside.isc.org (Postfix) with ESMTP id 88133EBA87; Thu, 13 May 2010 23:33:30 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id o4DNXO7f088819; Fri, 14 May 2010 09:33:26 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <201005132333.o4DNXO7f088819@drugs.dv.isc.org>
To: George Barwood <george.barwood@blueyonder.co.uk>
From: Mark Andrews <marka@isc.org>
References: <A865F793EED745D2B5F15A33F9467EEA@local> <A8C3C484-690B-49BB-91BC-33C339A29025@blipp.com> <44C21CD9EE514B039EAFEAFA707A2DA1@local>
In-reply-to: Your message of "Thu, 13 May 2010 17:37:42 +0100." <44C21CD9EE514B039EAFEAFA707A2DA1@local>
Date: Fri, 14 May 2010 09:33:24 +1000
Sender: marka@isc.org
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] KSK rollover
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2010 23:33:46 -0000
In message <44C21CD9EE514B039EAFEAFA707A2DA1@local>, "George Barwood" writes: > > ----- Original Message ----- > From: "Patrik Wallstrom" <pawal@blipp.com> > To: "George Barwood" <george.barwood@blueyonder.co.uk> > Cc: <dnsop@ietf.org> > Sent: Thursday, May 13, 2010 9:06 AM > Subject: Re: [DNSOP] KSK rollover > > > > >On May 13, 2010, at 9:56 AM, George Barwood wrote: > > >> I have been thinking about KSK rollover in my DNSSEC implementation, and i > t seems > > that there is currently no specification for KSK rollover within the DNSSE > C protocol. > >> > >> There is this expired requirements draft > >> > >> http://tools.ietf.org/wg/dnsop/draft-ietf-dnsop-key-rollover-requirements/ > >> > >> but that's all I found. > >> > >> Have I missed something? It seems to me that this is a rather vital compon > ent if > >> DNSSEC is to be widely deployed. > >> > >> Are there any plans to revive and/or implement these requirements? > > > You probably want to read the Key Timing Considerations draft: > > http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-02 > > That is certainly relevant to rollover, but it doesn't specify any means by > which the new DS records can be placed in the parent zone. > > http://tools.ietf.org/html/rfc5011 "Automated Updates of DNS Security > (DNSSEC) Trust Anchors" > > has some relevance, but doesn't provide for parent notification, or for > publishing a DS record *before* the key is published in the zone, which > is I think desirable. RFC5011 really isn't applicable to this case. > The mechanism that occurs to me is to have a new RRtype, say "CDS", with > identical format to the DS record, but placed in the child zone ( and > signed by the child zone). The parent, at regular intervals, or on > receiving a notification from the child, would retrieve the contents of > the CDS RRset, and use it as the new DS RRset ( of course after validating > it using the old DS RRset ). There are lots of way to do this. * Use UPDATE to update the delegation records in the parent. This would work today it only requires a willingness to do so. This can be done securely (TSIG) and will scale. UPDATE was designed to support this. * Try to guess which keys should have DS's based on SEP bits. * Use a different RR type (DLV does this). poll/notify to incorporate. (Ed the daily delegation check could do this. :-)) * Use some epp extension. * Use a modified UPDATE which accepts and forwards to the registrar for inclusion in the zone rather than immediately updates the zone. When a registrar is not involved it is handled as a plain UPDATE. * .... > There probably needs to be consideration of how the system can recover after > a KSK is compromised, maybe there should be some minimum time interval > before a new DS record is fully trusted. I have not thought that through. > > Well, that's just my immediate thoughts, there may be a better way. > > I'm somewhat puzzled that thre is no specification, and apparently no > activity on this. There is plenty of activity. Most of it has been people looking at how to fit this into the registry/registrar model and worries about patent infringement that are claimed to have been filed for some of the above. I doubt that any thing we do in this area is truly novel but the USPO grants patents on such trivial things that its become a issue. Mark > KSK rollover is probably a fairly rare event (maybe once every few years), so > possibly the feeling is that manual procedures will be sufficient. I think a > standardized, automated in-protocol mechanism would be advisable though. > Maybe I'm wrong. > > Best regards, > George -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] KSK rollover George Barwood
- Re: [DNSOP] KSK rollover Patrik Wallstrom
- Re: [DNSOP] KSK rollover George Barwood
- Re: [DNSOP] KSK rollover Evan Hunt
- Re: [DNSOP] KSK rollover Edward Lewis
- Re: [DNSOP] KSK rollover Mark Andrews
- Re: [DNSOP] KSK rollover Joe Abley
- Re: [DNSOP] KSK rollover Joe Abley
- Re: [DNSOP] KSK rollover Mark Andrews
- Re: [DNSOP] KSK rollover Joe Abley
- Re: [DNSOP] KSK rollover Mark Andrews
- Re: [DNSOP] KSK rollover George Barwood
- Re: [DNSOP] KSK rollover Chris Thompson
- Re: [DNSOP] KSK rollover George Barwood