Re: [DNSOP] pushing updates to the parent
Paul Wouters <paul@nohats.ca> Sat, 08 March 2014 11:14 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3D351A012A for <dnsop@ietfa.amsl.com>; Sat, 8 Mar 2014 03:14:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.547
X-Spam-Level:
X-Spam-Status: No, score=-2.547 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KpFry8_JrBl4 for <dnsop@ietfa.amsl.com>; Sat, 8 Mar 2014 03:14:23 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by ietfa.amsl.com (Postfix) with ESMTP id 1325A1A00E8 for <dnsop@ietf.org>; Sat, 8 Mar 2014 03:14:23 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 8C29E800AF; Sat, 8 Mar 2014 06:14:17 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1394277257; bh=oLnbvSy21/z7BdPztM7wMQy/icNRkmlr9r8tFKxOIrs=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=rhQ46W/dsXoU82XdK7lOxpyOsv1r9QoGEbF19UWZpRCZVymzG1lnv71/HRUTfrJG5 9Va3D2ILRbxxXJm1tl/LncyVvGgGCxCFLMhGyusWC9ZvOKK2zelDyXpbqEY6mhB8pu NHGb1xUcgpiPMMpggvnD+Tf5pHiS31Q7JHuqoJBk=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id s28BEH9E025897; Sat, 8 Mar 2014 06:14:17 -0500
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Sat, 08 Mar 2014 06:14:17 -0500
From: Paul Wouters <paul@nohats.ca>
To: Mark Andrews <marka@isc.org>
In-Reply-To: <20140308055348.7E50010CFAA9@rock.dv.isc.org>
Message-ID: <alpine.LFD.2.10.1403080550530.24909@bofh.nohats.ca>
References: <20140307100524.2F42810CD58F@rock.dv.isc.org> <3E0DC692-7BA0-4672-BB10-82B854BB69CE@hopcount.ca> <alpine.LSU.2.00.1403071025270.19416@hermes-1.csi.cam.ac.uk> <8C184518-2A56-42B6-BD63-3E50F8126664@hopcount.ca> <20140308055348.7E50010CFAA9@rock.dv.isc.org>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/BxsZyfYsbgsonv3UtneAww4C4JA
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] pushing updates to the parent
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Mar 2014 11:14:27 -0000
On Sat, 8 Mar 2014, Mark Andrews wrote: > Our audience should be the CPE developer with the one "turn on > DNSSEC" button which generates the keys, signs the zone, pushes > keys upstream at the right time. It has a username/password field > for zones where it is not automatically installing KEY records as > part of the automatic delegation process. Buy router. Configure DNS. CPE uploads DS record. I forget my password, factory default the firmware, configure DNS, attempt to upload a new DS record. Either: a) authentication fails and my domain remains broken b) it works, meaning any CPE compromise will lead to massive DNSSEC circumvention. Neither are desirable, and why people wanted the update systems to be bootstrapped externally and did not want to allow the update mechanism to change the security status of zones. > The second audience is the DNSSEC Key management tool developer which > has a policy file which says "roll the key for this zone monthly/yearly" > and just ensures it happens. This works with any of the proposals, once you boostrap via EPP. I don't know many people who want to bypass the bootstrap. > nsupdate is how one does it today because the other bits of software > that will use the method have not yet been written because we (the > IETF) haven't provided them with a full standardised solution which > works everywhere. I think we have. But registrars don't provide a unified method for updating that information to _their_ customers. They could easilly setup their own EPP channel to talk to their registrants and avoid using custom website GUIs. Some, like gkg.net, provide nice and simple JSON API's, but the location and format is not standarised (but could easilly be if registrars want that). ICANN did well in enforcing the location for registrant facing services like WHOIS for the new GTLDs. Perhaps it can extend this for other registrant-facing services like DS update. Using EPP here would make a lot of sense. > nsupdate is the proof of concept tool. It is the fill the gap tool > until the others are written. It is the fix it tool. nsupdate can never fix the bootstrap. The initial authorization that allows signed zone content to be trusted by the registrar to make domain registry modifications but involve a human. > However in all cases we have RRR and non-RRR managed zone and the tools > need to work with all of them. The initial bootstrap problem is the same for RRR and non-RRR, unless parent and child are under teh same administratiev control, in which case it should already be handled. (A previous DNS signer product I worked on fully automated rollovers if parent and child were managed by it) > We also have nameservers that are being renumbered that need to > push new glue records for themselves to the parent zones. This > will happen with both signed and unsigned zones and their is no > "scraping" solution that works for this senario. You still need an authorization step there for the RRR case. I believe, and I think the WG concensus was the same, that the best way for that authorization step was to use out of band EPP using the KSK. In other words, once you get the KSK at the registrar, you can use signed records within your zone for signaling without requiring another set of credentials. nsupdate requires a new set of credentials, as well as a new API as to where to send the nsupdate to, possibly with new firewall holes. It requires dynamic zones or custom software pretending to run dynamic zones to take the update. The domain owner would need to keep another secret on their "live nsupdate machine" apart from the private KSK key. Using zone data for signaling also works for the non-RRR use cases. These were all reasons for the WG to agree on signed zone content as an authorization method for parent updates. Paul
- [DNSOP] CPE devices doing DNSSEC Mark Andrews
- Re: [DNSOP] CPE devices doing DNSSEC Joe Abley
- Re: [DNSOP] pushing updates to the parent Tony Finch
- Re: [DNSOP] pushing updates to the parent Joe Abley
- Re: [DNSOP] CPE devices doing DNSSEC Paul Hoffman
- Re: [DNSOP] pushing updates to the parent Mark Andrews
- Re: [DNSOP] CPE devices doing DNSSEC Mark Andrews
- Re: [DNSOP] pushing updates to the parent Paul Wouters
- Re: [DNSOP] CPE devices doing DNSSEC Jim Reid
- Re: [DNSOP] CPE devices doing DNSSEC Patrik Fältström
- Re: [DNSOP] CPE devices doing DNSSEC Patrik Fältström
- Re: [DNSOP] CPE devices doing DNSSEC Patrik Wallstrom
- Re: [DNSOP] CPE devices doing DNSSEC Patrik Fältström
- Re: [DNSOP] CPE devices doing DNSSEC Patrik Wallstrom
- Re: [DNSOP] CPE devices doing DNSSEC Patrik Fältström
- Re: [DNSOP] CPE devices doing DNSSEC Patrik Fältström
- Re: [DNSOP] CPE devices doing DNSSEC Patrick Mevzek
- Re: [DNSOP] CPE devices doing DNSSEC Patrick Mevzek
- Re: [DNSOP] pushing updates to the parent Mark Andrews
- Re: [DNSOP] pushing updates to the parent Paul Wouters