Re: [DNSOP] signalling mandatory DNSSEC in the parent zone

Ulrich Wisser <ulrich@wisser.se> Tue, 02 March 2021 13:16 UTC

Return-Path: <ulrich@wisser.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3CC83A17CD for <dnsop@ietfa.amsl.com>; Tue, 2 Mar 2021 05:16:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wisser.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6-NP5yFJfIXb for <dnsop@ietfa.amsl.com>; Tue, 2 Mar 2021 05:16:11 -0800 (PST)
Received: from mout-p-202.mailbox.org (mout-p-202.mailbox.org [IPv6:2001:67c:2050::465:202]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5088C3A17CC for <dnsop@ietf.org>; Tue, 2 Mar 2021 05:16:10 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4Dqd1M5RrYzQj4q; Tue, 2 Mar 2021 14:16:07 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wisser.se; s=MBO0001; t=1614690965; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rPx0ykBT56T1QZQaTsrSy3ft/ypDP8Ojzv2XhYdmxDU=; b=dL6njfqPFd/jliqB1MSA3KMLZ6b0sKw6s8gWMyDScwEUbiMR0qYPdjKr/ZZKilEqN4t/ZO cucGVo8qe6xfN27PRJRl7f7fap67vGkh5uFKQXDn11JN5Qnsbb7BMRTWJ7GA5vN1/2znDv 0btgq4OUXB/ZkXuDFbLNenorYr/BgGOQlSQ8LVQut4HFwTb3M8aF2kG93GUrKHcPksZ9On TW2nDMS3unuf/TkrKHaLOup0Ws9O6KU65MXCELi1/aywyMvJBDOa82elplAZSlmBLsjijM ZD2bbrfmGreT+FC9hPepfd66Igt/bfFedxtseIP7MSd2Ty46AruW3qbzj3Lqsw==
Received: from smtp1.mailbox.org ([80.241.60.240]) by hefe.heinlein-support.de (hefe.heinlein-support.de [91.198.250.172]) (amavisd-new, port 10030) with ESMTP id pdUAHre4DC8X; Tue, 2 Mar 2021 14:16:02 +0100 (CET)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0
From: Ulrich Wisser <ulrich@wisser.se>
In-Reply-To: <430E9927-D129-4872-BC1D-BF1F8E924B63@isc.org>
Date: Tue, 2 Mar 2021 14:16:00 +0100
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <9A903D5A-7F39-4C29-AA66-973E4EC8BB6D@wisser.se>
References: <20210301.205459.413147497474184552.he@uninett.no> <DE24E067-C0D3-4E26-B7FB-EF8311AE5E0A@isc.org> <5D1D786F-216A-4AD3-840E-CAFE5CA49B6C@wisser.se> <4577DCF6-9D72-4D46-90DD-F289F112E639@isc.org> <0FD37A06-9DD4-46EB-BBB9-C480155CC9F1@wisser.se> <430E9927-D129-4872-BC1D-BF1F8E924B63@isc.org>
To: Mark Andrews <marka@isc.org>
X-MBO-SPAM-Probability:
X-Rspamd-Score: -6.17 / 15.00 / 15.00
X-Rspamd-Queue-Id: 6BE63186F
X-Rspamd-UID: 2cc1fe
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CKAu5A6P-50VA3cWi_466bMPm04>
Subject: Re: [DNSOP] signalling mandatory DNSSEC in the parent zone
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 13:16:14 -0000


> On 2 Mar 2021, at 13:46, Mark Andrews <marka@isc.org> wrote:
> 
> 
>> On 2 Mar 2021, at 23:06, Ulrich Wisser <ulrich@wisser.se> wrote:
>> 
>> 
>> 
>>> On 2 Mar 2021, at 12:55, Mark Andrews <marka@isc.org> wrote:
>>> 
>>> 
>>> 
>>>> On 2 Mar 2021, at 22:52, Ulrich Wisser <ulrich@wisser.se> wrote:
>>>> 
>>>> @Håvard No, that isn’t sufficient. A resolver could have the old DNSKEY set in cache but get signatures from the new servers. This can be solved by cross signing the ZSK -> put the ZSK of the other provider in the respective DNSKEY set, no need to exchange private keys, only the DNSKEY records. Then you will always have a validation path.
>>>> 
>>>> @Mark, that is exactly what I am talking about, a forced algorithm change can only work, when both operators cooperate and if we insist on lax-validation. We need both!
>>> 
>>> It doesn’t even work then as there the signatures of the non DNSKEY records are of the wrong algorithm.
>> 
>> Why would the signatures of the non DNSKEY RRset need to be of the same algorithm as the KSK?
>> Lax-validation says that “any validation path” should be accepted. 
>> 
>> example.com. DS 123 8 2 xxx
>> 
>> example.com. DNSKEY 257 3 8 xxx
>> Example.com. DNSKEY 256 3 8 yyy
>> example.com. DNSKEY 256 3 13 zzz
>> example.com. RRSIG DNSKEY 8 …
>> 
>> www.example.com. TXT “example”
>> www.example.com. RRSIG TXT 13 …
>> 
>> In my eyes there is a clear validation path to the www rr.
> 
> It leads to bogus in a server that *only* support algorithm 8 because THERE IS NOT AN RRSIG OF WITH ALGORITHM 8 

I understand that RRSIGs are missing, but what does “bogus in a server” mean? 

> 
>>>> Cooperation is of course another problem.There is no incentive for the “losing” operator to cooperate. And because today moving a secure domain is a complex manual task, no-one is interested in helping out. We could make this much easier with the right support in protocol and software. Shumon and I will talk on this next week.
>>>> 
>>>> /Ulrich
>>>> 
>>>> 
>>>>> On 1 Mar 2021, at 20:58, Mark Andrews <marka@isc.org> wrote:
>>>>> 
>>>>> Throw a forced algorithm change in on top where neither provider is willing to sign with the other providers algorithm. 
>>>>> 
>>>>> -- 
>>>>> Mark Andrews
>>>>> 
>>>>>> On 2 Mar 2021, at 06:55, Havard Eidnes <he=40uninett.no@dmarc.ietf.org> wrote:
>>>>>> 
>>>>>> 
>>>>>>> 
>>>>>>> - Switching providers while staying secure requires
>>>>>>> inter-provider cooperation, including publishing ZSKs from
>>>>>>> both providers in the DNSKEY RRSET served by both providers.
>>>>>> 
>>>>>> What?
>>>>>> 
>>>>>> Maybe I just don't understand the context or conditions here, but
>>>>>> ...
>>>>>> 
>>>>>> Isn't it possible to stand up a new signing and publishing setup
>>>>>> with new ZSKs and new KSKs, and have both the old DS record
>>>>>> pointing to the old setup's KSK and a new DS record pointing to
>>>>>> the KSK of the new setup registered in the parent zone, and then
>>>>>> change the actual delegation (NS records), while still retaining
>>>>>> both the two DS records for a while until the data from the old
>>>>>> setup has timed out?
>>>>>> 
>>>>>> There is then no need to share the secret part of the KSKs or the
>>>>>> ZSKs between the old and the new providers, or to include both
>>>>>> the new and the old ZSKs in the zone.
>>>>>> 
>>>>>> Regards,
>>>>>> 
>>>>>> - Håvard
>>>>>> 
>>>>>> _______________________________________________
>>>>>> DNSOP mailing list
>>>>>> DNSOP@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>>> 
>>>>> _______________________________________________
>>>>> DNSOP mailing list
>>>>> DNSOP@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>> 
>>> 
>>> -- 
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>>> 
>> 
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>