Re: [DNSOP] fragile dnssec, was Fwd: New Version

Matthew Pounsett <matt@conundrum.com> Thu, 17 August 2017 11:33 UTC


On 16 August 2017 at 19:09, John Levine <johnl@taugh.com> wrote:

> In article <20170816071920.BA2C98287EA4@rock.dv.isc.org> you write:
> >> A colleague says "If TLDs allowed UPDATE messages to be processed most
> >> of the issues with DNSSEC would go away. At the moment we have a whole
> >> series of kludges because people are scared of signed update messages."
>
> Someone is wildly overoptimistic.
>
> The problem I run into over and over again is that I run someone's DNS
> and other services, but I am not the registrant and I am not the
> registrar, I just run the DNS.  Either I have to walk the registrant
> through the process of installing DNSSEC keys, or she has to give me
> her registrar account password, neither of which scales.  Slightly
> more automatic processing of updates for which I do not have the
> credentials will not help.
>
>
Have a look at:
<https://datatracker.ietf.org/doc/draft-ietf-regext-dnsoperator-to-rrr-protocol/>

It allows a registrar (or a registry in some ccTLD environments) to do
CDS/CDNSKEY without having to constantly scan their registrants' name
servers, and provides some advice on how to safely bootstrap DNSSEC using
CDS/CDNSKEY.

There's currently a registrar implementation at Gandi, enabled for the TLDs
for which they do DNSSEC (I believe it's beta, so you have to speak to
their support to find the API URI), and registry implementations at CIRA
(.ca) and APNIC (for their reverse zones).  The CZ.NIC folks have also
started building it into Fred, their open source registry software.

There are a few more changes the draft will go through before it's ready
for last call, but the API it describes should remain largely unchanged
from this point onward.
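As an added example for this thread (not code from the draft, nor from the Gandi, CIRA, APNIC or FRED implementations mentioned above), this is the parent-side check a registrar or registry performs before acting on a child's CDS record: derive the DS from each DNSKEY the child publishes, accept the CDS only if it matches one of them, and recognise the RFC 8078 "delete" sentinel used when DNSSEC is being turned off. It assumes digest type 2 (SHA-256) only, and the DNSKEY is constructed sample data, not a real key.

```python
"""Parent-side CDS check: example code for this thread, not from the draft
or from any registry/registrar implementation named in it. Implements the
DS digest (RFC 4034 5.1.4, SHA-256 digest type 2 only), the key tag
(RFC 4034 Appendix B) and the RFC 8078 'delete' sentinel. Sample data is
constructed."""
import base64
import hashlib

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase, uncompressed) wire form."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(presentation: str) -> bytes:
    """'flags protocol algorithm base64' -> DNSKEY RDATA bytes."""
    flags, proto, alg, key = presentation.split(None, 3)
    return (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode("".join(key.split())))

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner: str, dnskey: str) -> str:
    """DS RDATA (digest type 2) in presentation form for one DNSKEY."""
    rdata = dnskey_rdata(dnskey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest.upper()}"

def classify_cds(owner: str, cds: str, dnskeys: list) -> str:
    """'delete' for the RFC 8078 sentinel, 'match' if the CDS equals the DS
    of a published DNSKEY, else 'mismatch' (the parent must not act on it)."""
    fields = cds.split()
    if fields == ["0", "0", "0", "00"]:
        return "delete"
    published = {ds_from_dnskey(owner, k) for k in dnskeys}
    return "match" if " ".join(fields).upper() in published else "mismatch"

# Constructed sample: KSK-flagged (257) Ed25519 (alg 15) DNSKEY for example.com.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 15 " + base64.b64encode(
    b"constructed-example-key-32-bytes").decode()
```

In a real deployment the parent additionally checks that the CDS/CDNSKEY RRset validates under the existing chain of trust (or the draft's bootstrap rules) before publishing the new DS.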