Re: [DNSOP] Updated KSK Sentinel document

Warren Kumari <warren@kumari.net> Tue, 13 February 2018 19:02 UTC

In-Reply-To: <DBD75FF7-8208-4DFD-B77B-D67680C6F908@verisign.com>
References: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com> <CA+nkc8AeY2+Azw7Rk-y4s5Gfp=amYZNiN=_kxtetgS9s8kcEYg@mail.gmail.com> <DBD75FF7-8208-4DFD-B77B-D67680C6F908@verisign.com>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 13 Feb 2018 14:02:12 -0500
Message-ID: <CAHw9_iLBsAjF1eUG2K=jVbf4uNct65YdiQXSzUCG+Oq=e81FcA@mail.gmail.com>
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: Bob Harold <rharolde@umich.edu>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/E5tnQBbCtmKOfQTpzmQOFZKddbA>

On Tue, Feb 13, 2018 at 1:49 PM, Wessels, Duane <dwessels@verisign.com> wrote:
>
>> On Feb 13, 2018, at 9:10 AM, Bob Harold <rharolde@umich.edu> wrote:
>>
>> If an entry could be put in the root zone, that is signed only with the new key, then could users query that and always get a yes/no answer to whether they will be affected?
>
> This doesn't work because when the new key is published in the zone (and signed by the old key, as it must be),

Yup - this is the critical bit -- a number of us keep going down the
"Oooh! This is easy, we just publish Im-only-signed-with-2222. in the
root, and then people who cannot resolve that know that they don't
have 2222". And then killjoys like yourself point out that DNSSEC
doesn't actually work like that.... :-)

W

>then the new key becomes trusted by the validator.  Thus, there is still a valid chain-of-trust to those records for those with only the old TA.
>
> DW
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
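The point Duane makes above (a record signed only with the new key still validates for a resolver that has only the old trust anchor, because the new key sits in a DNSKEY RRset that the old key signs) is easy to see in a toy validator. The following is an added example, not code from the thread or from the KSK sentinel draft: RRSIGs are stood in for by HMAC tags, the "public key" is just the key tag, and the tags 1111 (old KSK) and 2222 (new KSK) are placeholders rather than real root key tags. It also runs the post-rollover case, where the old key is gone, to show the real breakage the sentinel was meant to predict.

```python
"""Toy model of the DNSSEC chain-of-trust rule that defeats a
'record signed only with the new KSK' sentinel.

Constructed example: HMAC tags stand in for RRSIGs, a key's tag stands in
for its public key, and tags 1111/2222 are placeholders, not real root KSKs.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Key:
    tag: int
    secret: bytes  # stand-in for the private key; the tag is the public handle


@dataclass
class RRset:
    name: str
    rrtype: str
    rdata: tuple
    sigs: dict = field(default_factory=dict)  # signing key tag -> "RRSIG"

    def canonical(self) -> bytes:
        # Canonical form the signature covers (owner, type, sorted rdata).
        return f"{self.name}|{self.rrtype}|{'|'.join(sorted(self.rdata))}".encode()


def sign(rrset: RRset, key: Key) -> None:
    rrset.sigs[key.tag] = hmac.new(key.secret, rrset.canonical(), hashlib.sha256).digest()


def verify(rrset: RRset, key: Key) -> bool:
    sig = rrset.sigs.get(key.tag)
    expected = hmac.new(key.secret, rrset.canonical(), hashlib.sha256).digest()
    return sig is not None and hmac.compare_digest(sig, expected)


def validate(trust_anchors: set, dnskey: RRset, keys_by_tag: dict, target: RRset) -> bool:
    """RFC 4035-style check, simplified: the apex DNSKEY RRset is secure if it
    contains a trust-anchor key and is signed by that key; once it is secure,
    EVERY key it publishes is trusted to sign other RRsets in the zone."""
    published = {int(t) for t in dnskey.rdata}
    anchored = [t for t in trust_anchors
                if t in published and t in keys_by_tag and verify(dnskey, keys_by_tag[t])]
    if not anchored:
        return False  # no chain from a trust anchor: bogus
    return any(tag in published and tag in keys_by_tag and verify(target, keys_by_tag[tag])
               for tag in target.sigs)


OLD = Key(1111, b"old-ksk-secret-placeholder")
NEW = Key(2222, b"new-ksk-secret-placeholder")
KEYS = {k.tag: k for k in (OLD, NEW)}


def sentinel_outcomes() -> dict:
    """Pre-rollover: both KSKs published, DNSKEY RRset signed by the old key
    (and by the new one, as in a double-signature rollover). The 'sentinel'
    record is signed only with the new key."""
    dnskey = RRset(".", "DNSKEY", ("1111", "2222"))
    sign(dnskey, OLD)
    sign(dnskey, NEW)

    sentinel = RRset("im-only-signed-with-2222.", "TXT", ("constructed sentinel",))
    sign(sentinel, NEW)

    return {
        "old_ta_only": validate({1111}, dnskey, KEYS, sentinel),
        "new_ta_only": validate({2222}, dnskey, KEYS, sentinel),
        "both_tas": validate({1111, 2222}, dnskey, KEYS, sentinel),
    }


def post_rollover_outcomes() -> dict:
    """After the old key is withdrawn the DNSKEY RRset carries only the new key.
    Now a resolver with only the old TA has no chain at all, even for ordinary data."""
    dnskey = RRset(".", "DNSKEY", ("2222",))
    sign(dnskey, NEW)

    soa = RRset(".", "SOA", ("constructed soa rdata",))
    sign(soa, NEW)

    return {
        "old_ta_only": validate({1111}, dnskey, KEYS, soa),
        "new_ta_only": validate({2222}, dnskey, KEYS, soa),
    }


if __name__ == "__main__":
    print("sentinel, pre-rollover :", sentinel_outcomes())
    print("ordinary, post-rollover:", post_rollover_outcomes())
```

Every resolver, whichever anchor it holds, validates the sentinel in the pre-rollover state, so the record carries no signal; only in the post-rollover state does the old-anchor resolver fail, which is exactly the outcome an operator wanted to learn about beforehand. That is why a sentinel has to rely on something other than which key signed a record in the zone.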