Re: [DNSOP] RFC 6781 and double signature KSK rollover
Matthijs Mekking <matthijs@pletterpet.nl> Tue, 25 October 2016 10:35 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A90F1294AA for <dnsop@ietfa.amsl.com>; Tue, 25 Oct 2016 03:35:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MwZtQ8PwclGB for <dnsop@ietfa.amsl.com>; Tue, 25 Oct 2016 03:35:04 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E66012945B for <dnsop@ietf.org>; Tue, 25 Oct 2016 03:35:03 -0700 (PDT)
Received: from [193.0.27.110] (dhcp-27-110.ripemtg.ripe.net [193.0.27.110]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id A2FDCD06C; Tue, 25 Oct 2016 12:35:00 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=pletterpet.nl
To: Marcos Sanz <sanz@denic.de>, "dnsop@ietf.org" <dnsop@ietf.org>
References: <OF5B3B3222.83E22422-ONC1258056.00536355-C1258056.0056B9D8@notes.denic.de>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <d8285e11-9d99-227d-e0cd-0210abdf431a@pletterpet.nl>
Date: Tue, 25 Oct 2016 12:34:57 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <OF5B3B3222.83E22422-ONC1258056.00536355-C1258056.0056B9D8@notes.denic.de>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FRk7cA0v5KgHuQvXLV3Jh4fOtpo>
Subject: Re: [DNSOP] RFC 6781 and double signature KSK rollover
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Oct 2016 10:35:08 -0000
Hi Marco, On 24-10-16 17:47, Marcos Sanz wrote: > Hi all, > > my attention has been brought to the KSK rollover double-signature style > described in 6781 and what I think is a mistake/oblivion there. Section > 4.1.2 states > >> initial: Initial version of the zone. The parental DS points to >> DNSKEY_K_1. Before the rollover starts, the child will have to >> verify what the TTL is of the DS RR that points to DNSKEY_K_1 -- >> it is needed during the rollover, and we refer to the value as >> TTL_DS. >> >> new DNSKEY: During the "new DNSKEY" phase, the zone administrator >> generates a second KSK, DNSKEY_K_2. The key is provided to the >> parent, and the child will have to wait until a new DS RR has been >> generated that points to DNSKEY_K_2. After that DS RR has been >> published on all servers authoritative for the parent's zone, the >> zone administrator has to wait at least TTL_DS to make sure that >> the old DS RR has expired from caches. >> >> DS change: The parent replaces DS_K_1 with DS_K_2. > > In that description it looks as if the only relevant TTL during the > rollover is that of the old DS RR. In my eyes though, the replacement of > the DS at the parent shouldn't happen before having waited at least the > TTL of DNSKEY_K_1 itself. Otherwise validation errors might occur > (mismatch between a cached DNSKEY_K_1 and the DS_K_2 at the parent). You are right: DS_K_2 may only be provided to the parent *after* the TTL of DNSKEY_K_1 has passed. RFC 7583 has more accurate timings for rollovers. The corresponding timeline is described in section 3.3.1. Best regards, Matthijs > > I've seen TLDs doing their KSK rollover the way I describe (so it looks as > it is standard operational practice), but the RFC doesn't reflect that. > There are no errata filed for the RFC so far either. > > Any thoughts on that? > > Best, > Marcos > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] RFC 6781 and double signature KSK rollover Marcos Sanz
- Re: [DNSOP] RFC 6781 and double signature KSK rol… Matthijs Mekking
- Re: [DNSOP] RFC 6781 and double signature KSK rol… Marc Groeneweg
- Re: [DNSOP] RFC 6781 and double signature KSK rol… Marcos Sanz
- Re: [DNSOP] RFC 6781 and double signature KSK rol… Marcos Sanz
- Re: [DNSOP] RFC 6781 and double signature KSK rol… Matthijs Mekking
- Re: [DNSOP] RFC 6781 and double signature KSK rol… tjw ietf