IETF Logo Mail Archive

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

Olafur Gudmundsson <ogud@ogud.com> Tue, 30 June 2015 13:09 UTC

Return-Path: <ogud@ogud.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1136E1A8AA4 for <dnsop@ietfa.amsl.com>; Tue, 30 Jun 2015 06:09:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GllUNvQ2fh5s for <dnsop@ietfa.amsl.com>; Tue, 30 Jun 2015 06:09:45 -0700 (PDT)
Received: from smtp93.iad3a.emailsrvr.com (smtp93.iad3a.emailsrvr.com [173.203.187.93]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2EA71ACECC for <dnsop@ietf.org>; Tue, 30 Jun 2015 06:09:44 -0700 (PDT)
Received: from smtp20.relay.iad3a.emailsrvr.com (localhost.localdomain [127.0.0.1]) by smtp20.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 22760180490; Tue, 30 Jun 2015 09:09:44 -0400 (EDT)
Received: by smtp20.relay.iad3a.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id D8F14180126; Tue, 30 Jun 2015 09:09:42 -0400 (EDT)
X-Sender-Id: ogud@ogud.com
Received: from [10.0.0.26] (c-73-159-10-46.hsd1.ma.comcast.net [73.159.10.46]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:587 (trex/5.4.2); Tue, 30 Jun 2015 13:09:44 GMT
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <alpine.LSU.2.00.1506301341240.3128@hermes-1.csi.cam.ac.uk>
Date: Tue, 30 Jun 2015 09:09:42 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <8D2179D9-9963-4FA6-9EF8-94D80BD52183@ogud.com>
References: <CAHw9_iKmhA+f8QyuLkWeXQDfwprydVaGkR+LVJACGtsTB0+Pfw@mail.gmail.com> <CAN6NTqzTS9TYZ9C3gAkHFjZ_hpH7svnHgZZhhGMff3DVEb62Tw@mail.gmail.com> <alpine.LSU.2.00.1506301341240.3128@hermes-1.csi.cam.ac.uk>
To: Tony Finch <dot@dotat.at>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/HjI9MgwvkMVAeYc9y_9Iys6AmeY>
Cc: Olafur Gudmundsson <olafur@cloudflare.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 13:09:48 -0000

> On Jun 30, 2015, at 8:53 AM, Tony Finch <dot@dotat.at> wrote:
> 
> Olafur Gudmundsson <olafur@cloudflare.com> wrote:
> 
>> There is much simpler way.
>> Just add record to the rootzone that is only signed by the new key.
>> If resolver returns AD bit it has the new key.
> 
> I don't think this works.


> 
> If the new key is published in the root zone's DNSKEY RRset then it will
> be signed by the old key, so a validator will have a trust path from a
> stale trust anchor down to the special record (just like it does for
> records signed by ZSKs).
> 

> If the new key is not published in the root zone, then you are assuming
> that the validator uses DNSKEY records for its trust anchor configuration
> (but some validators use DS records) and that the validator will allow any
> RRset to be signed by the trust anchor (but RFC 4035 section 5 suggests
> only using the trust anchor to validate the apex DNSKEY RRset).
> 

I think it works some of the time i.e. 
if one or more of the following are true 
a) If the trust anchor is maintained by operator and operator saw advertisement and acted upon 
b) if the new key is advertised by 5011 protocol long before it is rolled and then removed 
c) If the New key is advertised via CDNSKEY and is picked up via trust anchor maintenance 
but most importantly: 

d) the Trust anchor is maintained by storing the DNSKEY when possible[*]

So this is not perfect mechanism, will give us an idea how many Validators picked up the new trust anchor 
and then we can start the real propaganda campaign. 

My bullet b) is a change from the root key rollover plan that assumes that new key is added just before it is used. 
I would propose that 5011 advertising  is done multiple times before the rollover and the new key is removed during the ZSK rollover,
to allow testing. 

I do not yet propose what name or record is used for this experiment but having it an “address of an object” would be good as that
enables testing from browsers. (CNAME is just as good as an address) 
 
    Olafur

Ps: based on my quick check of unbound and Bind both store DNSKEY’s,  I do not know how Nomininum, Microsoft and/or DNSMasq store it. Large public resolvers like Google are likely to do this via configuration 

> Tony.
> -- 
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Shannon, Rockall, Malin: South 5 to 7, occasionally gale 8 at first in
> Rockall, decreasing 3 or 4. Moderate or rough, occasionally very rough except
> in Malin. Rain then fog patches. Moderate, occasionally very poor.
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email