Re: [DNSOP] The DNSSEC club and surprises (was Re: New draft: Algorithm Negotiation in DNSSEC)

Warren Kumari <warren@kumari.net> Fri, 21 July 2017 11:47 UTC

In-Reply-To: <alpine.DEB.2.11.1707211229310.4413@grey.csi.cam.ac.uk>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CAN6NTqwi62xGtLnjNtV-CDCBKBV1TVEsCjbGUvtf_nxmcZEapw@mail.gmail.com> <CAHPuVdWisdPS3ezBsGSyX7Uh7Yw3HHcTaHHz3y9xA+Fow7G4Yw@mail.gmail.com> <20170720150809.qv6nbwsite7icu45@mx4.yitter.info> <alpine.DEB.2.11.1707211229310.4413@grey.csi.cam.ac.uk>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 21 Jul 2017 13:46:58 +0200
Message-ID: <CAHw9_iKnXzXp6RDx+H8Ui5FUdpVjWzbnNJb-Y9+EjEaJEEKP7A@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Andrew Sullivan <ajs@anvilwalrusden.com>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IfZiLqZQ-N-F7JfckAEN1T8ib04>
Subject: Re: [DNSOP] The DNSSEC club and surprises (was Re: New draft: Algorithm Negotiation in DNSSEC)

On Fri, Jul 21, 2017 at 1:36 PM, Tony Finch <dot@dotat.at> wrote:
> Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
>>
>> For instance, people also express astonishment that DNSKEYs don't
>> expire.  Everyone always has to be reminded that signatures expire, and
>> if you want to expire keys you take them out of the zone.
>
> I agree with your message.
>
> It might be useful to explain this DNSKEY oddity by comparison with x.509
> certificates. In particular, it's the cert that expires, not the key, and
> when you renew a cert you can re-use the same key.


Yeah, you *can* reuse the same key, but (I suspect) most don't -- from
what I've seen, the general process is:
1: Erk! My cert is about to / has just expired!!!
2: Search for and follow some online recipe related to "make ssl certificate"
3: ????
4: Go back to sleep.

I think (but would be happy to be proven wrong) that most
certificate renewals[0] involve a change of keys too.

W
[0]: Well, "legacy certs", excluding sexy new things like LE / ACME, etc.

>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Portland, Plymouth, North Biscay: Southerly or southwesterly 6 to gale 8
> veering westerly or southwesterly 4 or 5, occasionally 6 later. Moderate or
> rough. Rain or showers. Good, occasionally poor.



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
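The exchange above turns on one DNSSEC fact: an RRSIG carries inception and expiration times, a DNSKEY carries none, so a key stops being usable only when it is removed from the DNSKEY RRset. The following Python script is an added example, not code from this thread or from any of its participants; it parses constructed DNSKEY and RRSIG records in presentation format (RFC 4034 sections 2.2 and 3.2), computes each key's tag per RFC 4034 Appendix B, and classifies each signature as valid, expired, not yet valid, or orphaned (its key tag names a key no longer published in the zone). The zone name `example.test`, the key bytes, the signature blobs and the retired key tag 33333 are all constructed filler, not real keys or data from the thread.

```python
"""Added example: RRSIGs expire by date, DNSKEYs "expire" only by removal.

Parses constructed zone data in presentation format and reports, for each
RRSIG, whether it is inside its validity window and whether the key it
names is still present in the DNSKEY RRset.
"""
import base64
import struct
from datetime import datetime, timezone


def parse_rrsig_time(field):
    """RFC 4034 s3.2: RRSIG times in presentation format are YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def dnskey_key_tag(flags, protocol, algorithm, public_key):
    """RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA.

    The tag is a lookup hint, not an identifier: distinct keys can share one.
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text):
    """Parse DNSKEY and RRSIG lines; other record types are skipped.

    Returns ({key_tag: dnskey}, [rrsig, ...]). RRSIG field order follows
    RFC 4034 s3.2: type covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer name, signature.
    """
    keys, sigs = {}, []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 4 or f[2] != "IN":
            continue
        owner, rtype = f[0], f[3]
        if rtype == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pub = base64.b64decode("".join(f[7:]))
            tag = dnskey_key_tag(flags, proto, alg, pub)
            # No expiration field exists here; presence in the RRset is the lifetime.
            keys[tag] = {"owner": owner, "flags": flags, "algorithm": alg, "key_tag": tag}
        elif rtype == "RRSIG":
            sigs.append({
                "owner": owner,
                "type_covered": f[4],
                "algorithm": int(f[5]),
                "expiration": parse_rrsig_time(f[8]),
                "inception": parse_rrsig_time(f[9]),
                "key_tag": int(f[10]),
                "signer": f[11],
            })
    return keys, sigs


def audit(text, now):
    """Classify each RRSIG against `now` (RFC 4034 s3.1.5: inception <= now <= expiration)
    and against the published DNSKEY set. Returns (owner, type, key_tag, status) tuples."""
    keys, sigs = parse_zone(text)
    report = []
    for s in sigs:
        if s["key_tag"] not in keys:
            # The signing key has been removed from the zone, so validators cannot
            # find it regardless of the dates: this is how a DNSKEY is retired.
            status = "orphaned"
        elif now < s["inception"]:
            status = "not-yet-valid"
        elif now > s["expiration"]:
            status = "expired"
        else:
            status = "valid"
        report.append((s["owner"], s["type_covered"], s["key_tag"], status))
    return report


def build_sample_zone():
    """Constructed sample data: filler key bytes and signature blobs, not real keys."""
    ksk_pub = bytes([0x12, 0x34]) * 16      # constructed KSK public key (tag 10063)
    zsk_pub = bytes([0xAB, 0xCD]) * 16      # constructed ZSK public key (tag 49383)
    ksk_tag = dnskey_key_tag(257, 3, 13, ksk_pub)
    zsk_tag = dnskey_key_tag(256, 3, 13, zsk_pub)

    def b64(data):
        return base64.b64encode(data).decode()

    # Key tag 33333 is a hypothetical former ZSK already removed from the zone.
    return f"""
example.test. 3600 IN DNSKEY 257 3 13 {b64(ksk_pub)}
example.test. 3600 IN DNSKEY 256 3 13 {b64(zsk_pub)}
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20170801000000 20170718000000 {ksk_tag} example.test. {b64(b'sig1')}
example.test. 3600 IN RRSIG SOA 13 2 3600 20170725000000 20170715000000 {zsk_tag} example.test. {b64(b'sig2')}
www.example.test. 300 IN RRSIG A 13 3 300 20170720000000 20170710000000 {zsk_tag} example.test. {b64(b'sig3')}
mail.example.test. 300 IN RRSIG A 13 3 300 20170801000000 20170710000000 33333 example.test. {b64(b'sig4')}
"""


def audit_sample(now_str="20170721120000"):
    """Run the audit over the constructed zone at a given UTC time (YYYYMMDDHHmmSS)."""
    return audit(build_sample_zone(), parse_rrsig_time(now_str))


if __name__ == "__main__":
    for owner, rtype, tag, status in audit_sample():
        print(f"{owner:20} {rtype:7} keytag={tag:5} {status}")
```

Run at the thread's date (2017-07-21), the DNSKEY and SOA signatures are within their windows, the `www` A signature has already expired, and the `mail` A signature is orphaned even though its expiration is still in the future: the date on a signature says nothing once the key behind it has left the zone. Swapping the time string passed to `audit_sample` shows the same records flipping to not-yet-valid or expired while the DNSKEY lines themselves never change state.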