Re: [DNSOP] Call for Adoption for draft-wessels-edns-key-tag

Matthijs Mekking <matthijs@pletterpet.nl> Tue, 01 December 2015 07:49 UTC

To: IETF DNSOP <dnsop@ietf.org>
References: <5659A1DB.5090102@gmail.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <565D5114.6040507@pletterpet.nl>
Date: Tue, 1 Dec 2015 08:49:40 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/InbYOVZuo_pPSQc1EgCkzqK4Rx4>
Subject: Re: [DNSOP] Call for Adoption for draft-wessels-edns-key-tag

All,

I think this is a nice approach for gaining confidence in a rollover of
a key that acts as a trust anchor. It can even be used to detect
validators that have missed the rollover.

I would however be cautious with using the information as an event
trigger. The draft says

   The goal of these
   options is to signal new trust anchor uptake in client code to allow
   zone administrators to know when it is possible to complete a key
   rollover in a DNSSEC-signed zone.

Since the zone administrator cannot possibly know whether all validators
have signalled its trust anchor, you cannot use this information to
speed up a key rollover.

Also, the zone administrator already knows when to complete the key
rollover by calculating the appropriate interval times (TTL,
propagation, etc.). This signalling does not add anything to that knowledge.

Then some words about the uniqueness of key tags. The draft already
mentions it briefly, but only within the same zone. Since the queries
will visit various name servers, authoritative for different zones, how
do you deal with such key tag clashes? For example, a validator has the
root key set as a trust anchor, and the root and myzone.nl both have
DNSSEC keys with tag 12345. Does the zone administrator of myzone.nl now
also believe that its key is installed as a trust anchor?

Also, as the draft mentions, these queries can be created by
anyone and there is no way of authenticating the validator, so anyone
can signal key tags to give a zone administrator a false sense of
confidence. How could an administrator act on that such that valid
signalling stays useful?

To summarize, I am arguing that perhaps more bits than just the key tag
must be signalled, and that more words should be spent on how to deal
with malicious key (tag) signalling.

Best regards,
  Matthijs
On 28-11-15 13:45, Tim Wicinski wrote:
> 
> This starts a Call for Adoption for draft-wessels-edns-key-tag
> 
> The draft is available here:
> https://datatracker.ietf.org/doc/draft-wessels-edns-key-tag/
> 
> There was unanimous support for this during the meeting in Yokohama, so this
> is more of a formality, unless we hear strong negative reaction.
> 
> However, please indicate if you are willing to contribute text, review,
> etc.
> 
> Since there was unanimous support for this draft, I am going with a one
> week Call for Adoption. Please feel free to protest if anyone feels this
> is out of line.
> 
> This call for adoption ends 7 December 2015.
> 
> Thanks,
> tim wicinski
> DNSOP co-chair
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
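The key tag clash Matthijs raises above can be made concrete with a few lines of Python. The following is an added example, not code from the draft, the thread or any DNS implementation: it computes DNSKEY key tags with the checksum from RFC 4034 Appendix B (the general case, not the deprecated algorithm-1 rule), builds two constructed, clearly different DNSKEY RDATA blobs that share one tag, decodes a constructed edns-key-tag option payload assumed to be a plain sequence of 2-octet key tags, and shows why a zone operator matching signalled tags against its own DNSKEY set only learns "some key with this tag", never "this key". The key bytes, flag values and the `match_signalled_tags` helper are all assumptions made for the example.

```python
"""Key tags (RFC 4034 Appendix B) and why a tag alone does not identify a key.

Added example, not part of the draft or the thread. All key material is
constructed for illustration; nothing here is a real DNSKEY.
"""
import struct


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (flags, protocol, algorithm, public key).

    RFC 4034 Appendix B: even-offset octets weigh 256, odd-offset octets
    weigh 1, then the carry is folded back into the low 16 bits.
    """
    ac = 0
    for i, octet in enumerate(rdata):
        ac += (octet << 8) if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: 2-octet flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


# Constructed "public key" octets (not a real key). The 4-octet header keeps
# parity, so shifting +1/-1 between two odd offsets leaves the sum unchanged:
# a different key with the same key tag.
KEY_A_PUB = bytes(range(1, 65))
_b = bytearray(KEY_A_PUB)
_b[1] += 1
_b[3] -= 1
KEY_B_PUB = bytes(_b)

KEY_A = dnskey_rdata(257, 8, KEY_A_PUB)  # flags 257 = KSK/SEP, alg 8 (constructed)
KEY_B = dnskey_rdata(257, 8, KEY_B_PUB)


def parse_key_tag_option(data: bytes) -> list:
    """Decode edns-key-tag option data, assumed to be a list of 2-octet tags."""
    if len(data) % 2:
        raise ValueError("key-tag option data must be an even number of octets")
    return list(struct.unpack("!%dH" % (len(data) // 2), data))


def match_signalled_tags(signalled: list, dnskeys: list) -> dict:
    """Map each signalled tag to the DNSKEYs of this zone carrying that tag.

    An empty list means no local key matches (the tag may belong to some
    other zone's key); more than one entry means the tag is ambiguous even
    inside this zone. Neither case proves that a particular key is installed
    as a trust anchor anywhere.
    """
    by_tag = {}
    for rd in dnskeys:
        by_tag.setdefault(key_tag(rd), []).append(rd)
    return {tag: by_tag.get(tag, []) for tag in signalled}


if __name__ == "__main__":
    # Constructed option payload: tags 12345 and 1.
    signalled = parse_key_tag_option(b"\x30\x39\x00\x01")
    print("signalled tags:", signalled)
    print("KEY_A tag:", key_tag(KEY_A), "KEY_B tag:", key_tag(KEY_B))
    print("same RDATA?", KEY_A == KEY_B)
    for tag, keys in match_signalled_tags([key_tag(KEY_A)], [KEY_A, KEY_B]).items():
        print("tag %d matches %d distinct local keys" % (tag, len(keys)))
```

Monitoring that wants to act on these signals therefore needs more than the 16-bit tag to pin down a key (the draft's own discussion of duplicate tags within a zone is a subset of this problem), and should treat the counts as unauthenticated hints rather than as an event trigger.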