IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-02.txt

Patrik Fältström <paf@frobbit.se> Tue, 09 July 2013 08:05 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97CF821F9AA7 for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2013 01:05:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t4LRBl0Yc4RI for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2013 01:05:19 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) by ietfa.amsl.com (Postfix) with ESMTP id C8B4821F9AA2 for <dnsop@ietf.org>; Tue, 9 Jul 2013 01:05:18 -0700 (PDT)
Received: from [192.165.72.14] (unknown [192.165.72.14]) by mail.frobbit.se (Postfix) with ESMTPSA id 5F9FA22003; Tue, 9 Jul 2013 10:05:17 +0200 (CEST)
Content-Type: multipart/signed; boundary="Apple-Mail=_60D6E87C-3D4A-4C3F-A05B-6140696AE292"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Patrik Fältström <paf@frobbit.se>
In-Reply-To: <51DBBFBD.5020300@sidn.nl>
Date: Tue, 09 Jul 2013 10:05:17 +0200
Message-Id: <791FD3EC-91F6-448E-80D7-DC607A02AA2B@frobbit.se>
References: <20130617165829.2638.88322.idtracker@ietfa.amsl.com> <DD7454F5-6B16-4EBA-A380-C51E2302E5E9@kumari.net> <alpine.LFD.2.10.1306171417150.18979@bofh.nohats.ca> <0lsj0b2kk5.fsf@wjh.hardakers.net> <51C96B62.9030401@nlnetlabs.nl> <2350A43B-088E-4BEA-9317-98B8372C74BE@ogud.com> <51D18336.5010401@nlnetlabs.nl> <9245734C-D614-41C4-B2FC-C39D6DAAA5C3@ogud.com> <8E20305A-4B51-4714-B339-0C5703E75828@sinodun.com> <A82661B1-414B-435C-B359-53BC0F17EEA3@ogud.com> <33496ED6-4D88-485B-8369-566B2A1FC7C0@frobbit.se> <51DBBFBD.5020300@sidn.nl>
To: Antoin Verschuren <antoin.verschuren@sidn.nl>
X-Mailer: Apple Mail (2.1508)
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2013 08:05:19 -0000

On 9 jul 2013, at 09:46, Antoin Verschuren <antoin.verschuren@sidn.nl> wrote:

> Signed PGP part
> Op 08-07-13 20:28, Patrik Fältström schreef:
> 
> > One such situation is what is to happen when NS records changes in
> > the parent zone.
> > 
> > An immediate reaction is that change of NS records should trigger
> > fetch of CDS record from the child zone so that the new DS can be
> > included in the new version of the zone that have the new NS
> > records. Careful thinking should say whether that is a correct
> > thinking of me.
> 
> Why would DS records change when NS records change?
> I guess you're thinking only one scenario here, and that is when NS
> records change, the DNS operator of the master changes and the zone
> will get different key material. But this is not the general case,
> only the most difficult one to solve. Only changing one slave NS by
> another does not change the operator maintaining the key material.

I am only saying change of the NS record should _trigger_ a fetch of the CDS. If the CDS has not changed, then the DNSSEC data in the parent should not change.

> Changing the operator maintaining the key material does happen, and
> when it does, changing the DS after changing the NS will not help you
> autoprovision. The zone will get bogus if you change the DS after
> changing the NS, and so no CDS change can be validated at all.

The registry get an EPP update via a secure channel to change the NS. They can at that time (before the new zone is published) issue queries for CDS at the suggested new target of the NS, and if the CDS exists there they can fetch the CDS, see if key material changed, and incorporate the data in the zone that is to be published.

> Changing the key material operator needs pre-publishing of the new key
> material in the zone of the losing operator for the NS change to be
> validated. The new NS RRset in the child is signed with the new key
> material only.
> I know you all wish the world was simpler, but it isn't, We've tried.

For newcomers to this discussion, Antoin and myself is in the middle of this discussion about how to do a change of DNS operator (and because of that change of maintainer of key material) in reality. We have, as you can see, different opinion on the topic :-)

> > And a third if the auth servers queried at should be the ones that
> > there are NS records for in the parent zone or the NS records that
> > exists in the child zone.
> 
> I agree with Andrew here that the NS RRset in the child zone is
> authoritative, but it can only be used if validated.

But it can be validated thanks to the trust in the epp channel.

> > Lastly, I think it should be very clear not only what the priority
> > is between different versions of CDS records, but also between CDS
> > records and epp commands. If different registries implement
> > different policies here, the world might risk being much messier
> > than what we want.
> 
> Exactly my statement.

   Patrik

v2.23.0 | Report a Bug | By Email