Re: [DNSOP] KSK rollover choices

Paul Vixie <paul@redbarn.org> Wed, 31 October 2018 18:54 UTC


Jim Reid wrote:
>
>> On 31 Oct 2018, at 00:27, Mark Andrews<marka@isc.org>  wrote:
>>
>> Bootstrap is still an issue.  Over-fast TA rolling makes it more of
>> an issue.
>
> Indeed. And that's the underlying problem that needs to be fixed IMO
> - for instance when/if there's an emergency rollover.

bootstrappers should have https access to a complete history of root 
ksk, each one signed by its predecessor. this doesn't handle revocation, 
but nothing in dnssec handles revocation, and that's by design, and so 
i'm inclined not to worry about it.

but that's the backup plan. the primary expectation is, devices which 
come off the shelf after a dnssec ksk roll will have some means of 
reaching and trusting their manufacturer's software update service, 
which will offer them a current ksk for validation.

manufacturers who don't last long enough to do this, or who for whatever 
other reason don't do this, will be shipping future bricks. and i'm fine 
with that, since it's in their power to do the right thing, which is the 
best we can offer.

-- 
P Vixie
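An added illustration of the "complete history of root ksk, each one signed by its predecessor" idea from the message above (example code, not from the message or from any real bootstrapper): a device that shipped with one historical key walks the published chain and trusts only the key at the end of an unbroken run of predecessor signatures. Ed25519 signatures over raw public keys and the KSKEntry record layout are assumptions standing in for DNSSEC's actual key and signature formats.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

type KSKEntry struct {
	KeyTag int
	Pub    ed25519.PublicKey // constructed model: Ed25519 is an assumption, not a DNSSEC format
	Sig    []byte            // predecessor's signature over Pub; nil for the oldest entry
}

// WalkKSKHistory locates the key the device shipped with, then checks every later
// entry against its predecessor; one bad link rejects the whole fetch.
func WalkKSKHistory(shipped ed25519.PublicKey, history []KSKEntry) (ed25519.PublicKey, error) {
	var cur ed25519.PublicKey // nil until the shipped key has been found
	for _, e := range history {
		switch {
		case cur == nil:
			if e.Pub.Equal(shipped) {
				cur = e.Pub
			}
		case len(e.Pub) != ed25519.PublicKeySize || !ed25519.Verify(cur, e.Pub, e.Sig):
			return nil, fmt.Errorf("key tag %d is not signed by its predecessor", e.KeyTag)
		default:
			cur = e.Pub
		}
	}
	if cur == nil {
		return nil, fmt.Errorf("shipped key not in history; refusing to bootstrap")
	}
	return cur, nil
}

// BuildHistory makes a constructed chain of n keys from fixed seeds (demo only).
func BuildHistory(n int) []KSKEntry {
	hist := make([]KSKEntry, n)
	var prev ed25519.PrivateKey
	for i := range hist {
		priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{byte(i + 1)}, ed25519.SeedSize))
		hist[i] = KSKEntry{KeyTag: 1000 + i, Pub: priv.Public().(ed25519.PublicKey)}
		if i > 0 {
			hist[i].Sig = ed25519.Sign(prev, hist[i].Pub)
		}
		prev = priv
	}
	return hist
}
```

As the message notes, this gives no revocation: a compromised predecessor can still sign a successor, so the chain only proves continuity, not that every key in it is still trustworthy.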