Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: sentinel and timing?
Matt Larson <matt@kahlerlarson.org> Thu, 08 February 2018 15:24 UTC
Return-Path: <matt@kahlerlarson.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEF6712D955 for <dnsop@ietfa.amsl.com>; Thu, 8 Feb 2018 07:24:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.14
X-Spam-Level:
X-Spam-Status: No, score=-1.14 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XiZd2F3TCjx5 for <dnsop@ietfa.amsl.com>; Thu, 8 Feb 2018 07:24:43 -0800 (PST)
Received: from smtp69.ord1c.emailsrvr.com (smtp69.ord1c.emailsrvr.com [108.166.43.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 868E012AF83 for <dnsop@ietf.org>; Thu, 8 Feb 2018 07:24:43 -0800 (PST)
Received: from smtp25.relay.ord1c.emailsrvr.com (localhost [127.0.0.1]) by smtp25.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id AAA8A20421; Thu, 8 Feb 2018 10:24:38 -0500 (EST)
X-Auth-ID: matt@kahlerlarson.org
Received: by smtp25.relay.ord1c.emailsrvr.com (Authenticated sender: matt-AT-kahlerlarson.org) with ESMTPSA id 4293220354; Thu, 8 Feb 2018 10:24:38 -0500 (EST)
X-Sender-Id: matt@kahlerlarson.org
Received: from [172.20.10.3] (155.sub-174-205-21.myvzw.com [174.205.21.155]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:465 (trex/5.7.12); Thu, 08 Feb 2018 10:24:38 -0500
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Matt Larson <matt@kahlerlarson.org>
In-Reply-To: <A03DAC63-E005-4811-B706-B0284273DE6B@hopcount.ca>
Date: Thu, 08 Feb 2018 10:24:36 -0500
X-Mao-Original-Outgoing-Id: 539796276.816186-86945194a069516e747ca0b534d4b3d7
Content-Transfer-Encoding: quoted-printable
Message-Id: <32CB34DD-D682-42D7-B869-5A03057FCCC1@kahlerlarson.org>
References: <564E7616-6B47-48E2-B3DC-68A22032F441@icann.org> <20180208.152419.74654265.sthaug@nethelp.no> <A03DAC63-E005-4811-B706-B0284273DE6B@hopcount.ca>
To: Joe Abley <jabley@hopcount.ca>, sthaug@nethelp.no, Ed Lewis <edward.lewis@icann.org>, dnsop WG <dnsop@ietf.org>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/MGB1WAkD2jrhW_1xg7-DKnwmbrg>
Subject: Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: sentinel and timing?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2018 15:24:45 -0000
> On Feb 8, 2018, at 9:43 AM, Joe Abley <jabley@hopcount.ca> wrote: > > > >> On 8 Feb 2018, at 09:24, sthaug@nethelp.no wrote: >> >>> If just to spread rumors, I heard the following as early as November, 2016. One of the issues is that operators update code without updating configuration files. I.e., a BIND upgraded today might be using a configuration file from the pre-managed-key days. >> >> Speaking only for myself - I have done many BIND upgrades without config >> file changes (and I basically expect this to work). > > The problem is that until the first KSK rollover, > > best current practice for configuring DNSSEC validation in 2008 (without RFC5011) > > and > > best current practice for configuring DNSSEC validation in 2018 (with RFC5011) > > are functionally identical; there's no failure evident from using trusted-keys vs. managed-keys in your configuration, and BIND9's fastidious backwards compatibility means that old configurations continue to work even if "best current practice" with respect to the facilities implemented in BIND9 have changed. I would love to see BIND's trusted-keys syntax deprecated. Not the ability to configure a trust anchor statically, mind you, just the syntax. Changing the syntax and refusing to start with trusted-key in the configuration file would force those who are dragging old config files behind them unchanged to update. Maybe something like this: managed-keys { "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="; managed no; // Behave as if this were "trusted-keys" }; (But please let's not bikeshed the syntax of a possible implementation...) Matt
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … sthaug
- [DNSOP] Why new code/old keys? Re: [Ext] Re: sent… Edward Lewis
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Ray Bellis
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Joe Abley
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Matt Larson
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Paul Vixie
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … sthaug
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Paul Vixie
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Matt Larson
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Paul Vixie
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Mukund Sivaraman
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Mark Andrews