Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

"Wessels, Duane" <dwessels@verisign.com> Thu, 03 August 2017 20:06 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Aanchal Malhotra <aanchal4@bu.edu>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] Re: [DNSOP] Emergency KSK Rollover for locally secure zones.
Thread-Index: AQHTDJLnzWOD/u3mWEKUgRN2+IFyGKJzUfiA
Date: Thu, 3 Aug 2017 20:06:47 +0000
Message-ID: <16161C24-1E34-4180-8A07-FE6F78DCEB81@verisign.com>
References: <CAMbs7ks-ZZ-tFpnNkgNx779ct0ns24d+pzKbzQhKuAxVnMUwrA@mail.gmail.com> <2EDD433D-BD40-4A54-BE52-57BC512C5988@verisign.com> <CAMbs7kv63z8K29Hqa4vC=p8DOtiJr96js4jQUx9k7eJ2HopSfg@mail.gmail.com>
In-Reply-To: <CAMbs7kv63z8K29Hqa4vC=p8DOtiJr96js4jQUx9k7eJ2HopSfg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/NNwJytu5EzwxHlOPelWrUG6ndIA>
Subject: Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

> On Aug 3, 2017, at 12:58 PM, Aanchal Malhotra <aanchal4@bu.edu> wrote:
> 
> However, I still don't see how it would help in case of trust anchor/KSK compromise.

This is why I wrote "I don't know if you consider it a solution."

Even so, I think it could be useful, depending on the nature and scale of the zone in question.  For example, if you had to perform an emergency KSK rollover, you might do something like email a group of administrators with instructions to manually update their trust anchors.  RFC 8145 would help you know how many administrators followed through on that request.

DW
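As an added illustration of the RFC 8145 measurement Duane describes (this is not code from the thread): the script below scans constructed authoritative-server query-log lines for the `_ta-<keytag>[-<keytag>]` NULL queries that signaling validators send, decodes the hex key tags, and tallies how many reporting validators already trust the new KSK versus only the old one. The zone name `example.org`, the key tags 12345/54321, and the log line format are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original message): source address,
# QNAME and QTYPE as an authoritative server might record each query.
SAMPLE_LOG = """\
client 192.0.2.10 query: _ta-3039.example.org IN NULL
client 192.0.2.11 query: _ta-3039-d431.example.org IN NULL
client 192.0.2.12 query: www.example.org IN A
client 198.51.100.7 query: _ta-d431.example.org IN NULL
client 192.0.2.11 query: _ta-3039-d431.example.org IN NULL
client 203.0.113.5 query: _ta-3039.example.org IN NULL
"""

ZONE = "example.org"          # assumed locally secure zone being rolled
OLD_KSK_TAG = 12345           # 0x3039, assumed compromised/outgoing KSK
NEW_KSK_TAG = 54321           # 0xd431, assumed replacement KSK

# RFC 8145 section 5.1: QNAME is "_ta-" plus 4-hex-digit key tags joined by "-",
# sent with QTYPE NULL. Accept upper case too, since not all senders lowercase.
TA_RE = re.compile(
    r"client (?P<src>\S+) query: _ta-(?P<tags>[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4})*)\."
    + re.escape(ZONE) + r" IN NULL"
)

def parse_signals(log_text):
    """Return {source: set(keytags)} from RFC 8145 QNAME signals.

    Each signal carries the validator's current full trust-anchor set, so the
    latest observation per source replaces earlier ones rather than merging;
    merging would hide a validator that has already dropped the old key.
    """
    seen = {}
    for line in log_text.splitlines():
        m = TA_RE.search(line)
        if not m:
            continue
        seen[m.group("src")] = {int(t, 16) for t in m.group("tags").split("-")}
    return seen

def rollover_progress(signals, old_tag, new_tag):
    """Classify each reporting validator relative to the old and new KSK."""
    c = Counter()
    for tags in signals.values():
        if new_tag in tags:
            c["has_new"] += 1      # already trusts the replacement key
        elif old_tag in tags:
            c["old_only"] += 1     # still needs the manual trust-anchor update
        else:
            c["unknown_only"] += 1 # signals a tag that is neither; worth a look
    return dict(c)
```

Counting by source address undercounts validators behind forwarders or NAT, so treat the numbers as a lower bound on who has followed through.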