Re: [DNSOP] draft-ietf-dnsop-dnssec-trust-history - discussion

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 17 September 2010 01:13 UTC

To: Stephen Morris <sa.morris7@googlemail.com>, dnsop@ietf.org
From: Paul Hoffman <paul.hoffman@vpnc.org>

At 12:24 PM +0100 9/10/10, Stephen Morris wrote:
>1. Is the situation addressed by the draft - that of a validator that has been offline or that has missed an (emergency) rollover needing to reconfigure itself - a problem that needs to be solved?

Yes, mostly for the former case. A subset of the "has been offline" problem is distros that come with trust anchors that are installed after one of the trust anchors has expired. That's like being offline since the distro was burned into an ISO.

>2. If the answer to (1) is yes, is the idea of using DNS the best way to do it?

Maybe, but I agree with the folks who said "but not by using keys that should have been discarded". A possibly better (and much simpler) way to do this is to somehow associate a long-lived secure URL (such as using the https: scheme) that leads to the repository of current trust anchors. This requires that the DNS server have a separate pile of trust anchors for the non-DNS scheme, and those keys need to be valid for longer than the DNS trust anchors that are expiring, of course.

--Paul Hoffman, Director
--VPN Consortium
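The two cases the reply distinguishes (a validator that still holds at least one currently valid anchor and can bootstrap in-band, versus one whose shipped anchors have all expired and must fall back to an out-of-band repository whose own trust material outlasts the DNS anchors) can be expressed as a small decision routine. The following is an added example, not code from the mail or from the draft under discussion; the XML layout follows the convention of IANA's root-anchors.xml (KeyDigest elements with validFrom/validUntil attributes), but every key tag, digest and date in it is constructed sample data.

```python
"""Classify a shipped DNSSEC trust-anchor file and decide how a validator that
has been offline (or was installed from an old ISO) should bootstrap.

Added example.  SAMPLE_ANCHORS_XML is constructed; its layout mirrors the IANA
root-anchors.xml convention but the key tags, digests and dates are made up."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

# Constructed sample: two anchors for the root zone.  The "old" one carries a
# validUntil in the past; the "new" one has no published expiry yet.
SAMPLE_ANCHORS_XML = """<TrustAnchor id="example-anchor-set" source="https://example.invalid/anchors">
  <Zone>.</Zone>
  <KeyDigest id="old" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
    <KeyTag>11111</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>00000000000000000000000000000000000000000000000000000000DEADBEEF</Digest>
  </KeyDigest>
  <KeyDigest id="new" validFrom="2017-02-02T00:00:00+00:00">
    <KeyTag>22222</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>00000000000000000000000000000000000000000000000000000000CAFEF00D</Digest>
  </KeyDigest>
</TrustAnchor>
"""


@dataclass(frozen=True)
class Anchor:
    key_id: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str
    valid_from: datetime
    valid_until: Optional[datetime]  # None: no expiry published yet


def parse_anchors(xml_text: str) -> List[Anchor]:
    """Parse KeyDigest entries; timestamps are ISO 8601 with an explicit offset."""
    root = ET.fromstring(xml_text)
    anchors = []
    for kd in root.findall("KeyDigest"):
        until = kd.get("validUntil")
        anchors.append(Anchor(
            key_id=kd.get("id"),
            key_tag=int(kd.findtext("KeyTag")),
            algorithm=int(kd.findtext("Algorithm")),
            digest_type=int(kd.findtext("DigestType")),
            digest=kd.findtext("Digest").strip().upper(),
            valid_from=datetime.fromisoformat(kd.get("validFrom")),
            valid_until=datetime.fromisoformat(until) if until else None,
        ))
    return anchors


def anchor_status(anchor: Anchor, now: datetime) -> str:
    """'valid', 'expired' or 'not-yet-valid' relative to the given clock."""
    if now < anchor.valid_from:
        return "not-yet-valid"
    if anchor.valid_until is not None and now >= anchor.valid_until:
        return "expired"
    return "valid"


def bootstrap_plan(anchors: List[Anchor], now: datetime) -> Tuple[str, Dict[str, str]]:
    """Decide how to recover.  With at least one currently valid anchor the
    validator can follow the in-band (RFC 5011) rollover chain; with none it
    must fetch a fresh anchor set out of band rather than trust expired keys."""
    statuses = {a.key_id: anchor_status(a, now) for a in anchors}
    if any(s == "valid" for s in statuses.values()):
        return "in-band", statuses
    return "out-of-band", statuses


def oob_pin_outlasts_anchors(pin_not_after: datetime, anchors: List[Anchor]) -> bool:
    """The out-of-band channel's own trust material (e.g. a pinned HTTPS
    issuer) is only useful if it stays valid past every DNS anchor expiry."""
    expiries = [a.valid_until for a in anchors if a.valid_until is not None]
    return all(pin_not_after > e for e in expiries)


if __name__ == "__main__":
    anchors = parse_anchors(SAMPLE_ANCHORS_XML)
    now = datetime(2020, 6, 1, tzinfo=timezone.utc)
    print(bootstrap_plan(anchors, now))        # full set: in-band
    print(bootstrap_plan(anchors[:1], now))    # ISO burned with only "old": out-of-band
```

The `anchors[:1]` call models the distro case from the reply: an image built when only the older anchor existed and booted after that anchor's validUntil has passed. For it the only safe answer is `out-of-band`, and `oob_pin_outlasts_anchors` is the check that the separate, longer-lived trust material for that channel actually covers the gap.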