One Interaction KEY exchange
Olaf Kolkman <olaf@ripe.net> Fri, 06 April 2001 13:32 UTC
Received: from nic.cafax.se ([192.71.228.17]) by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA08930 for <dnsop-archive@odin.ietf.org>; Fri, 6 Apr 2001 09:32:03 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by nic.cafax.se (8.12.0.Beta7/8.12.0.Beta5) id f36D7nWX012362 for dnsop-outgoing; Fri, 6 Apr 2001 15:07:49 +0200 (MEST)
Received: from birch.ripe.net (birch.ripe.net [193.0.1.96]) by nic.cafax.se (8.12.0.Beta7/8.12.0.Beta5) with ESMTP id f36D7mLt012357 for <dnsop@cafax.se>; Fri, 6 Apr 2001 15:07:48 +0200 (MEST)
Received: from x50.ripe.net (x50.ripe.net [193.0.1.50]) by birch.ripe.net (8.8.8/8.8.8) with ESMTP id PAA18997; Fri, 6 Apr 2001 15:07:45 +0200 (CEST)
Received: from ripe.net (localhost.ripe.net [127.0.0.1]) by x50.ripe.net (8.8.8/8.8.5) with ESMTP id PAA00228; Fri, 6 Apr 2001 15:07:45 +0200 (CEST)
Message-Id: <200104061307.PAA00228@x50.ripe.net>
To: dnsop@cafax.se
cc: miekg@nlnetlabs.nl, ted@nlnetlabs.nl
Subject: One Interaction KEY exchange
Date: Fri, 06 Apr 2001 15:07:45 +0200
From: Olaf Kolkman <olaf@ripe.net>
Sender: owner-dnsop@cafax.se
Precedence: bulk
Ref: draft-ietf-dnsop-parent-sig-00.txt
Using the ideas from draft-ietf-dnsext-parent-stores-zone-keys-00.txt
this is an alternative to the key exchange mechanism described in
section 4 of that draft (which is the same as in
draft-ietf-dnsop-parent-sig-00.txt)
I think one can restrict the parent-child interaction even more. I get
to only 1 child parent interaction and an optional parent child
interaction. During the rollover the parent only needs to sign keys
once instead of twice.
Consider the following
1. To initiate a key rollover the child replaces the KEYold by the
KEYnew, signs KEYnew and the rest of the zone using the old and new KEY.
Then the child signals the parent to initiate the rollover.
2. The parent fetches the new key with the double signature and verifies
the SIG made with the old KEY with the old child KEY that the parent
is authoritative for. If the SIG is correct the Parent publishes the
new KEY with parental signature.
Since all child zone data is already signed with the new key that
data is also validated against the now signed KEYnew.
3. Once the child notices (or receives the optional signal by the parent)
that KEYnew has been signed the child can remove the SIG made with
KEYold. This is not a resigning exercise. A simple 'grep -v' will do.
To put this in a hopefully readable table:
__________________________________________________
KEYold is the child's old key RR
KEYnew is the child's new key RR
SIGparent(RR) is the parental signature over RR
SIGkeyold(RR) is the child signature over RR using keyold
SIGkeyold(RR) is the child signature over RR using keynew
(At all times the child has signed the complete zone with the same keys
as it signed the KEY record with.)
_______________________________________________________________________________
Time Parent state Child state Comment
_______________________________________________________________________________
0 KEYold KEYold Before key rollover
SIGparent(KEYold) SIGkeyold(KEYold)
1 KEYold KEYnew Shortly before
SIGparent(KEYold) SIGkeyold(KEYnew) rollover
SIGkeynew(KEYnew) This works
because parent
is authoritative.
2a SIGNAL to parent parent fetches KEYnew with the two sigs. It can verify
SIGkeyold(KEYnew) against the data it holds itself. then replaces KEYold
by KEYnew and signs
2b KEYnew KEYnew
SIGparent(KEYnew) SIGkeyold(KEYnew)
SIGkeynew(KEYnew)
3a SIGNAL from parent to child. Child checks signature over KEYnew and
knows it can dispose of SIGkeyold(KEYnew)
3b KEYnew KEYnew
SIGparent(KEYnew) SIGkeynew(KEYnew)
_______________________________________________________________________________
In the mentioned draft the child always publishes one KEY RR in its
KEY RRset that is signed by the parent. This is not the case in this
model still all arguments in paragraph 7 apply.
Paragraph 7:
" There are two reasons to have of the child's zone KEY not only at the
parent but also in the child's own zonefile:
1. to facilitate a key rollover
2. to prevent local lookups for local information to suffer
from possible loss of access to its outside parent
To cope with 1, secure aware resolvers MUST be aware that during a
key-rollover there may be a conflict, and that in that case the
parent always holds the active KEY set. To cope with 2, the local
resolver/caching forwarder should be pre-configured with the zone-KEY
and thus looks at its own zone as were it a secure entry-point. For
both things to work, the zone-KEY set must be selfsigned in the child
zonefile.
"
As far as I can tell this scheme is still immune for fake signals
since the Parent will only update if it finds another key at the child
then the key in it's own zone. Besides, a spoofed new keyset will not
validate since it is not signed with the verifiable SIG made with the
old key.
To cope with point 2 from par 7 the zone administrator should configure
the local resolvers and forwarding caches with the KEYnew somewhere
between step 1. and step 2a. in the table
I welcome your merciless responses :-)
- --Olaf
- -----------------------------------------------------
Olaf M. Kolkman | RIPE NCC
----------- | ---------------
RIPE NCC | Phone: +31 20 535 4444
Singel 258 | Fax: +31 20 535 4445
1016 AB Amsterdam | http://www.ripe.net
The Netherlands | OKolkman@ripe.net
- One Interaction KEY exchange Olaf Kolkman
- Re: One Interaction KEY exchange Ted Lindgreen