One Interaction KEY exchange
Olaf Kolkman <olaf@ripe.net> Fri, 06 April 2001 13:32 UTC
Received: from nic.cafax.se ([192.71.228.17]) by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA08930 for <dnsop-archive@odin.ietf.org>; Fri, 6 Apr 2001 09:32:03 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by nic.cafax.se (8.12.0.Beta7/8.12.0.Beta5) id f36D7nWX012362 for dnsop-outgoing; Fri, 6 Apr 2001 15:07:49 +0200 (MEST)
Received: from birch.ripe.net (birch.ripe.net [193.0.1.96]) by nic.cafax.se (8.12.0.Beta7/8.12.0.Beta5) with ESMTP id f36D7mLt012357 for <dnsop@cafax.se>; Fri, 6 Apr 2001 15:07:48 +0200 (MEST)
Received: from x50.ripe.net (x50.ripe.net [193.0.1.50]) by birch.ripe.net (8.8.8/8.8.8) with ESMTP id PAA18997; Fri, 6 Apr 2001 15:07:45 +0200 (CEST)
Received: from ripe.net (localhost.ripe.net [127.0.0.1]) by x50.ripe.net (8.8.8/8.8.5) with ESMTP id PAA00228; Fri, 6 Apr 2001 15:07:45 +0200 (CEST)
Message-Id: <200104061307.PAA00228@x50.ripe.net>
To: dnsop@cafax.se
cc: miekg@nlnetlabs.nl, ted@nlnetlabs.nl
Subject: One Interaction KEY exchange
Date: Fri, 06 Apr 2001 15:07:45 +0200
From: Olaf Kolkman <olaf@ripe.net>
Sender: owner-dnsop@cafax.se
Precedence: bulk
Ref: draft-ietf-dnsop-parent-sig-00.txt Using the ideas from draft-ietf-dnsext-parent-stores-zone-keys-00.txt this is an alternative to the key exchange mechanism described in section 4 of that draft (which is the same as in draft-ietf-dnsop-parent-sig-00.txt) I think one can restrict the parent-child interaction even more. I get to only 1 child parent interaction and an optional parent child interaction. During the rollover the parent only needs to sign keys once instead of twice. Consider the following 1. To initiate a key rollover the child replaces the KEYold by the KEYnew, signs KEYnew and the rest of the zone using the old and new KEY. Then the child signals the parent to initiate the rollover. 2. The parent fetches the new key with the double signature and verifies the SIG made with the old KEY with the old child KEY that the parent is authoritative for. If the SIG is correct the Parent publishes the new KEY with parental signature. Since all child zone data is already signed with the new key that data is also validated against the now signed KEYnew. 3. Once the child notices (or receives the optional signal by the parent) that KEYnew has been signed the child can remove the SIG made with KEYold. This is not a resigning exercise. A simple 'grep -v' will do. To put this in a hopefully readable table: __________________________________________________ KEYold is the child's old key RR KEYnew is the child's new key RR SIGparent(RR) is the parental signature over RR SIGkeyold(RR) is the child signature over RR using keyold SIGkeyold(RR) is the child signature over RR using keynew (At all times the child has signed the complete zone with the same keys as it signed the KEY record with.) _______________________________________________________________________________ Time Parent state Child state Comment _______________________________________________________________________________ 0 KEYold KEYold Before key rollover SIGparent(KEYold) SIGkeyold(KEYold) 1 KEYold KEYnew Shortly before SIGparent(KEYold) SIGkeyold(KEYnew) rollover SIGkeynew(KEYnew) This works because parent is authoritative. 2a SIGNAL to parent parent fetches KEYnew with the two sigs. It can verify SIGkeyold(KEYnew) against the data it holds itself. then replaces KEYold by KEYnew and signs 2b KEYnew KEYnew SIGparent(KEYnew) SIGkeyold(KEYnew) SIGkeynew(KEYnew) 3a SIGNAL from parent to child. Child checks signature over KEYnew and knows it can dispose of SIGkeyold(KEYnew) 3b KEYnew KEYnew SIGparent(KEYnew) SIGkeynew(KEYnew) _______________________________________________________________________________ In the mentioned draft the child always publishes one KEY RR in its KEY RRset that is signed by the parent. This is not the case in this model still all arguments in paragraph 7 apply. Paragraph 7: " There are two reasons to have of the child's zone KEY not only at the parent but also in the child's own zonefile: 1. to facilitate a key rollover 2. to prevent local lookups for local information to suffer from possible loss of access to its outside parent To cope with 1, secure aware resolvers MUST be aware that during a key-rollover there may be a conflict, and that in that case the parent always holds the active KEY set. To cope with 2, the local resolver/caching forwarder should be pre-configured with the zone-KEY and thus looks at its own zone as were it a secure entry-point. For both things to work, the zone-KEY set must be selfsigned in the child zonefile. " As far as I can tell this scheme is still immune for fake signals since the Parent will only update if it finds another key at the child then the key in it's own zone. Besides, a spoofed new keyset will not validate since it is not signed with the verifiable SIG made with the old key. To cope with point 2 from par 7 the zone administrator should configure the local resolvers and forwarding caches with the KEYnew somewhere between step 1. and step 2a. in the table I welcome your merciless responses :-) - --Olaf - ----------------------------------------------------- Olaf M. Kolkman | RIPE NCC ----------- | --------------- RIPE NCC | Phone: +31 20 535 4444 Singel 258 | Fax: +31 20 535 4445 1016 AB Amsterdam | http://www.ripe.net The Netherlands | OKolkman@ripe.net
- One Interaction KEY exchange Olaf Kolkman
- Re: One Interaction KEY exchange Ted Lindgreen