Re: [DNSOP] WG review of draft-ietf-homenet-dot-03

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 21 March 2017 02:14 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17160129442 for <dnsop@ietfa.amsl.com>; Mon, 20 Mar 2017 19:14:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nnzgRph_tTg8 for <dnsop@ietfa.amsl.com>; Mon, 20 Mar 2017 19:14:36 -0700 (PDT)
Received: from mail-it0-x229.google.com (mail-it0-x229.google.com [IPv6:2607:f8b0:4001:c0b::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B60D129435 for <dnsop@ietf.org>; Mon, 20 Mar 2017 19:14:36 -0700 (PDT)
Received: by mail-it0-x229.google.com with SMTP id y18so1970796itc.0 for <dnsop@ietf.org>; Mon, 20 Mar 2017 19:14:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6itBjpK2A/uSwsxZR0GX00sKSjVYg4E/pwuw781/LfU=; b=dODIKHTnrEt3fYO0WKfkphuEYwSO35QZ6I9jp6PaQT8i2trCY9nVKNU1bA6/ochLfV CKJ4whdo1D9hD/5TWiEDG9J0SBBNfA5/o99WgEGrGfbIh1hS/DuaZLYg8EOAnQxAZMUm 6LtVBtchL9TBOBrHAQmpPB37PFKLqkR+lDB0qGuqR2f76L88LBiOGTnXylMC69hX9Oij WLTa/gwx0QvxxY8Rj3FK8/wONc5guKsRnMILWzJlkrl+pq3g/aoEdv2FAnsl5ckv6yfw j5FSIPGxoIUOKChP/5FBh+hr0phqXFnk4hDwT5E2M2wQZUQPZxBMhu9FaUWOKBW7lZKv JOHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6itBjpK2A/uSwsxZR0GX00sKSjVYg4E/pwuw781/LfU=; b=f8ggh20ZpUsoUru+3ngiYPEyvLMTs1/KudAcsnweZ7FPj70/xF+QSanXvVIxDMpsKV k8Ra2NR8lnHRhzfVODQyB8rE5ZztdPG1RwGOe3C/5bWxUZpDULpcZTuwflkUIzX7U5E9 VwjFoytua1Ug9O+I9ZIXgdvuwOeB7HgVFwQk1qTlETj/yod1LnivuUVtX/2eeniwpqC9 T6xAFQEWx7OQn8i4jHlNI1o7pyo5zWJ+ejWi9tPnT3+2W8vVTsybn2C1bE2zzO8TTzva T1fWkvtg8hv1Xm5YxLciotzLQSvRM5GJRjuUDJTsctrV9qID1NkZkLEIpXfD2HRVDB1i D9mQ==
X-Gm-Message-State: AFeK/H1jNdGu+kgc2eu8nFcczxxJr/51bFG3C6Ayj5rRa7l3YEBqTVTkPWGBfwVvyv6NHjeGWqA+oqJpzyYWow==
X-Received: by 10.36.4.67 with SMTP id 64mr560252itb.19.1490062475793; Mon, 20 Mar 2017 19:14:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.88.210 with HTTP; Mon, 20 Mar 2017 19:14:35 -0700 (PDT)
In-Reply-To: <18C28746-F113-4ABD-9896-29ECAC8C27DF@fugue.com>
References: <CAH1iCioEAfgS-Efj1OYsL1vG4STnwod=ARrtEKWsHYMCzRdq-Q@mail.gmail.com> <441D6008-B1B3-46D4-87C0-1BA8032B50DB@fugue.com> <CAH1iCip8=KajuqXL6P72aMovsaXWPeWCAWHoXUJ+tZFY4FrG9g@mail.gmail.com> <18C28746-F113-4ABD-9896-29ECAC8C27DF@fugue.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 20 Mar 2017 19:14:35 -0700
Message-ID: <CAH1iCirZhjpZROBALfmazyFesr7mCYsHg9pQiQhY31=zPvW31g@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary=001a1140ad4e903e76054b34347a
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OfMWAhwWSIAkC5pSVzhtexgsabU>
Subject: Re: [DNSOP] WG review of draft-ietf-homenet-dot-03
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 02:14:38 -0000

On Mon, Mar 20, 2017 at 6:54 PM, Ted Lemon <mellon@fugue.com> wrote:

> On Mar 20, 2017, at 9:50 PM, Brian Dickson <brian.peter.dickson@gmail.com>
> wrote:
>
> This would require an update every time the KSK is rolled, or whenever the
> RRSIG needs to be refreshed. 68 years is an inconvenient interval, so maybe
> 50 or 20 years? This is still a lot better than 1 week or 1 month.
>
>
> Isn't there some inconvenient process involved in using the KSK?   I
> suspect that in practice, this makes it harder, not easier.
>

Yes, very much so, although I'm answering from second- or third-hand
knowledge.

As I understand it, the whole process of using the KSK is a scripted,
recorded ceremony in a carefully controlled super-restricted environment,
so this would need to be added to that script.

On the plus side, if it only needs to be done on the very rare occasion
(every N years or when the KSK rolls), I think the benefit would outweigh
the initial barrier to change.

But, that is probably for the folks with direct knowledge to comment on.
I'm just putting the suggestion forward.

Brian