Re: [DNSOP] On obsoleting DNSSEC RFCs; Example from RFC 4035 (2)
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 11 November 2019 20:48 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93B0B120825 for <dnsop@ietfa.amsl.com>; Mon, 11 Nov 2019 12:48:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id khGz3iHQV-E9 for <dnsop@ietfa.amsl.com>; Mon, 11 Nov 2019 12:48:01 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA233120019 for <dnsop@ietf.org>; Mon, 11 Nov 2019 12:47:59 -0800 (PST)
Received: from [192.168.1.161] (unknown [192.168.1.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 1CCD332ACD6 for <dnsop@ietf.org>; Mon, 11 Nov 2019 15:47:59 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <45da1ecde592be34b00b8fab64bcd6ee591019b4.camel@aegee.org>
Date: Mon, 11 Nov 2019 15:47:58 -0500
Content-Transfer-Encoding: quoted-printable
Reply-To: dnsop@ietf.org
Message-Id: <0DDA1F33-A4DB-44C6-9C0B-0EDDF631738C@dukhovni.org>
References: <8f5027d509619b8dd14d821eaec6d4b050e12077.camel@aegee.org> <45da1ecde592be34b00b8fab64bcd6ee591019b4.camel@aegee.org>
To: dnsop@ietf.org
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OzcSH9Rhea8STd3uB0IMsev4bbk>
Subject: Re: [DNSOP] On obsoleting DNSSEC RFCs; Example from RFC 4035 (2)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Nov 2019 20:48:03 -0000
> On Nov 11, 2019, at 2:39 PM, Дилян Палаузов <dilyan.palauzov@aegee.org> wrote: > > Does it make sense to generate RRSIG for the ZSK and why 1/3 of the DNSSEC > enabled sites [sample size of 3], maintaining DNSSEC enabled DNS servers do it? While it makes sense to keep DNS RRsets as small as possible, to avoid UDP fragmentation issues, there is no prior restraint on signing the DNSKEY RRset also with the ZSKs. Therefore, while avoiding redundant signatures can be seen as a best-practice it is not presently a requirement. If you're looking for guidance on whether your DNSKEY RRsets should be signed also with the ZSKs, the answer is generally "no". You're typically better off signing them with just the KSKs (keys with the SEP bit set in their flags), provided it is these same KSKs that match the DS RRs in the parent zone. IIRC the SEP bit in the key flags is only a hint (generally valid) that the key is (was, or is intended to be in the future) one of the ones matching a DS RRset at the parent. Ultimately, one or more key matching the DS RRs signs the DNSKEY RRset, and one or more keys that appear in the DNSKEY RRset sign the rest of the RRsets. Algorithm agility means that validators may ignore some weaker algorithms or keys in the presence of stronger algorithms, which may necessitate signing with more than one key in some cases, to accommodate both validators that prefer stronger keys and validators that don't yet support the stronger keys. The rule of thumb is that each key algorithm that appears in the DNSKEY RRset, should also be used to sign each RRset with at least one key of that type. Thus, for example, when removing a signing algorithm, one should first remove the DS RR, then the KSK and finally the ZSK. When adding a new algorithm, first add a ZSK, then a corresponding KSK, and finally the DS. In both cases with various delays in between to allow updated records to displace stale cached data. I should perhaps also note that recently many zones employing ECDSA P-256 (algorithm 13) have dispensed with having a separate KSK and ZSK and use the KSK also for zone signing. Their DNSKEY RRset has just one key. With RSA one generally wants a 2048-bit "long-term" KSK and a shorter (1280-bit perhaps) ZSK that should be rotated more frequently. A 2048-bit ZSK would result in NSEC and especially NSEC3 response sizes that exceed recommended UDP response size limits. KSK == ZSK is a valid choice for ECDSA P-256 that also keeps the DNSKEY RRset reasonably small. The single KSK == ZSK count is quite visible in my DNSSEC survey: https://stats.dnssec-tools.org/#parameter * 3477400 algorithm 13 "KSKs" ((flags & 257) == 257) * 2016046 algorithm 13 "ZKSs" ((flags & 257) == 256) The 1.46 million domain discrepancy is domains with just one key. -- Viktor.
- [DNSOP] On obsoleting DNSSEC RFCs; Example from R… Дилян Палаузов
- Re: [DNSOP] On obsoleting DNSSEC RFCs; Example fr… Joe Abley
- Re: [DNSOP] On obsoleting DNSSEC RFCs; Example fr… Дилян Палаузов
- Re: [DNSOP] On obsoleting DNSSEC RFCs; Example fr… Viktor Dukhovni
- Re: [DNSOP] On obsoleting DNSSEC RFCs; Example fr… Tony Finch