Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: sentinel and timing?

Joe Abley <jabley@hopcount.ca> Thu, 08 February 2018 14:43 UTC

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <20180208.152419.74654265.sthaug@nethelp.no>
Date: Thu, 08 Feb 2018 09:43:15 -0500
Cc: Ed Lewis <edward.lewis@icann.org>, dnsop@ietf.org
Message-Id: <A03DAC63-E005-4811-B706-B0284273DE6B@hopcount.ca>
References: <564E7616-6B47-48E2-B3DC-68A22032F441@icann.org> <20180208.152419.74654265.sthaug@nethelp.no>
To: sthaug@nethelp.no
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RlKme2a8yxxhlyr9-vOsc-TDACA>
Subject: Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: sentinel and timing?


> On 8 Feb 2018, at 09:24, sthaug@nethelp.no wrote:
> 
>> If just to spread rumors, I heard the following as early as November, 2016.  One of the issues is that operators update code without updating configuration files.  I.e., a BIND upgraded today might be using a configuration file from the pre-managed-key days.
> 
> Speaking only for myself - I have done many BIND upgrades without config
> file changes (and I basically expect this to work).

The problem is that until the first KSK rollover,

  best current practice for configuring DNSSEC validation in 2008 (without RFC5011)

and

  best current practice for configuring DNSSEC validation in 2018 (with RFC5011)

are functionally identical; there's no failure evident from using trusted-keys vs. managed-keys in your configuration, and BIND9's fastidious backwards compatibility means that old configurations continue to work even if "best current practice" with respect to the facilities implemented in BIND9 has changed.


Joe
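The point above is that a BIND validator configured with a static `trusted-keys` root anchor and one configured with an RFC 5011 `managed-keys` anchor behave identically until the root KSK actually rolls, so the stale configuration is invisible in normal operation. The following is an added example, not code from the original message or from ISC: a small audit script that scans named.conf text for `trusted-keys` and `managed-keys` blocks, computes each anchor's DNSKEY key tag (RFC 4034 Appendix B.1) so the anchor can be identified, and flags a root anchor that is static and will therefore not follow a rollover. The two configuration fragments and the key material inside them are constructed for the example; the short base64 string is a synthetic placeholder, not the real root KSK.

```python
import base64
import re
import struct

# Constructed named.conf fragments (not from the original message).
# "AQIDBA==" is synthetic placeholder key material, NOT the real root KSK.
OLD_STYLE_CONF = '''
options {
    dnssec-validation yes;
};
trusted-keys {
    . 257 3 8 "AQIDBA==";
};
'''

NEW_STYLE_CONF = '''
options {
    dnssec-validation yes;
};
managed-keys {
    . initial-key 257 3 8 "AQIDBA==";
};
'''


def dnskey_key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B.1.

    Whitespace inside the quoted key is ignored, as BIND does for keys that
    are split across several lines inside one string.
    """
    key = base64.b64decode(re.sub(r"\s+", "", pubkey_b64))
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# One anchor line: <name> [initial-key] <flags> <protocol> <algorithm> "<base64>";
ANCHOR_RE = re.compile(
    r'^\s*(?P<name>\S+)\s+(?:initial-key\s+)?'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"(?P<key>[^"]+)"\s*;',
    re.M,
)

BLOCK_RE = re.compile(r"(trusted-keys|managed-keys)\s*\{(.*?)\};", re.S)


def find_trust_anchors(conf):
    """Return [(block, owner, flags, key_tag)] for every configured anchor."""
    anchors = []
    for block, body in BLOCK_RE.findall(conf):
        for m in ANCHOR_RE.finditer(body):
            tag = dnskey_key_tag(int(m.group("flags")), int(m.group("proto")),
                                 int(m.group("alg")), m.group("key"))
            anchors.append((block, m.group("name"), int(m.group("flags")), tag))
    return anchors


def audit(conf):
    """Flag root trust anchors that will not track an RFC 5011 KSK rollover."""
    findings = []
    anchors = find_trust_anchors(conf)
    for block, owner, flags, tag in anchors:
        if owner == "." and block == "trusted-keys":
            findings.append(
                f"static root anchor (key tag {tag}) in trusted-keys: "
                "will NOT follow an RFC 5011 KSK rollover; move it to managed-keys"
            )
    # With dnssec-validation yes and no root anchor at all, nothing validates;
    # dnssec-validation auto uses BIND's built-in, RFC 5011-tracked root anchor.
    if (not any(owner == "." for _, owner, _, _ in anchors)
            and not re.search(r"dnssec-validation\s+auto\s*;", conf)):
        findings.append("no root trust anchor configured and dnssec-validation is not 'auto'")
    return findings


if __name__ == "__main__":
    for label, conf in (("2008-style", OLD_STYLE_CONF), ("2018-style", NEW_STYLE_CONF)):
        print(label, find_trust_anchors(conf), audit(conf) or "ok")
```

Run against a real named.conf (or bind.keys), the key tag lets you tell which root KSK an anchor actually is: KSK-2010 has tag 19036 and KSK-2017 has tag 20326. Note that the audit only reads the configuration; whether a running BIND has already learned the new key through RFC 5011 is recorded in its managed-keys journal, not in named.conf.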