Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-13.txt

Ólafur Guðmundsson <olafur@cloudflare.com> Wed, 18 July 2018 13:11 UTC


Hi,
I read this document over with fresh eyes and tried to ignore any history.

Summary: Publication considered harmful

Reasons: This document calls itself "Security Considerations", but in
reality all it is covering is "Publication considerations by Authority".
The document does not cover at all the consumption of RFC5011 events by
resolvers, which IMHO are the more important part of the protocol.

     Olafur


On Mon, Jul 16, 2018 at 8:49 AM, <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Domain Name System Operations WG of the
> IETF.
>
>         Title           : Security Considerations for RFC5011 Publishers
>         Authors         : Wes Hardaker
>                           Warren Kumari
>         Filename        : draft-ietf-dnsop-rfc5011-security-considerations-13.txt
>         Pages           : 20
>         Date            : 2018-07-16
>
> Abstract:
>    This document extends the RFC5011 rollover strategy with timing
>    advice that must be followed by the publisher in order to maintain
>    security.  Specifically, this document describes the math behind the
>    minimum time-length that a DNS zone publisher must wait before
>    signing exclusively with recently added DNSKEYs.  This document also
>    describes the minimum time-length that a DNS zone publisher must wait
>    after publishing a revoked DNSKEY before assuming that all active
>    RFC5011 resolvers should have seen the revocation-marked key and
>    removed it from their list of trust anchors.
>
>    This document contains much math and complicated equations, but the
>    summary is that the key rollover / revocation time is much longer
>    than intuition would suggest.  This document updates RFC7583 by
>    adding additional delays (sigExpirationTime and
>    timingSafetyMargin).
>
>    If you are not both publishing a DNSSEC DNSKEY, and using RFC5011 to
>    advertise this DNSKEY as a new Secure Entry Point key for use as a
>    trust anchor, you probably don't need to read this document.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5011-security-considerations/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-rfc5011-security-considerations-13
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc5011-security-considerations-13
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-rfc5011-security-considerations-13
>
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>



-- 
Ólafur Gudmundsson | Engineering Director
www.cloudflare.com blog.cloudflare.com