Re: [DNSOP] KSK rollover
"George Barwood" <george.barwood@blueyonder.co.uk> Thu, 13 May 2010 16:37 UTC
Return-Path: <george.barwood@blueyonder.co.uk>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5DC8D3A6877 for <dnsop@core3.amsl.com>; Thu, 13 May 2010 09:37:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.652
X-Spam-Level: ****
X-Spam-Status: No, score=4.652 tagged_above=-999 required=5 tests=[AWL=1.457, BAYES_50=0.001, HELO_EQ_BLUEYON=1.4, MIME_BASE64_BLANKS=0.041, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xUTd2883xGCD for <dnsop@core3.amsl.com>; Thu, 13 May 2010 09:37:56 -0700 (PDT)
Received: from smtp-out4.blueyonder.co.uk (smtp-out4.blueyonder.co.uk [195.188.213.7]) by core3.amsl.com (Postfix) with ESMTP id 67A803A691A for <dnsop@ietf.org>; Thu, 13 May 2010 09:37:55 -0700 (PDT)
Received: from [172.23.170.141] (helo=anti-virus02-08) by smtp-out4.blueyonder.co.uk with smtp (Exim 4.52) id 1OCbPs-0001gz-Je; Thu, 13 May 2010 17:37:44 +0100
Received: from [92.238.99.235] (helo=GeorgeLaptop) by asmtp-out4.blueyonder.co.uk with esmtpa (Exim 4.52) id 1OCbPr-0002hk-DE; Thu, 13 May 2010 17:37:43 +0100
Message-ID: <44C21CD9EE514B039EAFEAFA707A2DA1@local>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Patrik Wallstrom <pawal@blipp.com>
References: <A865F793EED745D2B5F15A33F9467EEA@local> <A8C3C484-690B-49BB-91BC-33C339A29025@blipp.com>
Date: Thu, 13 May 2010 17:37:42 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5931
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] KSK rollover
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2010 16:37:57 -0000
----- Original Message ----- From: "Patrik Wallstrom" <pawal@blipp.com> To: "George Barwood" <george.barwood@blueyonder.co.uk> Cc: <dnsop@ietf.org> Sent: Thursday, May 13, 2010 9:06 AM Subject: Re: [DNSOP] KSK rollover >On May 13, 2010, at 9:56 AM, George Barwood wrote: >> I have been thinking about KSK rollover in my DNSSEC implementation, and it seems > that there is currently no specification for KSK rollover within the DNSSEC protocol. >> >> There is this expired requirements draft >> >> http://tools.ietf.org/wg/dnsop/draft-ietf-dnsop-key-rollover-requirements/ >> >> but that's all I found. >> >> Have I missed something? It seems to me that this is a rather vital component if >> DNSSEC is to be widely deployed. >> >> Are there any plans to revive and/or implement these requirements? > You probably want to read the Key Timing Considerations draft: > http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-02 That is certainly relevant to rollover, but it doesn't specify any means by which the new DS records can be placed in the parent zone. http://tools.ietf.org/html/rfc5011 "Automated Updates of DNS Security (DNSSEC) Trust Anchors" has some relevance, but doesn't provide for parent notification, or for publishing a DS record *before* the key is published in the zone, which is I think desirable. The mechanism that occurs to me is to have a new RRtype, say "CDS", with identical format to the DS record, but placed in the child zone ( and signed by the child zone). The parent, at regular intervals, or on receiving a notification from the child, would retrieve the contents of the CDS RRset, and use it as the new DS RRset ( of course after validating it using the old DS RRset ). There probably needs to be consideration of how the system can recover after a KSK is compromised, maybe there should be some minimum time interval before a new DS record is fully trusted. I have not thought that through. Well, that's just my immediate thoughts, there may be a better way. I'm somewhat puzzled that thre is no specification, and apparently no activity on this. KSK rollover is probably a fairly rare event (maybe once every few years), so possibly the feeling is that manual procedures will be sufficient. I think a standardized, automated in-protocol mechanism would be advisable though. Maybe I'm wrong. Best regards, George
- [DNSOP] KSK rollover George Barwood
- Re: [DNSOP] KSK rollover Patrik Wallstrom
- Re: [DNSOP] KSK rollover George Barwood
- Re: [DNSOP] KSK rollover Evan Hunt
- Re: [DNSOP] KSK rollover Edward Lewis
- Re: [DNSOP] KSK rollover Mark Andrews
- Re: [DNSOP] KSK rollover Joe Abley
- Re: [DNSOP] KSK rollover Joe Abley
- Re: [DNSOP] KSK rollover Mark Andrews
- Re: [DNSOP] KSK rollover Joe Abley
- Re: [DNSOP] KSK rollover Mark Andrews
- Re: [DNSOP] KSK rollover George Barwood
- Re: [DNSOP] KSK rollover Chris Thompson
- Re: [DNSOP] KSK rollover George Barwood