Re: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors

Edward Lewis <> Wed, 08 November 2017 18:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0ABE1129527 for <>; Wed, 8 Nov 2017 10:17:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id p5NHU3aNf9gF for <>; Wed, 8 Nov 2017 10:17:25 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0137C12950A for <>; Wed, 8 Nov 2017 10:17:23 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Wed, 8 Nov 2017 10:17:20 -0800
Received: from ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1178.000; Wed, 8 Nov 2017 10:17:20 -0800
From: Edward Lewis <>
To: Petr Špaček <>, Paul Hoffman <>, "" <>
Thread-Topic: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors
Thread-Index: AQHTVumQ9Sx/szK9UESN2BoiNrPbqKMH/JGAgAALagCAA0vtAA==
Date: Wed, 08 Nov 2017 18:17:20 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
user-agent: Microsoft-MacOutlook/f.27.0.171010
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3592991838_1037652375"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Nov 2017 18:17:28 -0000

On 11/6/17, 10:57, "DNSOP on behalf of Petr Špaček" < on behalf of> wrote:

>I did my best to explain my reasoning, let me know if you can see some holes in the reasoning.

Coming from my assumption that "use any chain" is the best way to go, I tried to figure out why you are coming to a different conclusion.

There are two "holes" I see.  One is that DNSSEC's design is centered on preventing a receiver from accepting forged data.  Two is that the design of DNSSEC has to take into account the limitations of the base (DNS) protocol.

>From the point of view of a validator (operator), it is your choice to decide what to trust, or not.  You may decide that a certain signed zone is critical to your operations, so you get the DNSKEY with the SEP bit set and pin it as trusted.  How do you know whether the zone manages its keys in accordance with Automated Updates of DNSSEC Trust Anchors?  How do you know when to update the trust anchor, especially if the zone is not running in accord with Automated Updates?

The DNS protocol doesn't let you know.  You could find this via out-of-band channels, like via something at a URL (listing the secure entry points), via direct communication with the zone operators.

The protocol (DNS) lacks per-zone signaling.  For that reason, the assumptions of how DNSSEC is set up assumes a unified one-protocol set up.  E.g., even in the early days, .COM was an unusual case and we were tempted to define DNSSEC to act differently for it or other large delegated zones.  It took a while to get "opt-out" into the protocol in a way anyone could make use of it, which was a central issue.  (The history of that is murkier than I may be presenting.)

We even tried to have different key "strengths."  That failed to materialize as we realized the weakest link is still the weakest link.

Trying to differentiate zones by "criticality" begins walking a thread of deciding "what is critical" and how does one decide that?  (There are TLD operators who told me "it's okay, we think of this TLD as experimental."  To me a TLD would be critical, but that view is apparently not universally shared.)  How would a validator determine, objectively, whether a zone is critical to the validator's audience?  Once it did determine, how would it know what the security policy was of the zone (does it honor the add hold-down time, etc., does it even separate the KSK from the ZSK, would it switch to a CSK, and so on).

I could see a knob for a validator operator to select zones for pinning the trust anchors, for selecting them for STD 69 (Automated Update) treatment.  I can't see though having a restrictive policy (if trust anchor, no DS - so to speak) be the default as that would be the unusual case (having a trust anchor).

DNSSEC never assumed that the whole tree would be signed.  That is why trust anchors were invented.  DNSSEC, at first, even tried to allow an arbitrary policy of "who can sign what."  (That is why there's "Domain Name System Security Extensions" from March 1999 and then "Domain Name System Security (DNSSEC) Signing Authority' from November 2000.  That's RFC 2535 and 3008 for those that speak RFC numbers.  DNSSEC didn't adopt the on-tree signing authority until we exhausted attempts at something more liberal.)  The problem with arbitrary policies is that, first, you must be able to write them down.

This is why the guidance in "Protocol Modifications for the DNS Security Extensions" leads to "any" chain. "Clarifications and Implementation Notes for DNS Security (DNSSEC)" opens the possibility that knobs can be included, which is the prerogative of the implementer to build and the operator to use (local policy).  I see these two documents as compatible.

The bottom line is that one can choose to abide by a rule of "if a trust anchor is there, ignore other chains" but recall that the choice is made by the validator operator, not the zone administrator, as the validator operator is also responsible for keeping the trust anchors current and accurate, it is their own failure if that is not the case, and they exclusively have the ability to fix a conflict.

The bottom line is that the zone administrator doesn't get a say - it's all up to the validator operators.