IETF Logo Mail Archive

Re: [DNSOP] [Ext] About key tags

Shumon Huque <shuque@gmail.com> Tue, 05 March 2024 02:06 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12906C180B72 for <dnsop@ietfa.amsl.com>; Mon, 4 Mar 2024 18:06:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1HDtcOka7lIc for <dnsop@ietfa.amsl.com>; Mon, 4 Mar 2024 18:06:37 -0800 (PST)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEA6BC1519A9 for <dnsop@ietf.org>; Mon, 4 Mar 2024 18:06:37 -0800 (PST)
Received: by mail-io1-xd34.google.com with SMTP id ca18e2360f4ac-7c403dbf3adso360553039f.1 for <dnsop@ietf.org>; Mon, 04 Mar 2024 18:06:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1709604397; x=1710209197; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=nKeUJR06RUvTeBPvNO+jEAZlmRxyvkRTCpEcySMkO78=; b=Ey3t/9j5gR3Hd3Vjf5llpZWRQkBCAKmU81mL2Q2mnjY5/ay6J4U7AcjlG6PvCRzIkn 4dR3Gg8qocVixQTZQY9zTq6Vv3z7JG/oWIyY24MitlTL3ctqRg+fhiOEOKiDf/FRgONP Fc0pHIwoYPfhAJkzI86h7W1YbbI4IZZOUJKDVq6QO5+uqwowgJeaSSZ95X2C+WVCCkT9 2svV6+ZzWWhUNDCf2uCdl/k4u3PTvdz4D3ke8mRQHl57j5ttwNugSj0RujS4HAqdK2ee ZU2h1e40bVLlTbAbPhQ83UzD+Ca8YKcrMHKOtBEIcpwfmgg7RIm41fIvwHv0LU4jcD1E wLAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709604397; x=1710209197; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=nKeUJR06RUvTeBPvNO+jEAZlmRxyvkRTCpEcySMkO78=; b=LvtqTMZewGwmMovsd5EVR7Gtv8tj+lIG1j1FMS/kEnk3ULxRpeCsU7aZNfxY0yeMkP OwfN1t2lq5aSibtiiH1D8d3lS1d5IBzXXsbV+vJ8QdboCvePSBHKBSHWbFYXznM8YIjy gRQtbnX2nxrPd9Jp7EqDs3YP+0hEDg+RR6TSdL7gW4r53QI+W+wGKQR7fzslxJTcq56a QD2+K2Klo2Pk56z3D3ivwrBWytZtTb4T+ExoWeuM/97k6SPKv4fCmHQJ5k8KRCbwzkC/ TdZL9M4tiyc6WAxRYpDmmTFVZUevvsOQDPHu+VxVp3JsQdiDJB7zjf1A+8Ey7YRuf98T tKVA==
X-Gm-Message-State: AOJu0Yy9iDa3DHyDLDAEHVGIZcHgxv4OZGYAoIqVsie/2Z3zapdicBCp LujChWEAz0ONskaI8uPkaNXZu0ay3qy23zhV7F+95exvUcyJ5SGsK4F0W2AFtOF5TXGe4vGXlBR mkj7d3JsvTBuYar7S0W/T2rFCWvM=
X-Google-Smtp-Source: AGHT+IF46bIAPLkOqDoBHSYceOHTs7JTdw6HdrffiZ9QiCqlMS4JDZ/A1nAcohcUtR3k2C0OhjfApADmGEa4VVQslEI=
X-Received: by 2002:a05:6602:460b:b0:7c8:4342:7867 with SMTP id do11-20020a056602460b00b007c843427867mr7596262iob.13.1709604396920; Mon, 04 Mar 2024 18:06:36 -0800 (PST)
MIME-Version: 1.0
References: <BBA3FCAF-C5AA-40B0-A1E7-6773330A8E30@fl1ger.de> <FB36282B-5C87-4ED0-8669-D0438666F08D@strandkip.nl> <CANLjSvUi31srBhcUP513egeiKHGfMRyyRZrqYwLHug_n_i=K2A@mail.gmail.com> <D36D404C-C495-4838-BECA-417801327282@icann.org> <m1rg5V1-0000M5C@stereo.hq.phicoh.net> <5B66188E-0615-45C4-BAD3-F546F7F88254@icann.org> <m1rg7sM-0000LXC@stereo.hq.phicoh.net> <fbdb9145-4f98-469d-a8cb-b0a5dedd0ca2@desec.io> <m1rh3gl-0000KqC@stereo.hq.phicoh.net>
In-Reply-To: <m1rh3gl-0000KqC@stereo.hq.phicoh.net>
From: Shumon Huque <shuque@gmail.com>
Date: Mon, 04 Mar 2024 21:06:25 -0500
Message-ID: <CAHPuVdWQOJs0K8w1SfJ2hNf=C+POeFg7TG8YcWbQx9NR5yRurQ@mail.gmail.com>
To: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
Cc: dnsop@ietf.org, Peter Thomassen <peter@desec.io>
Content-Type: multipart/alternative; boundary="000000000000c8f6d70612e04a35"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/W8S0d21Ay5TXCquzF0OwTwG7yzs>
Subject: Re: [DNSOP] [Ext] About key tags
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 02:06:42 -0000

On Mon, Mar 4, 2024 at 3:29 AM Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
wrote:

>
> What I mean is that if we take all of the standards track DNSSEC RFCs and
> we
> add a new RFC that says something to the effect:
> 1) A signer MUST NOT sign a DS or DNSKEY RRset if the set has duplicate key
>    tags.
> 2) An authoritative DNS server MUST not serve a set of RRSIG records that
>    corresponds to a single RRset where the collection of RRSIG records has
> a
>    duplicate key tag.
>
> then as far as I can tell, there is no conflict with currently published
> standards track DNSSEC RFCs.
>
> In addition for most signers and authoritative servers it will be easy to
> meet
> those requirements and many signers are already in line with those
> requirements.
>
> The only thing that prevents us from publishing such an update is an
> informational RFC about multi-signers (or other practices that are not
> documented or standardized within the IETF).


Note that RFC 8901 is an IETF consensus document that was produced in the
DNS Operations working group. So, we can't just dismiss it and propose
protocol changes without considering effects on that (and other documents).
As I also noted earlier, its status will likely be upgraded when we revise
it.

Furthermore, it is not as some have previously tried to characterize it, a
niche
configuration that only a few large enterprises will use. Multi-signer is a
key
enabler of non-disruptive transfers of signed zones across distinct
providers.
There is a currently adopted working group document (intended category:
Standards Track) that is laying out the details of that process:

    https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-automation/

Here's a presentation from Christian Elmerot, of a real world example of
a recent successful multi-signer transition (.GOV from Verisign to
Cloudflare):

https://indico.dns-oarc.net/event/48/contributions/1038/attachments/1005/1948/gov-transition-nsec-nsec3.pdf

Some (single) organizations are also looking at multi-signer techniques
for deployments across distinct HSM vendors.

Separately from multi-signer, I agree with John Levine's comments about
not breaking existing configurations that are deployed in the field.

Shumon.

v2.23.0 | Report a Bug | By Email