IETF Logo Mail Archive

Re: [DNSOP] [dnsext] Why ZSK rollover is a Bad Idea (tm)

Roy Arends <roy@dnss.ec> Wed, 07 October 2009 14:20 UTC

Return-Path: <roy@dnss.ec>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B9FA83A6868 for <dnsop@core3.amsl.com>; Wed, 7 Oct 2009 07:20:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.745
X-Spam-Level:
X-Spam-Status: No, score=-1.745 tagged_above=-999 required=5 tests=[AWL=0.504, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yix-Ye2PyOHU for <dnsop@core3.amsl.com>; Wed, 7 Oct 2009 07:20:30 -0700 (PDT)
Received: from mail.schlyter.se (trinitario.schlyter.se [195.47.254.10]) by core3.amsl.com (Postfix) with ESMTP id CE2493A659C for <dnsop@ietf.org>; Wed, 7 Oct 2009 07:20:29 -0700 (PDT)
Received: from a82-94-105-54.adsl.xs4all.nl (a82-94-105-54.adsl.xs4all.nl [82.94.105.54]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: roy) by mail.schlyter.se (Postfix) with ESMTPSA id 6AED82D499; Wed, 7 Oct 2009 16:22:01 +0200 (MEST)
From: Roy Arends <roy@dnss.ec>
To: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <712BBDEE-25FF-4E2E-A9E5-49E49162D41D@hopcount.ca>
References: <1C586E51-D77C-406C-9B89-47276A9B41B2@ICSI.Berkeley.EDU> <p06240812c6f160ac1fb2@10.20.30.158> <d3aa5d00910061408y191bf863p48a6ec703553b67e@mail.gmail.com> <FB20C78E-3A72-409C-8406-2B8A00923783@NLnetLabs.nl> <712BBDEE-25FF-4E2E-A9E5-49E49162D41D@hopcount.ca>
Message-Id: <005603A4-31C0-49E0-894F-3FAEB38D7D92@dnss.ec>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Wed, 07 Oct 2009 16:21:58 +0200
X-Mailer: Apple Mail (2.936)
Cc: Eric Rescorla <ekr@rtfm.com>, Nicholas Weaver <nweaver@icsi.berkeley.edu>, dnsop WG <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] [dnsext] Why ZSK rollover is a Bad Idea (tm)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2009 14:20:30 -0000

On Oct 7, 2009, at 3:22 PM, Joe Abley wrote:
>
> On 2009-10-07, at 09:23, Olaf Kolkman wrote:
>
>> On Oct 6, 2009, at 10:08 PM, Eric Rescorla wrote:
>>
>>> I don't have a general position on ZSKs--perhaps it's a good idea  
>>> for
>>> some other reason--but I don't
>>> think that rolling the keys over at high rates provides any
>>> significant security benefit, no matter
>>> where in the hierarchy you're doing it.
>>
>> Really this is an DNSOP issues, more specifically an issue for  
>> RFC4641bis.
>>
>> [I've added dnsop, please remove namedroppers when replying to this  
>> note]
>>
>> RFC4641 argues for frequent ZSK rollovers, the argument therein is
>> based on operational arguments that are (implicitly) based on  
>> operator
>> acces to private keys and/or the timeline in which changes in which
>> the (zone) operator may need to be replaced.
>
> I skimmed through 4641 to try and refresh my memory, but couldn't  
> find the discussion on ZSK rollover frequency. No doubt this is my  
> deficiency.
>
> From my perspective the operational argument is that procedures  
> which are rarely exercised may not be exercised well when they are  
> needed (a backup that is not regularly tested cannot really be  
> relied upon; a protect path that is never used might not work when  
> it is needed, etc).
>
> Frequent key rollover has the operational benefit of when you need  
> to do an emergency roll you know the procedures work.
>
> From this perspective we might roll a ZSK more frequently than a KSK  
> because the ZSK needs to be stored on-line to facilitate re-signing  
> when the zone changes. With the KSK we have the option of keeping it  
> off-line, and arguably the risk of compromise is consequently lower.  
> Regular testing of the machinery is still important, however.
>
> I am no crypto expert, but ekr's concern over the cryptographic  
> benefits of frequent key roll seemed entirely reasonable.
>
> I think the operational benefit is real, however.

I find it worrying that folks intend to test or practice operational  
procedures by doing it often on a live production system. What if that  
test or practice fails? "Whoops, we were testing it on the live  
system, we failed, good thing we called it a test"

There is also a risk involved by rolling keys over regularly.  
Especially when the schedule is publicly announced. "If your attack  
fails, we will have write access to the keystore _every month_, on the  
1st, at exactly 3 am cest".

I fail to see the operational benefit of "Frequent Rollover Syndrome".

Roy

v2.45.0 | Report a Bug | By Email | System Status