Re: [DNSOP] Emergency KSK Rollover for locally secure zones.
"Rose, Scott" <scott.rose@nist.gov> Thu, 03 August 2017 16:18 UTC
Return-Path: <scott.rose@nist.gov>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64D781320BB for <dnsop@ietfa.amsl.com>; Thu, 3 Aug 2017 09:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LTDq77BFYBFS for <dnsop@ietfa.amsl.com>; Thu, 3 Aug 2017 09:18:25 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [IPv6:2610:20:6005:13::151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F3311320AC for <dnsop@ietf.org>; Thu, 3 Aug 2017 09:18:25 -0700 (PDT)
Received: from WSGHUB1.xchange.nist.gov (129.6.42.34) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.3.361.1; Thu, 3 Aug 2017 12:18:15 -0400
Received: from postmark.nist.gov (129.6.16.94) by mail-g.nist.gov (129.6.42.33) with Microsoft SMTP Server id 14.3.361.1; Thu, 3 Aug 2017 12:18:22 -0400
Received: from [129.6.140.7] (7-140.antd.nist.gov [129.6.140.7]) by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id v73GHw0I017110; Thu, 3 Aug 2017 12:17:58 -0400
From: "Rose, Scott" <scott.rose@nist.gov>
To: Aanchal Malhotra <aanchal4@bu.edu>
CC: dnsop@ietf.org
Date: Thu, 03 Aug 2017 12:17:58 -0400
Message-ID: <EE9ABA7D-BDB6-40FE-92B8-BC6335FF1898@nist.gov>
In-Reply-To: <CAMbs7ks-ZZ-tFpnNkgNx779ct0ns24d+pzKbzQhKuAxVnMUwrA@mail.gmail.com>
References: <CAMbs7ks-ZZ-tFpnNkgNx779ct0ns24d+pzKbzQhKuAxVnMUwrA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_B8FFCD02-A361-4B6B-B39C-DCA3239A5172_="
Content-Transfer-Encoding: 8bit
Embedded-HTML: [{"HTML":[1209, 2102], "plain":[888, 1505], "uuid":"1A686D2C-D7D0-4A56-BD46-B04344F5C7AA"}]
X-Mailer: MailMate (1.9.6r5347)
X-NIST-MailScanner-Information:
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XtvGgnPxX7e4IqcMjzAikBSKob4>
Subject: Re: [DNSOP] Emergency KSK Rollover for locally secure zones.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 16:18:28 -0000
Hi, (800-81 author here) That needs to be updated as it was from the earlier revision of 800-81. It really should stress the use of RFC 5011 automated trust anchor update process. The first version of the doc assumed RFC 5011 was not available in the majority of implementations, which is not the case now. I’d probably update that to recommend (and stress) to always use the RFC 5011 rollover process. As for emergency rollovers, some admins do worry about it and plan for it by having a pre-published KSK in the DNSKEY RRset at all times (not just during an actual rollover process). RFC 5011 can be used there too (see the “Scenarios” section in RFC 5011). There isn’t a single doc that focuses on KSK rollovers, but it is discussed in the BCP docs like RFC 6781 and other implementation-specific documents. Scott On 3 Aug 2017, at 11:50, Aanchal Malhotra wrote: > Dear all, > > May be this has been discussed long ago on the list or elsewhere. > Please > guide me to proper pointers, if any. > > Section 11.2.1 in [1] > <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf> > states the following for KSK rollover for *locally secure zones*: > > "*In rolling over the KSK, the secure zone may not know which > resolvers > have stored the public key as a trust anchor. If the network > administrator > has an out-of-band method of contacting resolver administrators that > have > stored the public key as a trust anchor (such as e-mail), the network > administrator should send out appropriate warnings and set up a > trusted > means of disseminating the new trust anchor. Otherwise, the DNS > administrator can do nothing except pre-publish the new KSK with ample > time > to give resolver administrators enough time to learn the new KSK.*" > > I have the following questions: > > a) This might work in case of an active KSK rollover. However in case > of > KSK compromise, which would require an emergency KSK rollover, what > does > the network administrator do in the '*Otherwise*' situation from the > above > quote? > > b) I am just curious to know if this is even an issue or do network > administrators care about it? And if it is, Is there any RFC or > relevant > doc or mailing list that discusses this problem/solutions, etc.? > > References: > [1] > http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf > > Thanks, > Aanchal Malhotra. > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop =================================== Scott Rose NIST ITL scott.rose@nist.gov +1-301-975-8439 GV: +1-571-249-3671 ===================================
- Re: [DNSOP] Emergency KSK Rollover for locally se… Aanchal Malhotra
- Re: [DNSOP] Emergency KSK Rollover for locally se… Rose, Scott
- Re: [DNSOP] Emergency KSK Rollover for locally se… Wessels, Duane
- Re: [DNSOP] Emergency KSK Rollover for locally se… Aanchal Malhotra
- Re: [DNSOP] Emergency KSK Rollover for locally se… Warren Kumari
- Re: [DNSOP] Emergency KSK Rollover for locally se… Aanchal Malhotra
- Re: [DNSOP] Emergency KSK Rollover for locally se… Wessels, Duane
- Re: [DNSOP] Emergency KSK Rollover for locally se… Aanchal Malhotra
- Re: [DNSOP] Emergency KSK Rollover for locally se… Michael StJohns
- Re: [DNSOP] Emergency KSK Rollover for locally se… Aanchal Malhotra
- Re: [DNSOP] Emergency KSK Rollover for locally se… Michael StJohns
- Re: [DNSOP] Emergency KSK Rollover for locally se… Aanchal Malhotra
- Re: [DNSOP] Emergency KSK Rollover for locally se… Tony Finch
- Re: [DNSOP] Emergency KSK Rollover for locally se… Warren Kumari
- Re: [DNSOP] Emergency KSK Rollover for locally se… Aanchal Malhotra