Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

"Rose, Scott" <scott.rose@nist.gov> Thu, 03 August 2017 16:18 UTC

Return-Path: <scott.rose@nist.gov>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64D781320BB for <dnsop@ietfa.amsl.com>; Thu, 3 Aug 2017 09:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LTDq77BFYBFS for <dnsop@ietfa.amsl.com>; Thu, 3 Aug 2017 09:18:25 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [IPv6:2610:20:6005:13::151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F3311320AC for <dnsop@ietf.org>; Thu, 3 Aug 2017 09:18:25 -0700 (PDT)
Received: from WSGHUB1.xchange.nist.gov (129.6.42.34) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.3.361.1; Thu, 3 Aug 2017 12:18:15 -0400
Received: from postmark.nist.gov (129.6.16.94) by mail-g.nist.gov (129.6.42.33) with Microsoft SMTP Server id 14.3.361.1; Thu, 3 Aug 2017 12:18:22 -0400
Received: from [129.6.140.7] (7-140.antd.nist.gov [129.6.140.7]) by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id v73GHw0I017110; Thu, 3 Aug 2017 12:17:58 -0400
From: "Rose, Scott" <scott.rose@nist.gov>
To: Aanchal Malhotra <aanchal4@bu.edu>
CC: <dnsop@ietf.org>
Date: Thu, 3 Aug 2017 12:17:58 -0400
Message-ID: <EE9ABA7D-BDB6-40FE-92B8-BC6335FF1898@nist.gov>
In-Reply-To: <CAMbs7ks-ZZ-tFpnNkgNx779ct0ns24d+pzKbzQhKuAxVnMUwrA@mail.gmail.com>
References: <CAMbs7ks-ZZ-tFpnNkgNx779ct0ns24d+pzKbzQhKuAxVnMUwrA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_B8FFCD02-A361-4B6B-B39C-DCA3239A5172_="
Content-Transfer-Encoding: 8bit
Embedded-HTML: [{"HTML":[1209, 2102], "plain":[888, 1505], "uuid":"1A686D2C-D7D0-4A56-BD46-B04344F5C7AA"}]
X-Mailer: MailMate (1.9.6r5347)
X-NIST-MailScanner-Information:
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XtvGgnPxX7e4IqcMjzAikBSKob4>
Subject: Re: [DNSOP] Emergency KSK Rollover for locally secure zones.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 16:18:28 -0000

Hi,

(800-81 author here)

That needs to be updated as it was from the earlier revision of 800-81.  
It really should stress the use of RFC 5011 automated trust anchor 
update process.  The first version of the doc assumed RFC 5011 was not 
available in the majority of implementations, which is not the case now. 
  I’d probably update that to recommend (and stress) to always use the 
RFC 5011 rollover process.

As for emergency rollovers, some admins do worry about it and plan for 
it by having a pre-published KSK in the DNSKEY RRset at all times (not 
just during an actual rollover process).  RFC 5011 can be used there too 
(see the “Scenarios” section in RFC 5011). There isn’t a single 
doc that focuses on KSK rollovers, but it is discussed in the BCP docs 
like RFC 6781 and other implementation-specific documents.

Scott


On 3 Aug 2017, at 11:50, Aanchal Malhotra wrote:

> Dear all,
>
> May be this has been discussed long ago on the list or elsewhere. 
> Please
> guide me to proper pointers, if any.
>
> Section 11.2.1 in [1]
> <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf>
> states the following for KSK rollover for *locally secure zones*:
>
> "*In rolling over the KSK, the secure zone may not know which 
> resolvers
> have stored the public key as a trust anchor. If the network 
> administrator
> has an out-of-band method of contacting resolver administrators that 
> have
> stored the public key as a trust anchor (such as e-mail), the network
> administrator should send out appropriate warnings and set up a 
> trusted
> means of disseminating the new trust anchor. Otherwise, the DNS
> administrator can do nothing except pre-publish the new KSK with ample 
> time
> to give resolver administrators enough time to learn the new KSK.*"
>
> I have the following questions:
>
> a) This might work in case of an active KSK rollover. However in case 
> of
> KSK compromise, which would require an emergency KSK rollover, what 
> does
> the network administrator do in the '*Otherwise*' situation from the 
> above
> quote?
>
> b) I am just curious to know if this is even an issue or do network
> administrators care about it? And if it is, Is there any RFC or 
> relevant
> doc or mailing list that discusses this problem/solutions, etc.?
>
> References:
> [1]
> http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf
>
> Thanks,
> Aanchal Malhotra.


> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop


===================================
Scott Rose
NIST ITL
scott.rose@nist.gov
+1-301-975-8439
GV: +1-571-249-3671
===================================