Re: [DNSOP] Updated KSK Sentinel document

"Wessels, Duane" <dwessels@verisign.com> Tue, 13 February 2018 18:49 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Bob Harold <rharolde@umich.edu>
CC: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YLbwApI0aNbcXWlyOyzdNPO6dck>

> On Feb 13, 2018, at 9:10 AM, Bob Harold <rharolde@umich.edu> wrote:
> 
> If an entry could be put in the root zone, that is signed only with the new key, then could users query that and always get a yes/no answer to whether they will be affected?  

This doesn't work because when the new key is published in the zone (and signed by the old key, as it must be), then the new key becomes trusted by the validator.  Thus, there is still a valid chain-of-trust to those records for those with only the old TA.  

DW
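As an added example, not part of this thread: a small Python model of the validator rule Duane describes, using constructed key tags and a stand-in signature check (an RRSIG is represented only by the key tag that made it; no real cryptography). It shows that a record signed only by the new KSK still validates for a resolver holding only the old trust anchor as long as the DNSKEY RRset is signed by the old key, and only stops validating once the old key no longer signs.

```python
from dataclasses import dataclass

# Constructed key tags for this example, not the real root KSK tags.
OLD_KSK = 11111
NEW_KSK = 22222


@dataclass(frozen=True)
class RootZoneState:
    """Snapshot of the root zone's DNSSEC state, reduced to key tags.
    A 'signature' is just the key tag of the key that produced it."""
    dnskeys: frozenset        # key tags present in the DNSKEY RRset
    dnskey_sigs: frozenset    # key tags of RRSIGs covering the DNSKEY RRset
    sentinel_sigs: frozenset  # key tags of RRSIGs covering the proposed record


def trusted_zone_keys(zone, trust_anchors):
    """RFC 4035 rule: the DNSKEY RRset is secure if some RRSIG over it was
    made by a key that is both a configured trust anchor and present in the
    RRset.  Once secure, every key in the RRset may validate zone data."""
    for tag in zone.dnskey_sigs:
        if tag in trust_anchors and tag in zone.dnskeys:
            return set(zone.dnskeys)
    return set()


def sentinel_validates(zone, trust_anchors):
    """Does the proposed record validate for a resolver with these anchors?"""
    usable = trusted_zone_keys(zone, trust_anchors)
    return any(tag in usable for tag in zone.sentinel_sigs)


# New KSK published in the DNSKEY RRset, RRset still signed by the old KSK,
# proposed record signed only by the new KSK (the situation in the reply).
NEW_KEY_PUBLISHED = RootZoneState(
    dnskeys=frozenset({OLD_KSK, NEW_KSK}),
    dnskey_sigs=frozenset({OLD_KSK}),
    sentinel_sigs=frozenset({NEW_KSK}),
)

# After the rollover completes: the old KSK is gone and only the new KSK signs.
ROLLOVER_COMPLETE = RootZoneState(
    dnskeys=frozenset({NEW_KSK}),
    dnskey_sigs=frozenset({NEW_KSK}),
    sentinel_sigs=frozenset({NEW_KSK}),
)
```

With only the old anchor, `sentinel_validates(NEW_KEY_PUBLISHED, {OLD_KSK})` is True because the old key vouches for the whole DNSKEY RRset, new key included; `sentinel_validates(ROLLOVER_COMPLETE, {OLD_KSK})` is False, which is the failure the sentinel mechanism is meant to predict before it happens.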