IETF Logo Mail Archive

Re: [DNSOP] [Ext] About key tags

Philip Homburg <pch-dnsop-5@u-1.phicoh.com> Tue, 05 March 2024 09:52 UTC

Return-Path: <pch-b538D2F77@u-1.phicoh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CC29C14F681 for <dnsop@ietfa.amsl.com>; Tue, 5 Mar 2024 01:52:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 59x_t0FUGHdb for <dnsop@ietfa.amsl.com>; Tue, 5 Mar 2024 01:52:12 -0800 (PST)
Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [IPv6:2a10:3781:2413:1:2a0:c9ff:fe9f:17a9]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB216C14F680 for <dnsop@ietf.org>; Tue, 5 Mar 2024 01:52:09 -0800 (PST)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305) (Smail #158) id m1rhRSw-0000LzC; Tue, 5 Mar 2024 10:52:06 +0100
Message-Id: <m1rhRSw-0000LzC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
From: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
Sender: pch-b538D2F77@u-1.phicoh.com
References: <BBA3FCAF-C5AA-40B0-A1E7-6773330A8E30@fl1ger.de> <FB36282B-5C87-4ED0-8669-D0438666F08D@strandkip.nl> <CANLjSvUi31srBhcUP513egeiKHGfMRyyRZrqYwLHug_n_i=K2A@mail.gmail.com> <D36D404C-C495-4838-BECA-417801327282@icann.org> <m1rg5V1-0000M5C@stereo.hq.phicoh.net> <5B66188E-0615-45C4-BAD3-F546F7F88254@icann.org> <m1rg7sM-0000LXC@stereo.hq.phicoh.net> <fbdb9145-4f98-469d-a8cb-b0a5dedd0ca2@desec.io> <m1rh3gl-0000KqC@stereo.hq.phicoh.net> <CAHPuVdWQOJs0K8w1SfJ2hNf=C+POeFg7TG8YcWbQx9NR5yRurQ@mail.gmail.com>
In-reply-to: Your message of "Mon, 4 Mar 2024 21:06:25 -0500 ." <CAHPuVdWQOJs0K8w1SfJ2hNf=C+POeFg7TG8YcWbQx9NR5yRurQ@mail.gmail.com>
Date: Tue, 05 Mar 2024 10:52:05 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Z0qcdaXgcpoFN8rGqj5VRtOmBLQ>
Subject: Re: [DNSOP] [Ext] About key tags
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 09:52:14 -0000

>Note that RFC 8901 is an IETF consensus document that was produced in the
>DNS Operations working group. So, we can't just dismiss it and propose
>protocol changes without considering effects on that (and other documents).
>As I also noted earlier, its status will likely be upgraded when we revise
>it.

Under the assumption that adding a constraint for unique key tags for the
DNSSEC standard protocols is relatively easy (from a protocol point
of view, getting changes deployed is always a lot harder), we can
take a look at RFC 8901. As you say it likely needs a revision anyhow.

So, for example Section 6.1 of RFC 8901.

For a KSK rollover, the zone owner would generate a new KSK. The zone owner
also signs the DNSKEY RRset. So this is essentially the same as what any
other signer would have to do. No real changes are required except making
sure to select a new KSK with a key tag that does not conflict with
keys already in the DNSKEY RRset.

Then for a ZSK rollover. Each provider has independent signing keys, so a
provider would have to select a new signing key that does not conflict
with current keys in the DNSKEY RRset. Again, this is what any signer would
do in the new model.

Then the provider would submit the new key to the zone owner for inclusion
in the DNSKEY RRset. At this point, if two providers would want to update
their keys at the same time and happen to have new keys with conflicting
key tags, we would have a problem.

However, this can only happen if two ZSK rollovers would happen at the same
time. Which is something that can be consideren bad operational practice
and is certainly not suggested as something to do in Section 6.1. Furthermore,
Section 6.1 is explicit about the coordination between providers and the
zone owner when it comes to a ZSK rollover. So it is easy for a zone owner
to prevent two ZSK rollovers at the same time.

I have to admit, model 2 would be a bit more complex. But not fundamentally
impossible.

v2.23.0 | Report a Bug | By Email