Re: [DNSOP] [dnsext] Why ZSK rollover is a Bad Idea (tm)
Olaf Kolkman <olaf@NLnetLabs.nl> Wed, 07 October 2009 08:21 UTC
From: Olaf Kolkman <olaf@NLnetLabs.nl>
In-Reply-To: <d3aa5d00910061408y191bf863p48a6ec703553b67e@mail.gmail.com>
Date: Wed, 07 Oct 2009 09:23:18 +0100
Message-Id: <FB20C78E-3A72-409C-8406-2B8A00923783@NLnetLabs.nl>
References: <1C586E51-D77C-406C-9B89-47276A9B41B2@ICSI.Berkeley.EDU> <p06240812c6f160ac1fb2@10.20.30.158> <d3aa5d00910061408y191bf863p48a6ec703553b67e@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>, dnsop@ietf.org
Cc: "namedroppers@ops.ietf.org WG" <namedroppers@ops.ietf.org>, Nicholas Weaver <nweaver@icsi.berkeley.edu>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] [dnsext] Why ZSK rollover is a Bad Idea (tm)
On Oct 6, 2009, at 10:08 PM, Eric Rescorla wrote:

> [ Moderators note: Post was moderated, either because it was posted by
> a non-subscriber, or because it was over 20K.
> With the massive amount of spam, it is easy to miss and therefore
> delete relevant posts by non-subscribers.
> Please fix your subscription addresses. ]
>
> On Tue, Oct 6, 2009 at 2:02 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>> At 4:09 PM -0400 10/6/09, Nicholas Weaver wrote:
>>> Eric Rescorla has an explanation why the zone signing key rollover
>>> mechanism in DNSSEC for the root is a bad idea: It doesn't
>>> improve security and only makes things more complicated:
>>>
>>> http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html
>>>
>>>> The more general lesson here is that changing keys rapidly is
>>>> nearly useless as a method of preventing analytic attacks. It's
>>>> almost never practical to change keys frequently enough to have a
>>>> significant impact on the attacker's required level of effort. If
>>>> you're that close to the edge of a successful attack, what you
>>>> need is a stronger key, not to change your weak keys more
>>>> frequently. In the specific case of DNSSEC, just expanding the
>>>> size of the packet by 10 bytes or so would have as much if not
>>>> more security impact at a far lower system complexity cost.
>>
>> I won't speak for Ekr, but I see his argument being against ZSKs in
>> general, not just at the root. It's the same
>> argument I have tried to make in DNSOP.
>
> I don't have a general position on ZSKs--perhaps it's a good idea for
> some other reason--but I don't think that rolling the keys over at
> high rates provides any significant security benefit, no matter
> where in the hierarchy you're doing it.

Really this is a DNSOP issue, more specifically an issue for RFC4641bis.

[I've added dnsop, please remove namedroppers when replying to this note]

RFC4641 argues for frequent ZSK rollovers; the argument therein is based on operational arguments that are (implicitly) based on operator access to private keys and/or the timeline in which the (zone) operator may need to be replaced. EKR's argument is based on cryptographic strength and argues another view.

The current considerations need to be made more explicit. I've added this as an issue to the issue tracker. See (http://www.nlnetlabs.nl//svn/I-D-dnsop-rfc4641bis/trunk/open-issues/ )

I hope I can address a few of the issues before Yokohama.

--Olaf

________________________________________________________
Olaf M. Kolkman
NLnet Labs
Science Park 140, http://www.nlnetlabs.nl/
1098 XG Amsterdam
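The trade-off quoted above (rolling a ZSK more often versus making it a few bytes longer) can be put into rough numbers. The following is an added illustration, not code from the thread, from RFC 4641bis or from any of the participants. It uses the heuristic GNFS asymptotic work estimate for factoring an RSA modulus, which ignores constant factors and lower-order terms, so only ratios between two key sizes are meaningful. The 1024-bit starting key, the ten extra bytes (80 bits) of modulus, and the yearly-versus-monthly rollover cadence are assumptions chosen to make the comparison concrete.

```python
import math

# Heuristic asymptotic cost of the General Number Field Sieve for factoring
# an RSA modulus n:
#   L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),  c = (64/9)^(1/3)
# Constant factors and lower-order terms are dropped, so absolute values are
# meaningless; the functions below only ever compare two key sizes.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_log_work(bits: int) -> float:
    """Natural log of the heuristic GNFS work factor for a `bits`-bit RSA modulus."""
    ln_n = bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def work_ratio(bits_small: int, bits_large: int) -> float:
    """How many times more factoring work the larger modulus costs than the smaller."""
    return math.exp(gnfs_log_work(bits_large) - gnfs_log_work(bits_small))


def rollover_speedup_required(old_lifetime_days: float, new_lifetime_days: float) -> float:
    """
    Rolling a key does not change the work needed to factor it; it only
    shortens the window in which a recovered key is still in use.  An
    attacker who could just barely finish within the old lifetime must be
    this much faster to still finish within the new one.  Model assumption:
    a key recovered after it has been retired is worth nothing.
    """
    return old_lifetime_days / new_lifetime_days


def extra_bits_for_ratio(bits: int, target_ratio: float) -> int:
    """Smallest modulus increase (in bits) that multiplies the GNFS work by at least target_ratio."""
    extra = 0
    while work_ratio(bits, bits + extra) < target_ratio:
        extra += 1
    return extra


def compare(bits: int, extra_bytes: int, old_days: float, new_days: float) -> dict:
    """Put both levers side by side for one assumed starting key size and cadence."""
    speedup = rollover_speedup_required(old_days, new_days)
    return {
        "bigger_key_work_ratio": work_ratio(bits, bits + 8 * extra_bytes),
        "rollover_speedup_required": speedup,
        "extra_bits_matching_rollover": extra_bits_for_ratio(bits, speedup),
    }


if __name__ == "__main__":
    # Assumed figures for illustration only: a 1024-bit RSA ZSK, ten more
    # bytes of modulus on the wire, and a yearly vs. monthly rollover cadence.
    r = compare(bits=1024, extra_bytes=10, old_days=365, new_days=30)
    print(f"+10 bytes of modulus: x{r['bigger_key_work_ratio']:.1f} factoring work")
    print(f"yearly -> monthly rollover: attacker must be x{r['rollover_speedup_required']:.1f} faster")
    print(f"same margin from key size alone: +{r['extra_bits_matching_rollover']} bits "
          f"(about {r['extra_bits_matching_rollover'] / 8:.1f} bytes)")
```

Under this model, adding 80 bits to a 1024-bit modulus raises the factoring work by roughly a factor of seven, while going from a yearly to a monthly rollover only demands that the attacker be about twelve times faster, and that demand bites only if the attacker's time-to-break already falls between the two lifetimes; an attacker well inside the window is unaffected, and one well outside it was never a threat. Roughly a hundred extra bits buys the same margin as the monthly cadence with no additional key-management procedure. The GNFS estimate is a heuristic, so treat the figures as orders of magnitude, not as a factoring-record forecast.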