Re: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-02.txt

Warren Kumari <warren@kumari.net> Fri, 12 July 2013 12:19 UTC

From: Warren Kumari <warren@kumari.net>
In-Reply-To: <C3DDD5D2-D59E-4026-BF99-2820281788B6@frobbit.se>
Date: Fri, 12 Jul 2013 08:19:30 -0400
Message-Id: <998B82B2-4CF1-471F-A791-96D6F6D9DE93@kumari.net>
References: <CE0080AE.B7C0%bdickson@verisign.com> <C3DDD5D2-D59E-4026-BF99-2820281788B6@frobbit.se>
To: Patrik Fältström <paf@frobbit.se>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, "Dickson, Brian" <bdickson@verisign.com>
Subject: Re: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-02.txt

On Jul 8, 2013, at 3:32 PM, Patrik Fältström <paf@frobbit.se> wrote:

> 
> On 8 jul 2013, at 20:49, "Dickson, Brian" <bdickson@verisign.com> wrote:
> 
>> However, maybe something like a "PNS" (parent NS) in the child, where the
>> child is authoritative for the data, could signal {change | validation}
>> (depending on the RRR requirements), would do the trick?
> 
> Might solve some events, but I do not think it solves the most important situation, that DNS is moved from one DNS provider to another. The old DNS provider cannot be asked to enter NS records for the gaining provider... And using NS (in reality, as you look for auth servers) to fetch NS data seems to me to be a bit...fishy... ;-) The attack vector against such a situation is very complicated.

And is *precisely* why this document / technique is not trying to "solve" it.

CDS is specifically only for rolling your DNSKEY. It is specifically NOT for:
establishing trust.
recovering from a key compromise.
changing operators.
changing your NS.
a duck.

It is designed to be easy to clean, simple and easy to implement. It is designed to solve the "common case" -- there are a whole slew of cases that it simply rules out of scope.

This is designed to be the answer to "I feel like I should roll my keys because XXX, but I'm simply too lazy / likely to screw it up with the current interface" -- where XXX is something related to age, some policy, etc, NOT because I wandered into the directory where I store keys and found a file called exploit.php…

If I need to move DNS hosting folk, change my NS records, transfer my domain to another registrar, revoke all keys, etc I'll go "old skool" and do the out of band / web dance.

We want to make this annoying (probably repetitive) bit easier, ocean boiling is left for later….

[ Please note: I'm currently sitting in a hotel in South Africa, with less than stellar Internet access, and a funny timezone. Replies may be terse and delayed. ]

W


> 
>   Patrik
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> 

--
"Let's just say that if complete and utter chaos was lightning, he'd be the sort to stand on a hilltop in a thunderstorm wearing wet copper armour and shouting 'All gods are bastards'."

    -- Rincewind discussing Twoflower (Terry Pratchett, The Colour of Magic)
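The scope rule argued in this thread (CDS only rolls a DNSKEY that already sits in an existing chain of trust, and never bootstraps trust, deletes the DS, or stands in for an operator change) can be stated as a parent-side acceptance check. The following is an added example written for this archive page, not code from the draft or from any registry; it assumes the parent stores DS records as SHA-256 digests (DS digest type 2 per RFC 4034) and that DNSSEC validation of the child's CDS RRset has already been done elsewhere, so only the key tags of the keys that produced a valid RRSIG are passed in.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKey:
    owner: str         # zone name, e.g. "example."
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int     # DNSSEC algorithm number, e.g. 13 = ECDSAP256SHA256
    public_key: bytes  # raw public key bytes (constructed sample data in tests)

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire format: flags(2) | protocol(1, always 3) | algorithm(1) | key
        return self.flags.to_bytes(2, "big") + b"\x03" + bytes([self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    # "example." -> b"\x07example\x00" (uncompressed owner name, lower case assumed)
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def ds_digest(key: DNSKey) -> str:
    # RFC 4034 section 5.1.4: digest = SHA-256(owner name | DNSKEY RDATA)
    return hashlib.sha256(wire_name(key.owner) + key.rdata()).hexdigest()


def accept_cds(parent_ds: set, child_keys: list, cds_digests: set, signer_tags: set):
    """Return (accepted, reason, ds_to_publish). Encodes the thread's scope rule:
    the parent only replaces an existing DS set with what CDS says, and only when
    the CDS RRset was signed by a key the parent already trusts via its current DS."""
    if not parent_ds:
        return False, "no existing DS: CDS does not establish trust", set()
    if not cds_digests:
        return False, "empty CDS would delete all DS: out of scope", parent_ds
    trusted_signers = [k for k in child_keys
                       if k.key_tag() in signer_tags and ds_digest(k) in parent_ds]
    if not trusted_signers:
        return False, "CDS not signed by a key in the current DS: not a plain key roll", parent_ds
    if cds_digests == parent_ds:
        return True, "no change", parent_ds
    return True, "key roll accepted", cds_digests
```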