IETF Logo Mail Archive

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

Warren Kumari <warren@kumari.net> Tue, 30 June 2015 19:59 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 579A31B2C9E for <dnsop@ietfa.amsl.com>; Tue, 30 Jun 2015 12:59:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2tL8ti0Fkv7y for <dnsop@ietfa.amsl.com>; Tue, 30 Jun 2015 12:59:41 -0700 (PDT)
Received: from mail-oi0-f51.google.com (mail-oi0-f51.google.com [209.85.218.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 306C11AD2C0 for <dnsop@ietf.org>; Tue, 30 Jun 2015 12:59:41 -0700 (PDT)
Received: by oigx81 with SMTP id x81so16020833oig.1 for <dnsop@ietf.org>; Tue, 30 Jun 2015 12:59:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=dD915Z/oa9j+AnIskXvhj0K+V/BTVpT1EluMIMccolw=; b=MMMjzEm6pMU+zS3xRsUDgBvnjQOyOHMt6tyY8emdJHnf8P6aouKseQSbiX0d2N+M1+ n16xyUpzckQyMb29NRLyZA5N+iYZ7lwKHZE3f/MAo9Bdy4K1BCK5zRhvct6nr6IxTRn+ DrEVRXARH6MhXadp91DwCoAXRfds0xvs3O4gJkxJoGlw7za7hkAgb53S4gH2vsUE16FD Q1H1GeUGSVnGGO3EIehoDHn6tfK0bbAXu9Mkvv7p9aTutG/SkgJpIPX28gExoYrRaJZ5 UhVsidAVr2G+niG4azX3JE0AiUw07x96x100bwRWtdbUHmgQWJU2oVEKgg3H5rV3DUse G3Sg==
X-Gm-Message-State: ALoCoQlbD4t72DxvlL8o5QNPqYyDBfvLBOLXjbVhzvlyBgU8Cyg6bnuQ1+zBqS74ctNFT9RCYzsI
MIME-Version: 1.0
X-Received: by 10.60.145.228 with SMTP id sx4mr20897381oeb.79.1435694380311; Tue, 30 Jun 2015 12:59:40 -0700 (PDT)
Received: by 10.202.203.134 with HTTP; Tue, 30 Jun 2015 12:59:40 -0700 (PDT)
In-Reply-To: <55929AE2.50105@sinodun.com>
References: <CAHw9_iKmhA+f8QyuLkWeXQDfwprydVaGkR+LVJACGtsTB0+Pfw@mail.gmail.com> <55929AE2.50105@sinodun.com>
Date: Tue, 30 Jun 2015 15:59:40 -0400
Message-ID: <CAHw9_i+BRPXCdNLE4UCHDMzx0zcDfm8SbjLF1BGanGGL9VSCoA@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: John Dickinson <jad@sinodun.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/_DPhKzKpegNSb7GAbFerocLIoOE>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 19:59:43 -0000

On Tue, Jun 30, 2015 at 9:34 AM, John Dickinson <jad@sinodun.com> wrote:
>
>
> On 29/06/2015 21:48, Warren Kumari wrote:
>>
>> I'd appreciate any feedback, the draft announcment is here:
>> Name:           draft-wkumari-dnsop-trust-management
>> Revision:       00
>> Title:          Simplified Updates of DNS Security (DNSSEC) Trust Anchors
>> Document date:  2015-06-29
>> Group:          Individual Submission
>> Pages:          8
>> URL:
>>
>> https://www.ietf.org/internet-drafts/draft-wkumari-dnsop-trust-management-00.txt
>> Status:
>> https://datatracker.ietf.org/doc/draft-wkumari-dnsop-trust-management/
>> Htmlized:
>> https://tools.ietf.org/html/draft-wkumari-dnsop-trust-management-00
>>
> Hi,
>
> This draft appears to be trying to solve several problems.
> 1. Signalling by a validator to an authoritative server which keys it knows
> about.
> 2. Signalling by an authoritative server the mechanism it is using to roll
> it's keys
> 3. Defining an alternative to 5011 with a different mechanism to roll keys.


I think it is more just:
1: Signalling by a validator to an authoritative server which keys it
knows about.
3: Defining an alternative to 5011 with a different mechanism to roll keys.

An auth server *can* include a TDS record to signal that it supports
TDS (your #2), but it doesn't have to stop doing 5011. If it doesn't
publish the record, it still gets the signalling information.

This mechanism works with 5011 if that is what the auth server want to use.
An auth can:
A: use 5011 AND NOT publish a TDS record -- everyone will use the 5011
logic. The auth servers will still get the queries for the TDS record
from new clients, and so will be able to see the population change
(from new clients).

B: use 5011 AND publish a TDS record -- new clients will do the TDS
processing, older clients will still follow 5011 logic. The auth
server will still be able to follow the population change (from new
clients) (I need to add a priority section explaining what to do if
you support both TDS and 5011)

C: only use TDS - new clients will do TDS processing, old ones will
simply die when the roll happens. The TA maintainer will at least know
who all will die - those folk who talk to the root, but don't ever
send a TDS query. This is, um, not recommended :-)

>
> This seems a big ask for one draft.
>
> I have been planning to write a draft to address 1 by having validators send
> the DS of known TA's in an edns0 option code. This info, could then be
> logged by the authoritative nameservers.

Inserting it in edns0 implies (I think) that all of the queries will
contain this, which seems like a fairly big query size / efficiency
hit. I guess you could just do it every N queries, or M time, or
something. Very similar idea though...

I could simply pull all of the "and then install the new TA" stuff out
of the draft, and this could just be signaling of what TAs are
deployed.
I suspect that simply including a signalling mechanism that announces
what you know, without tying it to getting something in return, will
not get as widely deployed -- where is my incentive to send this? "To
be a good citizen" doesn't work as well as it used to / should :-( The
implicit suggestion that TDS may end up being the preferred mechanism,
and removal of the need to double-sign provides an incentive to do
this -- "I'll show you mine if you show me yours..."

>
> For problem 2 I was going to suggest advice to implementers of validators to
> (by default) treat all TA's as potentially 5011. A non 5011 TA is just one
> that is never seen to do 5011 stuff.

RFC 5011 requires significantly increasing the response sizes / double
signing. It is unclear if this really is a problem or not, but some
folk believe it is...

>
> Given the above, My feeling is that there is no need to propose an
> alternative to 5011 unless it adds a significant increase in security/ease
> of use.
>

I think it *does* provide a significant ease of use / operational win
over RFC5011-- it provides an incentive to report your TA set (you
need to, to get the next TAs), and also doesn't require increasing the
response size. It is unclear if this is a good enough tradeoff. It
might not be. Decoupling the signalling from the roll, and not
providing a 5011 alternative is, um, an alternative :-)

> In addition, if I have understood your intent correctly, I have a few
> questions regarding the security of your proposed mechanism.
>
> Assuming the traditional large (strong) KSK used as trust anchor and smaller
> ZSK scenario.
> It appears that the TDS RRSet will be signed only by the smaller ZSK.
> Doesn't this effectively create a circular dependency that effectively
> reduces the security of the zone down to the strength of the ZSK?
>

Hmmm. Good point. This may be a major issue... You could require that
the TDS records be signed by the KSK (like the ZSK), but this feels
like it may be hackish...

> You mention nothing like the add hold down timer in 5011. There seems to be
> good justification its need in 5011.

Yup, you are right. I had initially stuffed some text in the draft
saying that you simply follow all of the RFC5011 key timing logic /
parameters, but this didn't really seem to fit very well for some
cases. Rather than rewrite all of the 5011 timing stuff I decided to
publish this and get initial feedback. The draft still needs
significant work  before it would be finished, the full timing, much
better examples, the IANA section, the security section, priority of
5011 vs TDS, etc are included in that...


Anyway, thank you for reading and providing feedback, hopefully we can
make this better and / or remove the roll part and / or decide it is
not worth pursuing....


W

>
> regards
> John
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email