[DNSOP] new version: trust-history-02 draft

"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Fri, 21 August 2009 14:09 UTC

Message-ID: <4A8EAA78.1090000@nlnetlabs.nl>
Date: Fri, 21 Aug 2009 16:08:56 +0200
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
To: dnsop <dnsop@ietf.org>
Subject: [DNSOP] new version: trust-history-02 draft
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

Hi,

http://tools.ietf.org/html/draft-wijngaards-dnsop-trust-history-02

is available for review and comment.  This represents my take on how
to perform trust-anchor management for a validator without having
a system update mechanism (which works with unsafe DNS).

I have incorporated substantial comments and feedback.

o From Ted Lemon, Fixed the 'poison one upstream server'-attack.
o From Bert Hubert, Fixed the 'history in reverse'-attack.
o From Ed Lewis, Fixed so keys do not 'last forever'.
o From Mark Andrews, considerations for 5011-revocation.
o From Steve Crocker, Easy to test.
o From Bill Manning, can work on its own.
o From Wolfgang Nagele, zone owner advertising and 30days tweakable.
o From Olaf Kolkman, made the text easier to understand.
And more, sorry if I forgot here.

There is exactly one open issue:
o Publication of expired RRSIGs.
[ various people, Ed Lewis, Olaf Kolkman ]
This specification puts expired RRSIGs into the DNS and expects them
to be delivered.  What about 'smart' boxes that remove expired
signatures?  I think that boxes are not allowed to remove 'expired'
signatures.  This is why we have the CD flag.  Is this good to put
into dnssec-bis-updates?
One solution may be a 'HISTORICAL_RRSIG' new type, which needs a
new type allocation, where perhaps RRSIG serves perfectly fine.
Also, RRSIG is sent with a DNSKEY answer; HISTORICAL_RRSIG
causes extra queries to get it.

Best regards,
   Wouter
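The open issue above (expired RRSIGs being stripped before they reach the validator, and the CD flag as the reason they must not be) can be made concrete with a small model. The following is an added example, not code from the draft or from any NLnet Labs software: it simulates a 'smart' middlebox that drops RRSIGs whose expiration has passed unless the query carried CD, and a validator that walks a chain of historical DNSKEY RRsets by checking each RRSIG against the time that key set was in use rather than against the current clock. Cryptographic verification is replaced by a key-tag match (hypothetical stand-in), the chain-walk logic is a simplified illustration and not the draft's actual algorithm, and all key sets, key tags and timestamps are constructed.

```python
"""Toy model of the expired-RRSIG delivery problem (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# RFC 4034 section 3.1.5: RRSIG times are 32-bit unsigned seconds since the
# epoch and are compared with RFC 1982 serial arithmetic.
MOD = 1 << 32


def serial_gt(a: int, b: int) -> bool:
    """True if a is 'after' b under RFC 1982 serial arithmetic (wrap-safe)."""
    return a != b and (
        (a < b and b - a > MOD // 2) or (a > b and a - b < MOD // 2)
    )


@dataclass(frozen=True)
class Rrsig:
    type_covered: str
    key_tag: int       # tag of the key that (notionally) made this signature
    inception: int     # seconds since epoch
    expiration: int


def in_window(sig: Rrsig, at: int) -> bool:
    """Temporal validity of an RRSIG at time 'at' (RFC 4035 section 5.3.1):
    inception <= at <= expiration, in serial arithmetic."""
    return not serial_gt(sig.inception, at) and not serial_gt(at, sig.expiration)


def smart_box_filter(sigs: List[Rrsig], now: int, cd: bool) -> List[Rrsig]:
    """The middlebox behaviour the message objects to: drop RRSIGs that are
    expired *now*.  With CD set the box must pass everything through."""
    if cd:
        return list(sigs)
    return [s for s in sigs if in_window(s, now)]


@dataclass(frozen=True)
class KeySet:
    """A DNSKEY RRset at one point in a zone's history (constructed)."""
    key_tags: FrozenSet[int]
    valid_from: int          # when this key set came into use
    sigs: List[Rrsig]        # RRSIGs published over this DNSKEY RRset


def deliver(history: List[KeySet], now: int, cd: bool) -> List[KeySet]:
    """What the validator receives after the history passes a smart box."""
    return [KeySet(ks.key_tags, ks.valid_from, smart_box_filter(ks.sigs, now, cd))
            for ks in history]


def walk_history(anchor_tags: FrozenSet[int], history: List[KeySet]) -> Optional[FrozenSet[int]]:
    """Walk from an old trust anchor to the newest key set.  Each hop needs an
    RRSIG over the next DNSKEY RRset, made by a currently trusted key, that was
    valid at the time that key set came into use (not at the current time).
    Returns the final trusted key tags, or None if the chain is broken.
    Hypothetical simplification: a key-tag match stands in for verifying the
    signature bytes."""
    if not history or not (anchor_tags & history[0].key_tags):
        return None
    trusted = history[0].key_tags
    for ks in history[1:]:
        hop_ok = any(
            s.type_covered == "DNSKEY" and s.key_tag in trusted and in_window(s, ks.valid_from)
            for s in ks.sigs
        )
        if not hop_ok:
            return None
        trusted = ks.key_tags
    return trusted


# Constructed sample history: three key rollovers, signatures valid for ~30 days.
DAY = 86400
NOW = 1_250_000_000
HISTORY = [
    KeySet(frozenset({1001}), NOW - 400 * DAY,
           [Rrsig("DNSKEY", 1001, NOW - 400 * DAY, NOW - 370 * DAY)]),
    KeySet(frozenset({2002}), NOW - 200 * DAY,
           [Rrsig("DNSKEY", 1001, NOW - 201 * DAY, NOW - 170 * DAY),   # old key signs new set
            Rrsig("DNSKEY", 2002, NOW - 201 * DAY, NOW - 170 * DAY)]),
    KeySet(frozenset({3003}), NOW - 10 * DAY,
           [Rrsig("DNSKEY", 2002, NOW - 11 * DAY, NOW + 20 * DAY),
            Rrsig("DNSKEY", 3003, NOW - 11 * DAY, NOW + 20 * DAY)]),
]
OLD_ANCHOR = frozenset({1001})


def demo() -> dict:
    """Outcome of the walk with and without a middlebox stripping expired RRSIGs."""
    return {
        "direct": walk_history(OLD_ANCHOR, HISTORY),
        "via_box_no_cd": walk_history(OLD_ANCHOR, deliver(HISTORY, NOW, cd=False)),
        "via_box_cd": walk_history(OLD_ANCHOR, deliver(HISTORY, NOW, cd=True)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {'chain broken' if result is None else sorted(result)}")
```

The point the model makes is the one in the message: the RRSIG over the 2002 key set expired months ago, so a box that prunes by its own clock removes exactly the record the history walk needs, and only a CD query (which obliges the box to pass signatures through untouched) lets the validator apply its own, historical, time check.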