Re: [DNSOP] lost key rollovers considered harmful

Joe Abley <jabley@hopcount.ca> Thu, 04 April 2013 20:46 UTC

From: Joe Abley <jabley@hopcount.ca>
Date: Thu, 04 Apr 2013 16:46:39 -0400
To: Mark Andrews <marka@isc.org>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Nicholas Weaver <nweaver@icsi.berkeley.edu>, Paul Hoffman <paul.hoffman@vpnc.org>

On 2013-04-04, at 16:35, Mark Andrews <marka@isc.org> wrote:

> Validators need to have end dates for DNSKEYS.  If it starts up
> after that date it goes to all insecure.

http://tools.ietf.org/html/draft-jabley-dnsop-validator-bootstrap-00

was a first attempt to describe how a validator should bootstrap itself.

I got zero feedback that anybody was interested in that problem space, and the draft never went any further. I continue to think that behaviour upon cold boot is important to specify, however, and if root zone KSK rollover thoughts have changed people's minds about its usefulness, I'd gladly pick it up again.

It needs some work (any sentence that includes the word "certificate" is liable to make Mr Hoffman shake his fist in its current form), but I think the basic approach described has merit.

In general, if we acknowledge for the purposes of this discussion that root zone KSK rollovers will happen, and will happen often enough to care about mitigating damage during roll, I think we need a two-pronged approach to this problem space:

1. Use 5011 or some similar mechanism to accommodate key rollovers (for devices that are turned on often enough to be able to do that)

2. Carefully specify bootstrapping behaviour so that any cold-start of a long-dormant validator can be handled in some sane way.


Joe
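As an added illustration (not code from the draft, the list members, or any resolver), a Python model of the two prongs above: RFC 5011 style anchor tracking for a validator that stays online, and the per-key end date from the quoted message for one that cold-starts after a long sleep. The key tags, dates and the two-year anchor lifetime are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed model (not code from the draft or any resolver): each trust anchor
# carries an operator-configured end date, as the quoted message proposes, and is
# tracked with an RFC 5011 style add hold-down while the validator is online.
HOLD_DOWN = timedelta(days=30)             # RFC 5011 add hold-down time
ANCHOR_LIFETIME = timedelta(days=2 * 365)  # assumed policy for a learned key's end date

@dataclass
class Anchor:
    key_tag: int            # constructed tags below, not real root KSK tags
    first_seen: datetime
    not_after: datetime     # end date after which the key must not be trusted
    valid: bool = False     # True once seen continuously for HOLD_DOWN
    revoked: bool = False

def observe_dnskey_rrset(anchors, present, revoked, now):
    """One 5011 polling step: `present` is the set of key tags in the signed root
    DNSKEY RRset, `revoked` the subset carrying the REVOKE flag."""
    if not any(a.valid and not a.revoked for a in anchors):
        return  # no trusted key could have validated the RRset: nothing learned
    known = {a.key_tag for a in anchors}
    anchors.extend(Anchor(t, now, now + ANCHOR_LIFETIME) for t in present - known)
    for a in anchors:
        if a.key_tag in revoked:
            a.revoked = True
        elif a.key_tag in present and now - a.first_seen >= HOLD_DOWN:
            a.valid = True
    # a pending key that vanished from the RRset starts its hold-down over later
    anchors[:] = [a for a in anchors if a.valid or a.key_tag in present]

def cold_start_mode(anchors, now):
    """Start-up decision: validate only with anchors still inside their end date;
    with none left, answer insecure instead of failing every lookup against a
    key the root may no longer use."""
    live = [a for a in anchors if a.valid and not a.revoked and now < a.not_after]
    return "validate" if live else "insecure"

def simulate():
    t0 = datetime(2013, 4, 4, tzinfo=timezone.utc)
    def fresh_store():  # one old anchor, trusted until t0 + 300 days
        return [Anchor(1001, t0 - timedelta(days=400), t0 + timedelta(days=300), valid=True)]
    online = fresh_store()   # polls daily, so it sees the new KSK 2002 and learns it
    for day in range(46):
        observe_dnskey_rrset(online, {1001, 2002}, set(), t0 + timedelta(days=day))
    observe_dnskey_rrset(online, {1001, 2002}, {1001}, t0 + timedelta(days=46))
    dormant = fresh_store()  # powered off through the whole roll, boots much later
    boot = t0 + timedelta(days=400)
    return {"online": cold_start_mode(online, boot), "dormant": cold_start_mode(dormant, boot)}
```

The online validator ends up trusting the new key and validating; the dormant one finds its only anchor past its end date and falls back to insecure, the outcome the quoted message asks for, rather than treating every answer as bogus.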