Re: [DNSOP] lost key rollovers considered harmful
Joe Abley <jabley@hopcount.ca> Thu, 04 April 2013 20:46 UTC
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <20130404203515.2D1A731F02D2@drugs.dv.isc.org>
Date: Thu, 04 Apr 2013 16:46:39 -0400
Message-Id: <C23A6D78-88E9-43B8-95A8-FDCF56F79E72@hopcount.ca>
References: <87B5FB9E-755D-4E75-A54E-7A17B6AAF21A@hopcount.ca> <8D361F63-C433-4B11-BC26-37D1F550D463@vpnc.org> <alpine.LFD.2.10.1304031109290.28075@bofh.nohats.ca> <F58E5E77-4277-482C-8E43-E196966B8626@rfc1035.com> <E5DF98DF-BE4A-4A71-B781-480D59E46434@vpnc.org> <F8B19211-E088-4D86-8786-A9145CCED243@icsi.berkeley.edu> <20130404203515.2D1A731F02D2@drugs.dv.isc.org>
To: Mark Andrews <marka@isc.org>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Nicholas Weaver <nweaver@icsi.berkeley.edu>, Paul Hoffman <paul.hoffman@vpnc.org>
On 2013-04-04, at 16:35, Mark Andrews <marka@isc.org> wrote:

> Validators need to have end dates for DNSKEYS. If it starts up
> after that date it goes to all insecure.

http://tools.ietf.org/html/draft-jabley-dnsop-validator-bootstrap-00 was a first attempt to describe how a validator should bootstrap itself. I got zero feedback that anybody was interested in that problem space, and the draft never went any further.

I continue to think that behaviour upon cold boot is important to specify however, and if root zone KSK rollover thoughts have changed people's minds about its usefulness, I'd gladly pick it up again. It needs some work (any sentence that includes the word "certificate" is liable to make Mr Hoffman shake his fist in its current form), but I think the basic approach described has merit.

In general, if we acknowledge for the purposes of this discussion that root zone KSK rollovers will happen, and will happen often enough to care about mitigating damage during roll, I think we need a two-pronged approach to this problem space:

1. Use 5011 or some similar mechanism to accommodate key rollovers (for devices that are turned on often enough to be able to do that)

2. Carefully specify bootstrapping behaviour so that any cold-start of a long-dormant validator can be handled in some sane way.

Joe
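The two prongs above, modelled as an added example (not code from the thread, from BIND, or from the draft Joe cites): a toy RFC 5011 trust-anchor tracker for a validator that stays running, plus the cold-boot check Mark Andrews asks for, where each anchor carries an end date and a validator that wakes up after that date drops to insecure mode instead of validating with a stale anchor. The key tags (1001, 2002), dates and one-year anchor lifetime are constructed; the end date is Mark's proposal, not part of RFC 5011, and the RFC's Missing/Removed states and remove hold-down are omitted. RRSIG verification is assumed to have happened elsewhere and is passed in as the set of signing key tags.

```python
"""Toy RFC 5011-style trust-anchor tracker with per-anchor end dates.

Added example, not from the DNSOP thread. Models (1) RFC 5011 rollover for a
running validator and (2) a cold-boot check that refuses to validate with an
anchor whose end date has passed. Key tags, dates and the anchor lifetime are
constructed. Simplification: the Missing/Removed states and the remove
hold-down from RFC 5011 are not implemented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ADD_HOLD_DOWN = timedelta(days=30)  # RFC 5011 section 2.4.1 add hold-down


@dataclass
class DNSKEY:
    tag: int        # key tag (constructed values in demo())
    sep: bool       # Secure Entry Point flag set
    revoke: bool    # RFC 5011 REVOKE bit set


@dataclass
class AnchorRecord:
    state: str              # "AddPend", "Valid" or "Revoked"
    first_seen: datetime
    valid_until: datetime   # end date (Mark Andrews' suggestion, not RFC 5011)


class TrustAnchorStore:
    def __init__(self, anchor_lifetime=timedelta(days=365)):
        self.anchor_lifetime = anchor_lifetime  # constructed lifetime for new anchors
        self.keys = {}

    def add_configured_anchor(self, tag, installed, valid_until):
        """Anchor shipped in configuration, with an explicit end date."""
        self.keys[tag] = AnchorRecord("Valid", installed, valid_until)

    def trusted_tags(self, now):
        """Anchors usable for validation now: state Valid and not past end date."""
        return {t for t, r in self.keys.items()
                if r.state == "Valid" and now < r.valid_until}

    def cold_boot_mode(self, now):
        """Second prong: a validator with no live anchor must not pretend to
        validate; it goes insecure until it is bootstrapped by other means."""
        return "validating" if self.trusted_tags(now) else "insecure"

    def observe_dnskey_rrset(self, rrset, signers, now):
        """First prong: RFC 5011 processing of an apex DNSKEY RRset.
        `signers` holds key tags whose RRSIG over the RRset verified.
        Returns a list of (tag, old_state, new_state) transitions."""
        events = []
        if not (set(signers) & self.trusted_tags(now)):
            return events  # not signed by a currently trusted key: ignore
        present = {k.tag for k in rrset}
        # A pending key that vanishes from the RRset restarts its hold-down.
        for tag in [t for t, r in self.keys.items()
                    if r.state == "AddPend" and t not in present]:
            del self.keys[tag]
            events.append((tag, "AddPend", "Start"))
        for key in rrset:
            rec = self.keys.get(key.tag)
            if key.revoke:
                # Revocation counts only when self-signed by the revoked key.
                if rec is not None and key.tag in signers and rec.state != "Revoked":
                    old, rec.state = rec.state, "Revoked"
                    events.append((key.tag, old, "Revoked"))
                continue
            if not key.sep:
                continue  # only SEP keys are trust-anchor candidates
            if rec is None:
                self.keys[key.tag] = AnchorRecord("AddPend", now, now)
                events.append((key.tag, "Start", "AddPend"))
            elif rec.state == "AddPend" and now - rec.first_seen >= ADD_HOLD_DOWN:
                rec.state = "Valid"
                rec.valid_until = now + self.anchor_lifetime
                events.append((key.tag, "AddPend", "Valid"))
        return events


def demo():
    t0 = datetime(2013, 4, 4, tzinfo=timezone.utc)  # constructed start date
    old, new = DNSKEY(1001, True, False), DNSKEY(2002, True, False)
    old_revoked = DNSKEY(1001, True, True)

    # Running validator: sees the new KSK, waits out the hold-down, then the old
    # KSK is revoked. Trust moves from 1001 to 2002 with no operator action.
    running = TrustAnchorStore()
    running.add_configured_anchor(1001, t0 - timedelta(days=100), t0 + timedelta(days=265))
    events = running.observe_dnskey_rrset([old, new], {1001}, t0)
    events += running.observe_dnskey_rrset([old, new], {1001}, t0 + timedelta(days=31))
    events += running.observe_dnskey_rrset([old_revoked, new], {1001, 2002}, t0 + timedelta(days=40))

    # Dormant validator: same configured anchor, powered on two years later.
    # The anchor's end date has passed, so it goes insecure and ignores a
    # DNSKEY RRset signed only by a key it has never trusted.
    dormant = TrustAnchorStore()
    dormant.add_configured_anchor(1001, t0 - timedelta(days=100), t0 + timedelta(days=265))
    later = t0 + timedelta(days=730)
    return {
        "events": events,
        "running_trusted": running.trusted_tags(t0 + timedelta(days=40)),
        "dormant_mode": dormant.cold_boot_mode(later),
        "dormant_events": dormant.observe_dnskey_rrset([new], {2002}, later),
    }


if __name__ == "__main__":
    print(demo())
```

The running case shows why the first prong is enough for always-on resolvers: the new key is accepted after 30 days of continuous observation and the old one is dropped on a self-signed revocation. The dormant case shows the gap the second prong has to fill: an RFC 5011 validator that missed the whole roll has nothing it can trust, and the end date makes that state explicit ("insecure") rather than leaving it to fail validation indefinitely.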