Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: sentinel and timing?
Mark Andrews <marka@isc.org> Thu, 08 February 2018 22:21 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13646127876 for <dnsop@ietfa.amsl.com>; Thu, 8 Feb 2018 14:21:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EXsp93h9ckYW for <dnsop@ietfa.amsl.com>; Thu, 8 Feb 2018 14:21:54 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D507312711D for <dnsop@ietf.org>; Thu, 8 Feb 2018 14:21:54 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 41F9C3AB003; Thu, 8 Feb 2018 22:21:52 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id D4E5316008A; Thu, 8 Feb 2018 22:21:50 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id C4EE1160089; Thu, 8 Feb 2018 22:21:50 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id wBRRJM2Oao_V; Thu, 8 Feb 2018 22:21:50 +0000 (UTC)
Received: from [172.30.42.91] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id A3B98160088; Thu, 8 Feb 2018 22:21:49 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <32CB34DD-D682-42D7-B869-5A03057FCCC1@kahlerlarson.org>
Date: Fri, 09 Feb 2018 09:21:47 +1100
Cc: Joe Abley <jabley@hopcount.ca>, sthaug@nethelp.no, Ed Lewis <edward.lewis@icann.org>, dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C8597C6C-87FF-4C65-92BA-9C789F2D917F@isc.org>
References: <564E7616-6B47-48E2-B3DC-68A22032F441@icann.org> <20180208.152419.74654265.sthaug@nethelp.no> <A03DAC63-E005-4811-B706-B0284273DE6B@hopcount.ca> <32CB34DD-D682-42D7-B869-5A03057FCCC1@kahlerlarson.org>
To: Matt Larson <matt@kahlerlarson.org>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dnOVYUvBoIzNvbJ2u-bZsYi-RRQ>
Subject: Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: sentinel and timing?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2018 22:21:57 -0000
Managed keys presumes the operator is actually using RFC5011 timings to roll their keys. There are very few zones that have publicly said they are using RFC 5011. Named gets used on private networks. Those networks can use DNSSEC they can decide to use trusted-keys rather than RFC 5011. Mark > On 9 Feb 2018, at 2:24 am, Matt Larson <matt@kahlerlarson.org> wrote: > >> >> On Feb 8, 2018, at 9:43 AM, Joe Abley <jabley@hopcount.ca> wrote: >> >> >> >>> On 8 Feb 2018, at 09:24, sthaug@nethelp.no wrote: >>> >>>> If just to spread rumors, I heard the following as early as November, 2016. One of the issues is that operators update code without updating configuration files. I.e., a BIND upgraded today might be using a configuration file from the pre-managed-key days. >>> >>> Speaking only for myself - I have done many BIND upgrades without config >>> file changes (and I basically expect this to work). >> >> The problem is that until the first KSK rollover, >> >> best current practice for configuring DNSSEC validation in 2008 (without RFC5011) >> >> and >> >> best current practice for configuring DNSSEC validation in 2018 (with RFC5011) >> >> are functionally identical; there's no failure evident from using trusted-keys vs. managed-keys in your configuration, and BIND9's fastidious backwards compatibility means that old configurations continue to work even if "best current practice" with respect to the facilities implemented in BIND9 have changed. > > I would love to see BIND's trusted-keys syntax deprecated. Not the ability to configure a trust anchor statically, mind you, just the syntax. Changing the syntax and refusing to start with trusted-key in the configuration file would force those who are dragging old config files behind them unchanged to update. > > Maybe something like this: > > managed-keys { > "." initial-key 257 3 8 > "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF > FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX > bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD > X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz > W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS > Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq > QxA+Uk1ihz0="; > managed no; // Behave as if this were "trusted-keys" > }; > > (But please let's not bikeshed the syntax of a possible implementation...) > > Matt > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … sthaug
- [DNSOP] Why new code/old keys? Re: [Ext] Re: sent… Edward Lewis
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Ray Bellis
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Joe Abley
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Matt Larson
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Paul Vixie
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … sthaug
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Paul Vixie
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Matt Larson
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Paul Vixie
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Mukund Sivaraman
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Mark Andrews