Re: [DNSOP] Why ZSK rollover is a Bad Idea (tm)
Todd Glassey <tglassey@earthlink.net> Thu, 08 October 2009 17:37 UTC
Message-ID: <4ACE23CC.90900@earthlink.net>
Date: Thu, 08 Oct 2009 10:39:24 -0700
From: Todd Glassey <tglassey@earthlink.net>
To: Doug Barton <dougb@dougbarton.us>
References: <1C586E51-D77C-406C-9B89-47276A9B41B2@ICSI.Berkeley.EDU> <p06240812c6f160ac1fb2@10.20.30.158> <d3aa5d00910061408y191bf863p48a6ec703553b67e@mail.gmail.com> <FB20C78E-3A72-409C-8406-2B8A00923783@NLnetLabs.nl> <712BBDEE-25FF-4E2E-A9E5-49E49162D41D@hopcount.ca> <005603A4-31C0-49E0-894F-3FAEB38D7D92@dnss.ec> <4ACD8333.7050806@dougbarton.us>
In-Reply-To: <4ACD8333.7050806@dougbarton.us>
Cc: dnsop WG <dnsop@ietf.org>, Roy Arends <roy@dnss.ec>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Doug Barton wrote:
> Roy Arends wrote:
>
>> I find it worrying that folks intend to test or practice operational
>> procedures by doing it often on a live production system. What if that
>> test or practice fails? "Whoops, we were testing it on the live system,
>> we failed, good thing we called it a test"
>>
>> There is also a risk involved by rolling keys over regularly. Especially
>> when the schedule is publicly announced. "If your attack fails, we will
>> have write access to the keystore _every month_, on the 1st, at exactly
>> 3 am cest".
>>
>> I fail to see the operational benefit of "Frequent Rollover Syndrome".
>
> Roy,
>
> I know you understand the concept that no matter how well you practice
> something in the QA lab you're never really _sure_ it works till you
> do it "in the wild." I think that at least in the early days of actual
> DNSSEC deployment (which we have barely stepped into atm) it's very
> reasonable to exercise all parts of the system now, under (relatively)
> controlled conditions so that down the road if we reach a point where
> we are forced to do an emergency key rollover on an "important" zone
> we'll have some level of comfort (or at least know where to look for
> things to break).
>
> Down the road I tend to agree with you that "frequent" KSK rollover
> will probably not have much benefit, but if I were administering a
> zone for which DNSSEC was critical I'd probably do it once a year just
> to keep all parts of the machine lubricated.

Doug - the key changes will want to be in accordance with corporate policy
for all identity token management and should be administered as such. That
generally means in audited companies a formal review once a year or more
often. Because of this, and since the DNSSEC services will become a key
part of Internet presence management, these will also need to be reviewed
as part of any formal IT audit practice as well.

Todd Glassey (as an Auditor).

> Doug
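Doug's argument for exercising a rollover before an emergency forces one, and Roy's question of what happens when the rehearsal fails, both come down to the timing of the rollover phases. The check below is an added example for this thread, not code from the discussion, the DNSOP WG or any DNSSEC signer. It models the pre-publish ZSK rollover described in RFC 6781 (publish the new ZSK, wait, re-sign with it, wait, withdraw the old ZSK) and tests every cache state a validating resolver can be in against the DNSKEY RRset it could have cached. The TTLs, the three example timelines and the `old`/`new` key labels are constructed for the example; the model deliberately ignores RRSIG expiration, which in normal operation is far longer than any TTL and so is not the binding constraint.

```python
"""
Pre-publish ZSK rollover timeline check (model after RFC 6781, section 4.1.1.1).

  t_publish : new ZSK added to the DNSKEY RRset; data still signed by the old ZSK
  t_switch  : zone data re-signed with the new ZSK; old ZSK still published
  t_remove  : old ZSK withdrawn from the DNSKEY RRset

Times are seconds from an arbitrary origin; the zone is assumed to have been
served with the old ZSK for longer than any TTL before that origin, so
negative fetch times are valid and mean "before the rollover started".

A validating resolver at time `now` may hold a DNSKEY RRset fetched anywhere in
[now - dnskey_ttl, now] and a data RRset plus RRSIG fetched anywhere in
[now - max_rr_ttl, now]. Every such pair must validate: the ZSK that produced
the cached RRSIG has to be present in the cached DNSKEY RRset. Signature
expiration is not modelled (assumed much longer than every TTL).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rollover:
    dnskey_ttl: int   # TTL of the DNSKEY RRset, seconds
    max_rr_ttl: int   # largest TTL of any signed RRset in the zone, seconds
    t_publish: int
    t_switch: int
    t_remove: int

    def dnskey_set(self, t):
        """ZSKs present in the DNSKEY RRset the authoritative server serves at t."""
        keys = set()
        if t < self.t_remove:
            keys.add("old")
        if t >= self.t_publish:
            keys.add("new")
        return keys

    def signing_key(self, t):
        """ZSK whose RRSIGs are served with zone data at t."""
        return "new" if t >= self.t_switch else "old"

    def breakpoints(self):
        return (self.t_publish, self.t_switch, self.t_remove)


def fetch_times(r, lo, hi):
    """Instants in [lo, hi] at which the served content can differ: the window
    start plus every phase boundary inside the window. dnskey_set and
    signing_key are piecewise constant between breakpoints, so this is exact."""
    return [lo] + [b for b in r.breakpoints() if lo < b <= hi]


def failures(r, horizon, step=60):
    """Brute-force check. Returns (now, dnskey_fetch_time, data_fetch_time)
    triples that a resolver could hold and fail to validate. `now` is sampled
    every `step` seconds and at every phase boundary."""
    instants = sorted(set(range(0, horizon, step)) | set(r.breakpoints()))
    bad = []
    for now in instants:
        for kf in fetch_times(r, now - r.dnskey_ttl, now):
            for df in fetch_times(r, now - r.max_rr_ttl, now):
                if r.signing_key(df) not in r.dnskey_set(kf):
                    bad.append((now, kf, df))
    return bad


def check_timeline(r):
    """Closed-form rules equivalent to failures(): the two waits RFC 6781 asks for."""
    problems = []
    if r.t_switch - r.t_publish < r.dnskey_ttl:
        problems.append("re-signed with new ZSK before every cache could hold the new "
                        "DNSKEY RRset: need t_switch - t_publish >= dnskey_ttl")
    if r.t_remove - r.t_switch < r.max_rr_ttl:
        problems.append("old ZSK withdrawn while RRSIGs made with it can still be "
                        "cached: need t_remove - t_switch >= max_rr_ttl")
    return problems


# Constructed example timelines: DNSKEY TTL 1 h, longest data TTL 24 h.
HORIZON = 4 * 86400
GOOD = Rollover(3600, 86400, t_publish=0, t_switch=3600, t_remove=3600 + 86400)
TOO_FAST = Rollover(3600, 86400, t_publish=0, t_switch=1800, t_remove=1800 + 86400)
EARLY_REMOVAL = Rollover(3600, 86400, t_publish=0, t_switch=3600, t_remove=3600 + 43200)

if __name__ == "__main__":
    for name, r in (("GOOD", GOOD), ("TOO_FAST", TOO_FAST), ("EARLY_REMOVAL", EARLY_REMOVAL)):
        bad = failures(r, HORIZON)
        print(name, "problems:", check_timeline(r) or "none")
        print(name, "first failing cache state (now, dnskey_fetch, data_fetch):",
              bad[0] if bad else "none")
```

`failures()` tells you which phase boundary breaks validation and for which cache state, which is what a lab rehearsal should be recording; `check_timeline()` is the rule of thumb you would put into a signer's policy. Running the two side by side on a rehearsal timeline is a cheap way to confirm that the closed-form waits really cover every resolver state before the same schedule is applied to a production zone.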