IETF Logo Mail Archive

Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

Tony Finch <dot@dotat.at> Thu, 02 July 2015 09:30 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C7341B3121 for <dnsop@ietfa.amsl.com>; Thu, 2 Jul 2015 02:30:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jmuuLJZIzH-P for <dnsop@ietfa.amsl.com>; Thu, 2 Jul 2015 02:30:37 -0700 (PDT)
Received: from ppsw-40.csi.cam.ac.uk (ppsw-40.csi.cam.ac.uk [131.111.8.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1DED1B311C for <dnsop@ietf.org>; Thu, 2 Jul 2015 02:30:36 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:58909) by ppsw-40.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.156]:25) with esmtpa (EXTERNAL:fanf2) id 1ZAapF-0004iA-lo (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Thu, 02 Jul 2015 10:30:33 +0100
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1ZAapF-0007Xe-LW (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Thu, 02 Jul 2015 10:30:33 +0100
Date: Thu, 02 Jul 2015 10:30:33 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Paul Wouters <paul@nohats.ca>
In-Reply-To: <alpine.LFD.2.11.1507011833370.8321@bofh.nohats.ca>
Message-ID: <alpine.LSU.2.00.1507021026290.3128@hermes-1.csi.cam.ac.uk>
References: <CAHw9_iKmhA+f8QyuLkWeXQDfwprydVaGkR+LVJACGtsTB0+Pfw@mail.gmail.com> <55929AE2.50105@sinodun.com> <CAHw9_i+BRPXCdNLE4UCHDMzx0zcDfm8SbjLF1BGanGGL9VSCoA@mail.gmail.com> <alpine.LFD.2.11.1507011833370.8321@bofh.nohats.ca>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/fWomAYI80ChA6DoJnbXioaSJamM>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2015 09:30:39 -0000

Paul Wouters <paul@nohats.ca> wrote:
>
> You would only add it to the question for DNSKEY of the root.

Yes.

> Maybe only after you determined a validation failure, so you clearly
> have the wrong trust anchor.

No, the point of this option is to signal to the root what trust anchors
are in use by the population of validators, before a rollover happens.

It is like the algorithm signalling option, RFC 6975. (Which seems to be
mostly unimplemented... why?)

> It seems in general, having some special record signed by only the
> new key seems a nicer solution,

That cannot work.

http://www.ietf.org/mail-archive/web/dnsop/current/msg14664.html

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Dover, Wight, Portland, Plymouth: Cyclonic, mainly southwest, 4 or 5. Slight
or moderate. Thundery showers. Moderate, occasionally poor.

v2.23.0 | Report a Bug | By Email