Re: [DNSOP] public consultation on root zone KSK rollover
Joe Abley <jabley@hopcount.ca> Sat, 06 April 2013 09:28 UTC
Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDB9421F8B49 for <dnsop@ietfa.amsl.com>; Sat, 6 Apr 2013 02:28:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.1
X-Spam-Level:
X-Spam-Status: No, score=-103.1 tagged_above=-999 required=5 tests=[AWL=0.500, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g+xY-4ZxxV2n for <dnsop@ietfa.amsl.com>; Sat, 6 Apr 2013 02:28:34 -0700 (PDT)
Received: from mail-qe0-f46.google.com (mail-qe0-f46.google.com [209.85.128.46]) by ietfa.amsl.com (Postfix) with ESMTP id 5011821F8B45 for <dnsop@ietf.org>; Sat, 6 Apr 2013 02:28:34 -0700 (PDT)
Received: by mail-qe0-f46.google.com with SMTP id nd7so405298qeb.33 for <dnsop@ietf.org>; Sat, 06 Apr 2013 02:28:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=x-received:references:from:mime-version:in-reply-to:date:message-id :subject:to:cc:content-type:content-transfer-encoding; bh=HFt1/TsR8+hPj/hMYroULBrvlABrAW8lsgdOIuJwU+0=; b=mNPpoADEFhAbyOnDim86UgYJ0xezSuduTdVkadsgNVItSlKvHfD5Cgb+foVc3veyik QsIGuoZ9kfbcI5+zL+NfMQso08ym1mxGFEUfRW8O3i0n5Jdh3jIYq3qOjUiOuP6Awba4 DjtXMFOFdZuX1xBOpGS4QHy0RktO9N1zNzVrs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:references:from:mime-version:in-reply-to:date:message-id :subject:to:cc:content-type:content-transfer-encoding :x-gm-message-state; bh=HFt1/TsR8+hPj/hMYroULBrvlABrAW8lsgdOIuJwU+0=; b=EBPVPBjkGSXSclWNS0b91684e4zQa2mO/RCpyfCHvT5EnHDk0CItq9N89QUD1qJG3P 5xi4YFUzrV4EBIgnbGvbn7HE2xHaVF4XsvpPzxkjc1ixiJb7vocFAzJTd+n22Mr5aT+7 TN3QPmKiQ45L1LV25PN8ZgFtimRYa1z/kk/EYo1PVPQ2by9RwOwRLt7wFYAWPqKjxtqC hxII0xUmLlUAmhr9rgATOT3BTh/tH15CDFwLodThW+suws4EFYcEgZqYKHrBr7KdBzAI UHIEBVJodcbLOlZzKb0aNEUaQRIzedRXJ5+yyvkCrjLu78vwk6QVwHZaW1EKhTCZZQaB lFlA==
X-Received: by 10.224.39.146 with SMTP id g18mr1105944qae.31.1365240513697; Sat, 06 Apr 2013 02:28:33 -0700 (PDT)
References: <87B5FB9E-755D-4E75-A54E-7A17B6AAF21A@hopcount.ca> <8D361F63-C433-4B11-BC26-37D1F550D463@vpnc.org> <20130403151735.GA20820@nic.fr> <20130403163826.GA46759@isc.org> <76E16FA9-84E0-4091-9ECA-5DB0A5BCA90A@dotat.at> <8811862356902250422@unknownmsgid> <E2559F6A-4C20-4227-B000-9152B0A41AED@dotat.at>
From: Joe Abley <jabley@hopcount.ca>
Mime-Version: 1.0 (1.0)
In-Reply-To: <E2559F6A-4C20-4227-B000-9152B0A41AED@dotat.at>
Date: Sat, 06 Apr 2013 17:28:29 +0800
Message-ID: <2025094731617877595@unknownmsgid>
To: Tony Finch <dot@dotat.at>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQmj9GPFDU651g0mFgiAADBFsRBDQa+UkGY8ctRdORg0y5SNE1aLGXO8PXduZvYWxjV9MyY2
Cc: Evan Hunt <each@isc.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] public consultation on root zone KSK rollover
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Apr 2013 09:28:35 -0000
Hi Tony, The intention was that those distributing code that relies upon retrieval of an authentic trust anchor would make arrangements with ICANN to sign trusted copies of the relevant objects themselves and have those signatures published alongside the ICANN-generated signatures. So, ISC could use the same PGP key as they use to sign BIND9 distributions, Apple could use a key derived from their code-signing CA, etc. In this way users could have the same trust in the retrieved trust anchor as they do in the software that has retrieved it. We have not had significant interest from vendors in developing this approach, but we remain interested. Joe Aue Te Ariki! He toki ki roto taku mahuna! On 2013-04-06, at 17:22, Tony Finch <dot@dotat.at> wrote: > On 6 Apr 2013, at 10:04, Joe Abley <jabley@hopcount.ca> wrote: >> On 2013-04-06, at 16:55, Tony Finch <dot@dotat.at> wrote: >>> >>> Validator vendors have to provide an out-of-band trust anchor update mechanism to cope with this. It needs to be coded and included in long-term support releases of validators and operating systems before rollover, I think. >> >> draft-jabley-dnsop-validator-bootstrap. > > Still needs implementation. > > My point about trustworthiness is that there is (as far as I know) no documentation of how the private keys are managed for the certificates / signatures on the trust anchor files, which rather undermines the elaborate root KSK management. I am also worried about being vulnerable to a screwup by any number of CAs; it would be good to pin the list of CA certs that might be used to verify the DNS trust anchor signatures. > > Tony. > -- > f.anthony.n.finch <dot@dotat.at> http://dotat.at/
- Re: [DNSOP] public consultation on root zone KSK … Joe Abley
- [DNSOP] public consultation on root zone KSK roll… Joe Abley
- [DNSOP] public consultation on root zone KSK roll… Joe Abley
- Re: [DNSOP] public consultation on root zone KSK … Paul Hoffman
- Re: [DNSOP] public consultation on root zone KSK … Paul Wouters
- Re: [DNSOP] public consultation on root zone KSK … Joe Abley
- Re: [DNSOP] public consultation on root zone KSK … Paul Hoffman
- Re: [DNSOP] public consultation on root zone KSK … Stephane Bortzmeyer
- Re: [DNSOP] public consultation on root zone KSK … Stephane Bortzmeyer
- Re: [DNSOP] public consultation on root zone KSK … Evan Hunt
- Re: [DNSOP] public consultation on root zone KSK … Joe Abley
- [DNSOP] lost key rollovers considered harmful Jim Reid
- Re: [DNSOP] lost key rollovers considered harmful Joe Abley
- Re: [DNSOP] lost key rollovers considered harmful Paul Hoffman
- Re: [DNSOP] lost key rollovers considered harmful Nicholas Weaver
- Re: [DNSOP] lost key rollovers considered harmful Mark Andrews
- Re: [DNSOP] lost key rollovers considered harmful Joe Abley
- Re: [DNSOP] lost key rollovers considered harmful Joe Abley
- Re: [DNSOP] lost key rollovers considered harmful Joe Abley
- Re: [DNSOP] lost key rollovers considered harmful Paul Wouters
- Re: [DNSOP] lost key rollovers considered harmful Paul Wouters
- Re: [DNSOP] lost key rollovers considered harmful Paul Hoffman
- Re: [DNSOP] lost key rollovers considered harmful Jim Reid
- Re: [DNSOP] lost key rollovers considered harmful Joe Abley
- Re: [DNSOP] lost key rollovers considered harmful Jim Reid
- Re: [DNSOP] lost key rollovers considered harmful Paul Hoffman
- Re: [DNSOP] lost key rollovers considered harmful Mark Andrews
- Re: [DNSOP] public consultation on root zone KSK … Tony Finch
- Re: [DNSOP] public consultation on root zone KSK … Joe Abley
- Re: [DNSOP] public consultation on root zone KSK … Tony Finch
- Re: [DNSOP] public consultation on root zone KSK … Tony Finch
- Re: [DNSOP] public consultation on root zone KSK … Joe Abley
- Re: [DNSOP] public consultation on root zone KSK … Ralf Weber
- Re: [DNSOP] public consultation on root zone KSK … Tony Finch