IETF Logo Mail Archive

Re: [DNSOP] public consultation on root zone KSK rollover

Joe Abley <jabley@hopcount.ca> Sat, 06 April 2013 09:28 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDB9421F8B49 for <dnsop@ietfa.amsl.com>; Sat, 6 Apr 2013 02:28:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.1
X-Spam-Level:
X-Spam-Status: No, score=-103.1 tagged_above=-999 required=5 tests=[AWL=0.500, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g+xY-4ZxxV2n for <dnsop@ietfa.amsl.com>; Sat, 6 Apr 2013 02:28:34 -0700 (PDT)
Received: from mail-qe0-f46.google.com (mail-qe0-f46.google.com [209.85.128.46]) by ietfa.amsl.com (Postfix) with ESMTP id 5011821F8B45 for <dnsop@ietf.org>; Sat, 6 Apr 2013 02:28:34 -0700 (PDT)
Received: by mail-qe0-f46.google.com with SMTP id nd7so405298qeb.33 for <dnsop@ietf.org>; Sat, 06 Apr 2013 02:28:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=x-received:references:from:mime-version:in-reply-to:date:message-id :subject:to:cc:content-type:content-transfer-encoding; bh=HFt1/TsR8+hPj/hMYroULBrvlABrAW8lsgdOIuJwU+0=; b=mNPpoADEFhAbyOnDim86UgYJ0xezSuduTdVkadsgNVItSlKvHfD5Cgb+foVc3veyik QsIGuoZ9kfbcI5+zL+NfMQso08ym1mxGFEUfRW8O3i0n5Jdh3jIYq3qOjUiOuP6Awba4 DjtXMFOFdZuX1xBOpGS4QHy0RktO9N1zNzVrs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:references:from:mime-version:in-reply-to:date:message-id :subject:to:cc:content-type:content-transfer-encoding :x-gm-message-state; bh=HFt1/TsR8+hPj/hMYroULBrvlABrAW8lsgdOIuJwU+0=; b=EBPVPBjkGSXSclWNS0b91684e4zQa2mO/RCpyfCHvT5EnHDk0CItq9N89QUD1qJG3P 5xi4YFUzrV4EBIgnbGvbn7HE2xHaVF4XsvpPzxkjc1ixiJb7vocFAzJTd+n22Mr5aT+7 TN3QPmKiQ45L1LV25PN8ZgFtimRYa1z/kk/EYo1PVPQ2by9RwOwRLt7wFYAWPqKjxtqC hxII0xUmLlUAmhr9rgATOT3BTh/tH15CDFwLodThW+suws4EFYcEgZqYKHrBr7KdBzAI UHIEBVJodcbLOlZzKb0aNEUaQRIzedRXJ5+yyvkCrjLu78vwk6QVwHZaW1EKhTCZZQaB lFlA==
X-Received: by 10.224.39.146 with SMTP id g18mr1105944qae.31.1365240513697; Sat, 06 Apr 2013 02:28:33 -0700 (PDT)
References: <87B5FB9E-755D-4E75-A54E-7A17B6AAF21A@hopcount.ca> <8D361F63-C433-4B11-BC26-37D1F550D463@vpnc.org> <20130403151735.GA20820@nic.fr> <20130403163826.GA46759@isc.org> <76E16FA9-84E0-4091-9ECA-5DB0A5BCA90A@dotat.at> <8811862356902250422@unknownmsgid> <E2559F6A-4C20-4227-B000-9152B0A41AED@dotat.at>
From: Joe Abley <jabley@hopcount.ca>
Mime-Version: 1.0 (1.0)
In-Reply-To: <E2559F6A-4C20-4227-B000-9152B0A41AED@dotat.at>
Date: Sat, 06 Apr 2013 17:28:29 +0800
Message-ID: <2025094731617877595@unknownmsgid>
To: Tony Finch <dot@dotat.at>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQmj9GPFDU651g0mFgiAADBFsRBDQa+UkGY8ctRdORg0y5SNE1aLGXO8PXduZvYWxjV9MyY2
Cc: Evan Hunt <each@isc.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] public consultation on root zone KSK rollover
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Apr 2013 09:28:35 -0000

Hi Tony,

The intention was that those distributing code that relies upon
retrieval of an authentic trust anchor would make arrangements with
ICANN to sign trusted copies of the relevant objects themselves and
have those signatures published alongside the ICANN-generated
signatures.

So, ISC could use the same PGP key as they use to sign BIND9
distributions, Apple could use a key derived from their code-signing
CA, etc. In this way users could have the same trust in the retrieved
trust anchor as they do in the software that has retrieved it.

We have not had significant interest from vendors in developing this
approach, but we remain interested.


Joe

Aue Te Ariki! He toki ki roto taku mahuna!

On 2013-04-06, at 17:22, Tony Finch <dot@dotat.at> wrote:

> On 6 Apr 2013, at 10:04, Joe Abley <jabley@hopcount.ca> wrote:
>> On 2013-04-06, at 16:55, Tony Finch <dot@dotat.at> wrote:
>>>
>>> Validator vendors have to provide an out-of-band trust anchor update mechanism to cope with this. It needs to be coded and included in long-term support releases of validators and operating systems before rollover, I think.
>>
>> draft-jabley-dnsop-validator-bootstrap.
>
> Still needs implementation.
>
> My point about trustworthiness is that there is (as far as I know) no documentation of how the private keys are managed for the certificates / signatures on the trust anchor files, which rather undermines the elaborate root KSK management. I am also worried about being vulnerable to a screwup by any number of CAs; it would be good to pin the list of CA certs that might be used to verify the DNS trust anchor signatures.
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/

v2.23.0 | Report a Bug | By Email