IETF Logo Mail Archive

Re: [DNSOP] [Ext] DNSSEC Strict Mode

Mark Andrews <marka@isc.org> Thu, 25 February 2021 21:08 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BC953A0691 for <dnsop@ietfa.amsl.com>; Thu, 25 Feb 2021 13:08:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=kTmqNJ1c; dkim=pass (1024-bit key) header.d=isc.org header.b=YpOELLV9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wfaVuEyzoOeh for <dnsop@ietfa.amsl.com>; Thu, 25 Feb 2021 13:08:54 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87E293A0597 for <dnsop@ietf.org>; Thu, 25 Feb 2021 13:08:54 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 261AE3AB01C; Thu, 25 Feb 2021 21:08:54 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1614287334; bh=k9Q419jAC+Vnv1kPz+OdRyExcCje/MZjcB91TZ5jNpQ=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=kTmqNJ1caEV0uDiUzYRl9ymu7uRyf+/bx5Ka2XKLm4nA3J3aepAn1qsbqYVZSk43v alDSX/ssNPLJve/9E71mtQoVdJv7NruOmb2w7TaJSdlReRqWy/9ADMgk+LNzNQNaf1 rwrwSvj3VaqJcxhybOelFIxE9py81F3ReRSBEUVg=
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 12CF6160047; Thu, 25 Feb 2021 21:08:54 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id DF3FC1600A3; Thu, 25 Feb 2021 21:08:53 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.2 zmx1.isc.org DF3FC1600A3
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1614287333; bh=/pd4wHn/oH0txhuH9litKhE9DsvUaXCsJxZ+fu9JCrg=; h=Content-Type:Mime-Version:Subject:From:Date: Content-Transfer-Encoding:Message-Id:To; b=YpOELLV9GhX4U7A1Q2I/PojMZJz+4TCsM2wkyYnDDYhh0U3DFDYUuhlZzmbFlveqk APat+I/hheOMxzLPdginNhRYv4GL+JgcXBUBYDwcX4rPAzXeJhE1YsqX3o/jzVYKuB 8Sbe/I0fOHfhTmxrV/iSlkSN4GJ6BwkBqVJx6yJw=
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id KuRcPZ28O7Rw; Thu, 25 Feb 2021 21:08:53 +0000 (UTC)
Received: from [172.30.42.67] (n114-75-173-184.bla4.nsw.optusnet.com.au [114.75.173.184]) by zmx1.isc.org (Postfix) with ESMTPSA id EC4E3160047; Thu, 25 Feb 2021 21:08:52 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.7\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <55277725-FED8-408A-B93D-C75AD1696018@nohats.ca>
Date: Fri, 26 Feb 2021 08:08:50 +1100
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Paul Hoffman <paul.hoffman@icann.org>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9CAD5C2F-6703-4D5A-9544-2255118B562C@isc.org>
References: <CAHbrMsAdbn85AUCY9Yr6XXU-6Ti4dKwR1=zncGj4z-SjznAF3w@mail.gmail.com> <55277725-FED8-408A-B93D-C75AD1696018@nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3445.9.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hBdeZucG7QuZevpTJgO1h0S1QJQ>
Subject: Re: [DNSOP] [Ext] DNSSEC Strict Mode
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2021 21:08:58 -0000


> On 26 Feb 2021, at 04:39, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Feb 25, 2021, at 11:06, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
>> 
>> 
>> 
>> That's not especially the intent.  Currently, if you sign with two algorithms, and either of those algorithms becomes insecure*, your zone becomes susceptible to forgery.
> 
> Which is why we have RFC 8624 and it’s successors. It really should prevent you from using “insecure” or weak algorithms. The [*] doesn’t really help you. If sha2 is broken and we don’t know it, you wouldn’t know to not use it as “secure”
> 
> 
> 
>>  If you mark both algorithms as Strict, then your zone remains secure (for validators who implement both algorithms and this draft).
> 
> That cannot be true, unless your draft requires validaties to validate with all algorithms for a double signed zone (also double signed zones are rare and really only transition during a migration)
> 
> I’m with Paul H here, I don’t see a use case.
> 
> As I think Petr said, we need to make the software do algorithm rollovers easier so people don’t avoid migration.

And the first thing to do is to stop saying “Roll DNSSEC Algorithms”. You are adding a new algorithm then dropping the old algorithm.  TLD operators made this sound dangerous.  They created the myth that it is hard to do.  Every signed zone in existence “added a new algorithm” when they signed their zones for the first time.  Trying to do the two things at once complicates things.

Add a new algorithm:

Create keys for the new algorithm.  Start signing the zone with them.  Wait a while for any old DNSKEY RRsets (or the negative cache when signing the first time) to expire from caches.  Add DS records for them.

Remove a algorithm:

Remove DS records for the algorithm.  Wait a while for the DS records to go from caches.  Stop signing the zone with the algorithm and remove the DNSKEYs and associate RRSIGs.

Thats it except when there are trust anchors involved like for the root zone.  You add trust anchors last and remove them first.

> 
> Paul
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email