IETF Logo Mail Archive

Re: [DNSOP] Specification of DNSKEY "Private-key-format"

Mukund Sivaraman <muks@mukund.org> Fri, 30 August 2019 04:27 UTC

Return-Path: <muks@mukund.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 002B0120C84 for <dnsop@ietfa.amsl.com>; Thu, 29 Aug 2019 21:27:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mukund.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DQOHB4KY7ht6 for <dnsop@ietfa.amsl.com>; Thu, 29 Aug 2019 21:27:50 -0700 (PDT)
Received: from mail.akira.org (mail.akira.org [88.198.135.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 040B3120918 for <dnsop@ietf.org>; Thu, 29 Aug 2019 21:27:49 -0700 (PDT)
Received: from jurassic.lan.banu.com (unknown [27.5.13.194]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail.akira.org (Postfix) with ESMTPSA id 48E5879000BB; Fri, 30 Aug 2019 04:27:46 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mukund.org; s=mail; t=1567139267; bh=66qlhiR6yyBCJml8H/C+hwkW7umM2AZo7K10bBujPZk=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=KShE/nnbJNsHR0cjC4dIHLBs7T7GF0+Y5sfbIuuECX3Z5JCJ9W+y8XpOkgnLDgE7G qvEYQjXw5h6E1VynovIMk50ZWx3eZv4uz9zaxs1dlOW4/Yk5nf4ebuuGx7c2d8IgMG uXZDUvEpG7WZkRM6OoKxJXzz9oZq0z/ZfCLSmgew=
Date: Fri, 30 Aug 2019 09:56:21 +0530
From: Mukund Sivaraman <muks@mukund.org>
To: Evan Hunt <each@isc.org>
Cc: dnsop@ietf.org
Message-ID: <20190830042621.GA21281@jurassic.lan.banu.com>
References: <20190829125502.GA2048@jurassic.lan.banu.com> <20190829134831.GC90696@straasha.imrryr.org> <20190829135554.GA3616@jurassic.lan.banu.com> <20190829161123.GA52870@isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20190829161123.GA52870@isc.org>
User-Agent: Mutt/1.12.0 (2019-05-25)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jZqXDsHPEWH4raNr2Ibk7yc4Vvc>
Subject: Re: [DNSOP] Specification of DNSKEY "Private-key-format"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Aug 2019 04:27:53 -0000

Hi Evan

On Thu, Aug 29, 2019 at 04:11:23PM +0000, Evan Hunt wrote:
> On Thu, Aug 29, 2019 at 07:25:54PM +0530, Mukund Sivaraman wrote:
> > I am asking about where this key format is specified - I want to extend
> > it.
> 
> There's never been a written specification as far as I know, and if there
> was one, then it's definitely been obsolete since 2009, because I changed
> the format then and I didn't update any specs.
> 
> What I can tell you is: the private key file contains a format version
> string, "Private-key-format", currently always set to 1.3, and an
> algorithm string, "Algorithm".  After that comes a set of private keydata
> fields which are specific to the algorithm, and finally a set of *optional*
> metadata fields.
> 
> Those were introduced in format version 1.3. They include "Created",
> "Publish", "Delete", etc, and also a few (such as "RollPeriod") that
> were reserved for future use but we'e never gotten around to using them.
> 
> If the parser encounters any field that it doesn't recognize, and the key
> claims to be version 1.3, then it will reject the key with an error.
> However, if Private-key-format is increased to at least 1.4, then the
> version 1.3 parser will ignore the unknown fields and just use the ones
> that it does understand.  A version number above 2.0 is assumed not to be
> backward-compatible, so that key would be rejected always.

So it is a BIND-specific format. Years ago at ISC, I had looked for a
spec for it as I'd seen it used in some RFCs (e.g., RFC 6605) but could
not find one.

> We've have had a few conversations at ISC recently about adding some new
> fields and increasing the format version to 1.4, so it would probably be
> best if we coordinate our changes to ensure that your extensions are
> interoperable with ours.

For interoperability, there are other BIND-specific formats to consider
too such as the journal file format, the control channel protocol,
etc. The journal format is already incompatible between Loop and BIND,
and the control channel will soon be. I also would like for these to be
compatible and am open to collaboration.

On the topic of the private key format, there are multiple Loop tickets
that would propose changes.

* Currently, an experimental feature is being developed that needs
  additional meta fields. This caused me to ask the question.

* As you know, historically the BIND tree on unix relied on /dev/urandom
  and /dev/random (or some custom device) as sources of random
  numbers. This was slow to use, and in some environments, ran out of
  entropy. Some parts such as the dispatch code added a CSPRNG for
  source port randomization to improve performance and availablility of
  randomness. The general design led to flaws in the implementation of
  some features. Recent BIND branches appear to have tried to address
  this by switching to a mix of OpenSSL's PRNG and a local
  implementation of xoshiro128**.

  Loop is increasingly using a different crypto library, which
  implements LibreSSL portable's arc4random() based on OpenBSD's
  arc4random() and uses ChaCha with thread-local random state. It has
  replaced all usage of randomness within Loop and various hacks that
  were in place to work around randomness availability and performance
  issues have been removed. For the first time, all usage of randomness
  within the Loop tree demonstrably passes NIST SP 800-22.

  There is a ticket to implement the features of what dnssec-keymgr
  provides within named itself for ease of use of key maintenance (it is
  still named named, and will be renamed to loopd soon). This will need
  changes to metadata in the private key format, but see the next item.

* Loop has been improving how it handles key material (in memory) but
  there is still some way to go. Two aspects that I dislike about how it
  stores private keys on filesystem is that (1) they are stored in the
  clear, and (2) metadata unrelated to key material is stored alongside
  key material, though these should be in human readable form even if
  the key material is stored encrypted. This is unlike the DER->PEM form
  that OpenSSL tools generate by default (e.g., in Viktor's example).
  The key material and schedule metadata should be separated into
  different files.

Again, I'd very much like to collaborate with ISC, but the ball is in
your court.

		Mukund

--

Loop DNS nameserver: https://akira.org/loop/

v2.23.0 | Report a Bug | By Email