IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-dnssec-trust-history - discussion

"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Mon, 13 September 2010 14:36 UTC

Return-Path: <wouter@nlnetlabs.nl>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 57A2B3A69A8 for <dnsop@core3.amsl.com>; Mon, 13 Sep 2010 07:36:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.358
X-Spam-Level:
X-Spam-Status: No, score=-2.358 tagged_above=-999 required=5 tests=[AWL=0.242, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XRfX2FFxSavm for <dnsop@core3.amsl.com>; Mon, 13 Sep 2010 07:36:07 -0700 (PDT)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by core3.amsl.com (Postfix) with ESMTP id EBB203A69E1 for <dnsop@ietf.org>; Mon, 13 Sep 2010 07:36:04 -0700 (PDT)
Received: from gary.nlnetlabs.nl (gary.nlnetlabs.nl [IPv6:2001:7b8:206:1:216:76ff:feb8:1853]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.4/8.14.3) with ESMTP id o8DEaTbf037502 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for <dnsop@ietf.org>; Mon, 13 Sep 2010 16:36:29 +0200 (CEST) (envelope-from wouter@nlnetlabs.nl)
Message-ID: <4C8E36ED.70201@nlnetlabs.nl>
Date: Mon, 13 Sep 2010 16:36:29 +0200
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.9) Gecko/20100907 Fedora/3.1.3-1.fc13 Lightning/1.0b3pre Thunderbird/3.1.3
MIME-Version: 1.0
To: dnsop@ietf.org
References: <569C36E4-4F05-41B2-B0B8-A4B8228F13C9@googlemail.com>
In-Reply-To: <569C36E4-4F05-41B2-B0B8-A4B8228F13C9@googlemail.com>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.6 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]); Mon, 13 Sep 2010 16:36:29 +0200 (CEST)
Subject: Re: [DNSOP] draft-ietf-dnsop-dnssec-trust-history - discussion
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Sep 2010 14:36:09 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi dnsop,

On 09/10/2010 01:24 PM, Stephen Morris wrote:
> Colleagues
> 
> Although draft-ietf-dnsop-dnssec-trust-history (the DNSSEC Trust
> Anchor History Service) is a working group item and the editor has
> received a number of private comments on it, there has actually been
> relatively little discussion of the draft on the list, either pre- or
> post-adoption. If the draft is to go forward, it must represent the
> consensus of the working group.  To show that, we need people to
> comment on it and to support it.
> 
> So, to gauge feeling and to trigger discussion, could the chairs
> please have your views on the following issues:
> 
> 1. Is the situation addressed by the draft - that of a validator that
> has been offline or that has missed an (emergency) rollover needing
> to reconfigure itself - a problem that needs to be solved?

Yes, I think that problems needs a solution.  If you miss the
couple-week KSK rollover, RFC5011 cannot catch up your root anchor.
Maybe not a problem in the ISP-space (who are always online), but for
widespread deployment.

> 2. If the answer to (1) is yes, is the idea of using DNS the best way
> to do it?

Well, one way is to have the OS update handle it somehow.  But then the
OS update has to handle it.  Perhaps the OS update requires domain names
to resolve (remember, the world is bogus when the root trust anchor no
longer works; port distributions and mirrors may not work).  Also such
an OS update, if it is secure, would rely on exactly another key that is
that old.

Another solution is a vendor-update solution, i.e. an ISC or an
NLnetLabs or other-vendor key which is used to fetch a new root key.
Such a key would need to be kept as safe as the private key for the root
to be useful.

Another solution is to fetch the root key fresh from the iana website.
And check that it is correct using another key (which is necessarily
just as old): the PGP key or the https certificate.

Trust history, then, does not require additional keys.  It could run
over TCP (i.e. fetch a text file), but recall that domain names are all
bogus.

So, without saying I really want to do one of them, I would like to
promote deployment of DNSSEC, and include a 'foolproof' root trust
anchor (or deployment-method description or handy shell-script to
reinitialise).

Initially, in IETF fashion, I went immediately to solution, and went for
an in-band (since no DNS service), not-rely-on-other-key and
safety-provided-by-root-team solution.  Maybe that was wrong, I would
like, however, to promote DNSSEC deployment towards the (more likely
down or offline) end-hosts, and something needs to be done to make it
possible to have a fluent KSK rollover for the root: I think it is very
important to make this as easy as possible, so that new algorithms or
updated key parameters can easily be introduced.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyONu0ACgkQkDLqNwOhpPhcUACglbU+GsCIKmZAC69Q994K82w+
PpkAoIHZECi6raEFZ+OtvmJOsDnet8mo
=N0LK
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email