Re: [DNSOP] The DNSOP WG has placed draft-ogud-dnsop-maintain-ds in state "Candidate for WG Adoption"
Jan Včelák <jan.vcelak@nic.cz> Sun, 08 November 2015 20:50 UTC
Return-Path: <jan.vcelak@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C1EB1B34C6 for <dnsop@ietfa.amsl.com>; Sun, 8 Nov 2015 12:50:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.361
X-Spam-Level:
X-Spam-Status: No, score=-0.361 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_CZ=0.445, HOST_EQ_CZ=0.904, MIME_8BIT_HEADER=0.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gZBkSiCKxmbc for <dnsop@ietfa.amsl.com>; Sun, 8 Nov 2015 12:50:03 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B41051B34C4 for <dnsop@ietf.org>; Sun, 8 Nov 2015 12:50:03 -0800 (PST)
Received: from [192.168.0.111] (ip-89-177-125-149.net.upcbroadband.cz [89.177.125.149]) by mail.nic.cz (Postfix) with ESMTPSA id EBB6A18187E; Sun, 8 Nov 2015 21:50:00 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1447015801; bh=FVFXQaudloIfSLa6WaXIn2qAmjyf/UV/fEhY/lNO/IM=; h=To:From:Date; b=EVOIdNPBatJaVQ4IGjLmXdvW2VXqh0WELP2ixsX9+ktTwtPxigbGb1PPJ1Y8tcwEd /3DIPIhJKYtgwNPOFHMH0DzpLaWUcQs2iS7iA9lD7kGeFbeLJ31XU1O6KhR+szmObm JTGXLkKxmQQZ03whEiCMKDzMnUynG5dvL7oGlfZk=
To: Olafur Gudmundsson <ogud@ogud.com>, Shane Kerr <shane@time-travellers.org>
References: <20151106012018.31181.40792.idtracker@ietfa.amsl.com> <20151106115506.4e1d3e7e@pallas.home.time-travellers.org> <DAB0DDB3-65A9-46AF-AA3D-9B23D12C8B13@ogud.com>
From: Jan Včelák <jan.vcelak@nic.cz>
X-Enigmail-Draft-Status: N1110
Message-ID: <563FB574.8020709@nic.cz>
Date: Sun, 08 Nov 2015 21:49:56 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <DAB0DDB3-65A9-46AF-AA3D-9B23D12C8B13@ogud.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: clamav-milter 0.98.7 at mail
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/l3til32YI31z55vid7Qpb5oOme0>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] The DNSOP WG has placed draft-ogud-dnsop-maintain-ds in state "Candidate for WG Adoption"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Nov 2015 20:50:05 -0000
>> * Perhaps "Accept with challenge" should provide some advice on how >> this works. For example, a TXT record with a unique key for each zone >> (or customer) seems like a good recommendation. It might also make >> sense if each child domain (or customer) has a unique ownername to >> look for, to prevent 3rd parties from detecting such bootstrapping. >> (Yes a 3rd party can see the CDS update followed by the DS update, >> but they won't know the verification used.) Also to note that after >> the trust is established that the challenge record should no longer >> be necessary and can be removed. > > There are many different ways to do this > a) generate a random name with a <type> record with defined content > b) put a <type> record at a fixed name with random content > c) require resigning the CDS/CDNSKEY record with defined expiration time > etc. it is just a question of imagination what people come up with. > If the working group wants to recommend one standard way, that is fine. > Text welcome The value determined by the parent need not be random but can actually authenticate the CDS RDATA content. What about something like this: --8<-- Parent instructs the requestor to add a TXT RR into the zone with owner name matching the zone name prefixed with the '_cds' label. The RDATA of the record contain a value determined by the parent and provided to the client by a secure channel (e.g. domain registration system). The parent constructs the value as follows: HEX(HMAC-SHA256-64(parent_secret, cds_owner|cds_rdata)) Where: - HEX is a conversion from binary to lowercase hexadecimal digits. - HMAC-SHA256-64 is an authentication code as specified in RFC 6234. - server_secret is a cryptographically strong secret key known only to the parent. - cds_owner is the wire format representation of the child zone name in the canonical form. - cds_rdata is the wire format representation of the CDS RDATA in the canonical form. --8<-- However, this trust establishing dance still requires interaction with the parent via an out-of-band channel. So there is a little difference from giving the parent the initial DS records directly. Cheers, Jan
- [DNSOP] The DNSOP WG has placed draft-ogud-dnsop-… IETF Secretariat
- Re: [DNSOP] The DNSOP WG has placed draft-ogud-dn… Shane Kerr
- Re: [DNSOP] The DNSOP WG has placed draft-ogud-dn… Olafur Gudmundsson
- Re: [DNSOP] The DNSOP WG has placed draft-ogud-dn… Jan Včelák
- Re: [DNSOP] The DNSOP WG has placed draft-ogud-dn… Jacques Latour