IETF Logo Mail Archive

Re: [DNSOP] signalling mandatory DNSSEC in the parent zone

Mark Andrews <marka@isc.org> Tue, 02 March 2021 11:55 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B85C3A1681 for <dnsop@ietfa.amsl.com>; Tue, 2 Mar 2021 03:55:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=hLOACdvj; dkim=pass (1024-bit key) header.d=isc.org header.b=Rnmqsk2E
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yy5CzWmGGhq2 for <dnsop@ietfa.amsl.com>; Tue, 2 Mar 2021 03:55:54 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C86053A1680 for <dnsop@ietf.org>; Tue, 2 Mar 2021 03:55:54 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 063AA3AB023; Tue, 2 Mar 2021 11:55:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1614686153; bh=aqEfwgqxppMRZeWMVa8KPW7/GweJ+dgYYX1Pfwx4XWM=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=hLOACdvj8ctSAUBqCCfmhjtPW4sad7w3gg4vy93IZv7wX2GTLDIzycxZT/8MgCNvS TKp+iBlowMbzQSRMdMRoucwMIQZsLUR8q/FSuFDlrG2GdMF6NZ22sldEfHn8cPGZVx SwlyceIOQJ7g4F5Z58u1DTVfroNB3d5oPIQMPMBU=
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id E178016006D; Tue, 2 Mar 2021 11:55:52 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id C4BD116008D; Tue, 2 Mar 2021 11:55:52 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.2 zmx1.isc.org C4BD116008D
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1614686152; bh=wvX9vGMDPMUTsN6wirUIJJ9dF8LE8S56/OFtLu1NBaY=; h=Content-Type:Mime-Version:Subject:From:Date: Content-Transfer-Encoding:Message-Id:To; b=Rnmqsk2EIrVlTR6labkQterpAOX+eVqTqVA0EO9ODVRv4OOpX8+qdoOJqFI61b68R GCHp8By9ATCAGGBbm20vGf0nIB5escjGTwHs2R8Yy8OYE8torbJrSfKFuLdxFoIQ0T r8+70cO2MXTR43aRXKP69Q+UoBYPLUafEg1WBFe8=
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id IL-ZrWPth-Jg; Tue, 2 Mar 2021 11:55:52 +0000 (UTC)
Received: from [172.30.42.67] (n114-75-173-184.bla4.nsw.optusnet.com.au [114.75.173.184]) by zmx1.isc.org (Postfix) with ESMTPSA id 7CC1516006D; Tue, 2 Mar 2021 11:55:51 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.7\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <5D1D786F-216A-4AD3-840E-CAFE5CA49B6C@wisser.se>
Date: Tue, 02 Mar 2021 22:55:48 +1100
Cc: Havard Eidnes <he=40uninett.no@dmarc.ietf.org>, ulrich=40wisser.se@dmarc.ietf.org, dnsop@ietf.org, brian.peter.dickson@gmail.com
Content-Transfer-Encoding: quoted-printable
Message-Id: <4577DCF6-9D72-4D46-90DD-F289F112E639@isc.org>
References: <20210301.205459.413147497474184552.he@uninett.no> <DE24E067-C0D3-4E26-B7FB-EF8311AE5E0A@isc.org> <5D1D786F-216A-4AD3-840E-CAFE5CA49B6C@wisser.se>
To: Ulrich Wisser <ulrich@wisser.se>
X-Mailer: Apple Mail (2.3445.9.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lhzHLSUoWmX7UmKnvrUcnmgQh9s>
Subject: Re: [DNSOP] signalling mandatory DNSSEC in the parent zone
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 11:55:56 -0000


> On 2 Mar 2021, at 22:52, Ulrich Wisser <ulrich@wisser.se> wrote:
> 
> @Håvard No, that isn’t sufficient. A resolver could have the old DNSKEY set in cache but get signatures from the new servers. This can be solved by cross signing the ZSK -> put the ZSK of the other provider in the respective DNSKEY set, no need to exchange private keys, only the DNSKEY records. Then you will always have a validation path.
> 
> @Mark, that is exactly what I am talking about, a forced algorithm change can only work, when both operators cooperate and if we insist on lax-validation. We need both!

It doesn’t even work then as there the signatures of the non DNSKEY records are of the wrong algorithm.

> Cooperation is of course another problem.There is no incentive for the “losing” operator to cooperate. And because today moving a secure domain is a complex manual task, no-one is interested in helping out. We could make this much easier with the right support in protocol and software. Shumon and I will talk on this next week.
> 
> /Ulrich
> 
> 
>> On 1 Mar 2021, at 20:58, Mark Andrews <marka@isc.org> wrote:
>> 
>> Throw a forced algorithm change in on top where neither provider is willing to sign with the other providers algorithm. 
>> 
>> -- 
>> Mark Andrews
>> 
>>> On 2 Mar 2021, at 06:55, Havard Eidnes <he=40uninett.no@dmarc.ietf.org> wrote:
>>> 
>>> 
>>>> 
>>>> - Switching providers while staying secure requires
>>>> inter-provider cooperation, including publishing ZSKs from
>>>> both providers in the DNSKEY RRSET served by both providers.
>>> 
>>> What?
>>> 
>>> Maybe I just don't understand the context or conditions here, but
>>> ...
>>> 
>>> Isn't it possible to stand up a new signing and publishing setup
>>> with new ZSKs and new KSKs, and have both the old DS record
>>> pointing to the old setup's KSK and a new DS record pointing to
>>> the KSK of the new setup registered in the parent zone, and then
>>> change the actual delegation (NS records), while still retaining
>>> both the two DS records for a while until the data from the old
>>> setup has timed out?
>>> 
>>> There is then no need to share the secret part of the KSKs or the
>>> ZSKs between the old and the new providers, or to include both
>>> the new and the old ZSKs in the zone.
>>> 
>>> Regards,
>>> 
>>> - Håvard
>>> 
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email