Re: [DNSOP] Validating stubs? Was: Re: WG review of draft-ietf-homenet-dot-03

George Michaelson <ggm@algebras.org> Wed, 22 March 2017 23:19 UTC

Return-Path: <ggm@algebras.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C99A1270A7 for <dnsop@ietfa.amsl.com>; Wed, 22 Mar 2017 16:19:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=algebras-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A__YyylOdM-P for <dnsop@ietfa.amsl.com>; Wed, 22 Mar 2017 16:19:19 -0700 (PDT)
Received: from mail-vk0-x229.google.com (mail-vk0-x229.google.com [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 275C0126C83 for <dnsop@ietf.org>; Wed, 22 Mar 2017 16:19:19 -0700 (PDT)
Received: by mail-vk0-x229.google.com with SMTP id r69so28208730vke.2 for <dnsop@ietf.org>; Wed, 22 Mar 2017 16:19:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=algebras-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+iKrttGA9vPGm87ibBmp6AK0GsYB1zPo7AyZbB2jkng=; b=ZUcT+ll3gWTJaZ/kI9g9wEroE+lm7ISP+sljXtRe5b9MlvqjT1WHsbSolGoRGlCay0 nIPYiUAiSuQ0YYiP485/sf/1deyCXKjVM2wuqURNHPzPlzaj8TP73iiI0CvbjJRueE7I JQwsAoAsAKd0PeXGTsLJVU0Y4Wn4OF74BgXPgQthAS8KLHxgY6HyEhiKApd/6d9+2Qqa r90MH14UhQux68OjwfrjGPaFW4NvPVS96N5+tci5PQuxgmAT/d9kWNLCx1urmKAMNk80 PgQvWS+MUBNgn3DeFCVoILGkm530xlVpNsam80BSwFBmC0xtTxququvUdNUizcqEnusl GRig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+iKrttGA9vPGm87ibBmp6AK0GsYB1zPo7AyZbB2jkng=; b=tv2vUYlrwxilaGXzAHQoMY2TUWw8Ieh7HaW4oawYjo/pLVYNIkV6RDDo8lnfs2vnwj mk3TUrnmCOE8yPrn3vebapc+TcFCg7K9x6rQ8vnRDmyP0LbF4YpGnghU4UJPYbm9IyC1 vzEVx4uvwY2Mx9dbCboMThHfsdVQcx8ng8OvmGSFCKcJEON/gMpOdMJMyFoQi9yvcELB TmuE+kbe3UM9Jp6oPiUbim2gnYXEeqOpBqmZUtCN7k7ksFLoTs49I6HV74A4Bfreyvan kcZhIB/fqou4gx1xKB7Q+ae/ifjKHHKLVaMCsLxwzSluzzmOxNa13VM9ltXO+C+k9puU GBVQ==
X-Gm-Message-State: AFeK/H0r8Cd6+n+IIOhrdlB1ZkNRTPdI8ea+yVUiDiq26COCcPQdTW/QSEGpshYfjlgyB01VAeJqC9v5r8+Chg==
X-Received: by 10.31.227.198 with SMTP id a189mr6876294vkh.1.1490224758166; Wed, 22 Mar 2017 16:19:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.72.218 with HTTP; Wed, 22 Mar 2017 16:19:17 -0700 (PDT)
X-Originating-IP: [2001:dc0:a000:4:e441:91bb:2c01:6c82]
In-Reply-To: <CAH1iCiq6nVGMpv7c1UVc8SurOWLQK1DViETof4W06tRXes=rSA@mail.gmail.com>
References: <CAH1iCiq6nVGMpv7c1UVc8SurOWLQK1DViETof4W06tRXes=rSA@mail.gmail.com>
From: George Michaelson <ggm@algebras.org>
Date: Thu, 23 Mar 2017 09:19:17 +1000
Message-ID: <CAKr6gn247yo6EG6G+P013htKTJ8P6gVzo9LnbeU0hBW6YHGYaA@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mtsbfHRzdoaeETXivnuafl7Quro>
Subject: Re: [DNSOP] Validating stubs? Was: Re: WG review of draft-ietf-homenet-dot-03
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 23:19:22 -0000

Your question is well timed. with DNSSEC keyroll happening, the
question: "what level of 5011 deployement" exists is unanswerable with
authority because the architects did not consider signalling of
capability sufficiently trustable. So we have no direct measure of
capability, and a weak, indirect sense of deployment from other
signals of capabilities which would imply post-5011 capable code, but
cannot say if a locally maintained hand-installed TA is in use.

So the question "is it assumed" is a good one. I think the answer is
"yes, we design for the assumption DNS now is enabled for 5011, or
else is owning its problems"

-G

On Thu, Mar 23, 2017 at 9:08 AM, Brian Dickson
<brian.peter.dickson@gmail.com> wrote:
> I was thinking about the DNSSEC validation by stubs, with respect to the
> homenet discussion.
>
> And, I was wondering about various trust anchor options (other than ICANN's
> current root trust anchor).
>
> It occurred to me, that any non-ICANN trust anchor, would possibly require
> 5011 key rolls under certain circumstances.
>
> Which begs the question: are validating stub resolvers presumed to be
> 5011-capable?
>
> But, I realize, the issue of 5011 capability also exists for the root trust
> anchor.
>
> So, the dilemma is:
>
> Can we assume 5011 stub support regardless?
> If not, does this make the DNSSEC issue for homenet moot, since the root KSK
> will be rolled in the near future (for some value of "near future"), and
> break stub validation?
>
> On the other hand, if 5011 support by stubs is assumed, there is one
> interesting option:
>
> Establish a trust anchor for homenet (whatever name is used), AND publish
> the private keys.
>
> This creates the ability to have a master DNS authority server, in any given
> homenet instance, sign the data in the homenet zone. The default software
> could/would need to ship with the trust anchor, and the private key. The
> out-of-the-box behavior would just work, and would verify/validate properly
> for validating stubs that ship with the homenet trust anchor.
>
> There would then be the ability for users running their own homenet
> networks, to do the equivalent of changing the default password -- they
> would be able to do a 5011 key roll, which would cause the default trust
> anchor to be replaced with a unique trust anchor for that specific homenet.
>
> It's not part of the homenet standard (yet), but might be worth thinking
> about.
>
> Again, the main question is, has an assumption about 5011 support in stubs
> been made, and is it a valid assumption?
>
> If not, to re-emphasize, then the "unsigned delegation" thing isn't even
> necessary, since the stub resolvers won't be able to validate ANYTHING.
>
> Brian
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>