Re: [DNSOP] signalling mandatory DNSSEC in the parent zone

Ulrich Wisser <ulrich@wisser.se> Tue, 02 March 2021 12:07 UTC

Return-Path: <ulrich@wisser.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DF793A16AA for <dnsop@ietfa.amsl.com>; Tue, 2 Mar 2021 04:07:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.118
X-Spam-Level:
X-Spam-Status: No, score=-2.118 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wisser.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 65Qhm5p1U5Eg for <dnsop@ietfa.amsl.com>; Tue, 2 Mar 2021 04:07:02 -0800 (PST)
Received: from mout-p-102.mailbox.org (mout-p-102.mailbox.org [80.241.56.152]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 060DB3A16A7 for <dnsop@ietf.org>; Tue, 2 Mar 2021 04:07:01 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:105:465:1:1:0]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-102.mailbox.org (Postfix) with ESMTPS id 4DqbTb4FvkzQlZb; Tue, 2 Mar 2021 13:06:59 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wisser.se; s=MBO0001; t=1614686816; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=yfUljocrNkTPUyVcgL0zhwm6dMhoxKpjVMr/vdAAirg=; b=orjzTwFxnyIRt0NLFAp3TeGQMHpWro2kUWiaGw48LtSbGK+4z+orfhSvPGa5PRQaR47vKT ZWl6DxP0YzYo6lxNKoluHKniY2kHHUA5O7iK8GVm3u59Rd7mQYR3D0uO1NeS2S1p33aPfy +33UakLHTpfbqZjmnie+RDGvYDX4PNWCMsAhLcnhWxzv1wBKNOdQUpy5vaEUepSvylaRu/ hCK2SAiI6DZ4fWX0xsxpqI3wndz1FxXIA1YReK6ZSy8KdnzsgBhQgAYcGIiTbC4NNs7jIR wXusTESwkJ4SwpBpYlIzbtWJYf669UrNgKj8oE3ACSsuf/RHiy8oipUN3t0k6Q==
Received: from smtp1.mailbox.org ([80.241.60.240]) by spamfilter06.heinlein-hosting.de (spamfilter06.heinlein-hosting.de [80.241.56.125]) (amavisd-new, port 10030) with ESMTP id yuvwKOVN7olo; Tue, 2 Mar 2021 13:06:55 +0100 (CET)
From: Ulrich Wisser <ulrich@wisser.se>
Message-Id: <0FD37A06-9DD4-46EB-BBB9-C480155CC9F1@wisser.se>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B76297FF-9624-47BA-9261-C9FB54B13ECF"
Mime-Version: 1.0
Date: Tue, 2 Mar 2021 13:06:54 +0100
In-Reply-To: <4577DCF6-9D72-4D46-90DD-F289F112E639@isc.org>
Cc: dnsop@ietf.org
To: Mark Andrews <marka@isc.org>
References: <20210301.205459.413147497474184552.he@uninett.no> <DE24E067-C0D3-4E26-B7FB-EF8311AE5E0A@isc.org> <5D1D786F-216A-4AD3-840E-CAFE5CA49B6C@wisser.se> <4577DCF6-9D72-4D46-90DD-F289F112E639@isc.org>
X-MBO-SPAM-Probability:
X-Rspamd-Score: -4.35 / 15.00 / 15.00
X-Rspamd-Queue-Id: C57F61847
X-Rspamd-UID: 8cda8c
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qG8koR2LSyX0dU_BOToAzER2QeQ>
Subject: Re: [DNSOP] signalling mandatory DNSSEC in the parent zone
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 12:07:05 -0000


> On 2 Mar 2021, at 12:55, Mark Andrews <marka@isc.org> wrote:
> 
> 
> 
>> On 2 Mar 2021, at 22:52, Ulrich Wisser <ulrich@wisser.se> wrote:
>> 
>> @Håvard No, that isn’t sufficient. A resolver could have the old DNSKEY set in cache but get signatures from the new servers. This can be solved by cross signing the ZSK -> put the ZSK of the other provider in the respective DNSKEY set, no need to exchange private keys, only the DNSKEY records. Then you will always have a validation path.
>> 
>> @Mark, that is exactly what I am talking about, a forced algorithm change can only work, when both operators cooperate and if we insist on lax-validation. We need both!
> 
> It doesn’t even work then as there the signatures of the non DNSKEY records are of the wrong algorithm.

Why would the signatures of the non DNSKEY RRset need to be of the same algorithm as the KSK?
Lax-validation says that “any validation path” should be accepted. 

example.com. DS 123 8 2 xxx

example.com <http://example.com/>. DNSKEY 257 3 8 xxx
Example.com. DNSKEY 256 3 8 yyy
example.com <http://example.com/>. DNSKEY 256 3 13 zzz
example.com <http://example.com/>. RRSIG DNSKEY 8 …

www.example.com <http://www.example.com/>. TXT “example”
www.example.com. RRSIG TXT 13 …

In my eyes there is a clear validation path to the www rr.



> 
>> Cooperation is of course another problem.There is no incentive for the “losing” operator to cooperate. And because today moving a secure domain is a complex manual task, no-one is interested in helping out. We could make this much easier with the right support in protocol and software. Shumon and I will talk on this next week.
>> 
>> /Ulrich
>> 
>> 
>>> On 1 Mar 2021, at 20:58, Mark Andrews <marka@isc.org> wrote:
>>> 
>>> Throw a forced algorithm change in on top where neither provider is willing to sign with the other providers algorithm. 
>>> 
>>> -- 
>>> Mark Andrews
>>> 
>>>> On 2 Mar 2021, at 06:55, Havard Eidnes <he=40uninett.no@dmarc.ietf.org> wrote:
>>>> 
>>>> 
>>>>> 
>>>>> - Switching providers while staying secure requires
>>>>> inter-provider cooperation, including publishing ZSKs from
>>>>> both providers in the DNSKEY RRSET served by both providers.
>>>> 
>>>> What?
>>>> 
>>>> Maybe I just don't understand the context or conditions here, but
>>>> ...
>>>> 
>>>> Isn't it possible to stand up a new signing and publishing setup
>>>> with new ZSKs and new KSKs, and have both the old DS record
>>>> pointing to the old setup's KSK and a new DS record pointing to
>>>> the KSK of the new setup registered in the parent zone, and then
>>>> change the actual delegation (NS records), while still retaining
>>>> both the two DS records for a while until the data from the old
>>>> setup has timed out?
>>>> 
>>>> There is then no need to share the secret part of the KSKs or the
>>>> ZSKs between the old and the new providers, or to include both
>>>> the new and the old ZSKs in the zone.
>>>> 
>>>> Regards,
>>>> 
>>>> - Håvard
>>>> 
>>>> _______________________________________________
>>>> DNSOP mailing list
>>>> DNSOP@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>> 
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>> 
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>