Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

Aanchal Malhotra <aanchal4@bu.edu> Thu, 03 August 2017 20:12 UTC

In-Reply-To: <16161C24-1E34-4180-8A07-FE6F78DCEB81@verisign.com>
References: <CAMbs7ks-ZZ-tFpnNkgNx779ct0ns24d+pzKbzQhKuAxVnMUwrA@mail.gmail.com> <2EDD433D-BD40-4A54-BE52-57BC512C5988@verisign.com> <CAMbs7kv63z8K29Hqa4vC=p8DOtiJr96js4jQUx9k7eJ2HopSfg@mail.gmail.com> <16161C24-1E34-4180-8A07-FE6F78DCEB81@verisign.com>
From: Aanchal Malhotra <aanchal4@bu.edu>
Date: Thu, 3 Aug 2017 22:11:27 +0200
Message-ID: <CAMbs7kudQDfCWoshsHOpXX8BFJJMSM2u2kJ_-WR4ebzxQiHhvw@mail.gmail.com>
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qi0TzO6VetuxIKbN7QisAWoJgVM>

On Thu, Aug 3, 2017 at 10:06 PM, Wessels, Duane <dwessels@verisign.com> wrote:

>
> > On Aug 3, 2017, at 12:58 PM, Aanchal Malhotra <aanchal4@bu.edu> wrote:
> >
> > However, I still don't see how it would help in case of trust anchor/KSK
> compromise.
>
> This is why I wrote "I don't know if you consider it a solution."
>
> Even so, I think it could be useful, depending on the nature and scale of
> the zone in question.  For example, if you had to perform an emergency KSK
> rollover you might do something like email a group of administrators with
> instructions to manually update their trust anchors.  RFC 8145 would help
> you know how many administrators followed through on that request.
>

"If the network administrator has an out-of-band method of contacting
resolver administrators that have stored the public key as a trust anchor
(such as e-mail), the network administrator should send out appropriate
warnings and set up a trusted means of disseminating the new trust anchor.
Otherwise, the DNS administrator can do nothing except pre-publish the new
KSK with ample time to give resolver administrators enough time to learn
the new KSK."
Sure, you are right! But my question was for the "Otherwise" situation.

>
> DW
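Added example, not part of the thread and not code from either poster: a way to do what Duane describes, using RFC 8145 key tag signals to see how many resolvers have picked up a new KSK after a rollover. Resolvers that implement RFC 8145 periodically send a query whose QNAME is `_ta-` followed by the hex key tags of the trust anchors they hold for a zone (e.g. `_ta-070b-0911.example.`), so a zone's authoritative server logs show, per resolver source address, which KSKs are still trusted. The script computes the old and new key tags from DNSKEY RDATA (RFC 4034 Appendix B), then walks a query log and counts resolvers that signal the new tag against those still signalling only the old one. The log format, the DNSKEY RDATA bytes and all addresses are constructed for this example; the hex key tags in the sample log are derived from that constructed RDATA, not from any real zone.

```python
import re
from collections import defaultdict

# --- RFC 4034 Appendix B: key tag over the DNSKEY RDATA (flags|protocol|algorithm|public key).
# Applies to every algorithm except the obsolete algorithm 1 (RSA/MD5), which uses a different rule.
def key_tag(rdata: bytes) -> int:
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# --- RFC 8145 key tag query: QNAME "_ta-XXXX[-YYYY...]" prepended to the trust anchor's zone,
# each XXXX a 4-digit hex key tag. Zone is taken as the part after the label; no suffix means root.
KEYTAG_RE = re.compile(r'^_ta((?:-[0-9a-f]{4})+)(?:\.(.*))?$')

def parse_keytag_query(qname: str):
    """Return (zone, tuple_of_tags) for a key-tag signal QNAME, or None for any other name."""
    m = KEYTAG_RE.match(qname.lower())
    if not m:
        return None
    tags = tuple(int(t, 16) for t in m.group(1).split('-')[1:])
    return (m.group(2) or '.', tags)

# Constructed log format (assumption): <timestamp> <client-ip> <qname> <qclass> <qtype>
LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$')

def rollover_uptake(log_lines, zone: str, old_tag: int, new_tag: int) -> dict:
    """Keep each resolver's most recent key-tag signal for `zone` and classify it.

    Assumes log lines are in time order, so a later signal supersedes an earlier one.
    Only resolvers that implement RFC 8145 ever appear here; silence tells you nothing.
    """
    latest = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, client, qname, _, _ = m.groups()
        parsed = parse_keytag_query(qname)
        if parsed is None or parsed[0] != zone.lower():
            continue
        latest[client] = set(parsed[1])
    have_new = {c for c, tags in latest.items() if new_tag in tags}
    old_only = {c for c, tags in latest.items() if old_tag in tags and new_tag not in tags}
    return {
        'signalling': len(latest),       # resolvers that sent any signal for this zone
        'have_new': len(have_new),       # resolvers that now trust the new KSK
        'old_only': sorted(old_only),    # resolvers still trusting only the old (compromised) KSK
    }

# Constructed DNSKEY RDATA for the old and new KSK (real keys are far longer); only the tag matters.
OLD_KSK_RDATA = bytes([0x01, 0x01, 0x03, 0x08, 0x03, 0x01, 0x00, 0x01])  # key tag 0x070b
NEW_KSK_RDATA = bytes([0x01, 0x01, 0x03, 0x08, 0x05, 0x07, 0x00, 0x01])  # key tag 0x0911

# Constructed query log: four resolvers signal for example., one sends an unrelated A query
# and a signal for the root zone, both of which must be ignored.
SAMPLE_LOG = """\
2017-08-03T20:00:01Z 192.0.2.10   _ta-070b.example.      IN NULL
2017-08-03T20:00:05Z 192.0.2.11   _ta-070b.example.      IN NULL
2017-08-03T20:05:00Z 198.51.100.7 _ta-070b-0911.example. IN NULL
2017-08-03T20:06:00Z 192.0.2.10   _ta-070b-0911.example. IN NULL
2017-08-03T20:06:30Z 192.0.2.12   _ta-0911.example.      IN NULL
2017-08-03T20:07:00Z 203.0.113.9  www.example.           IN A
2017-08-03T20:08:00Z 203.0.113.9  _ta-4f66.              IN NULL
""".splitlines()

def report(log_lines=SAMPLE_LOG, zone='example.') -> dict:
    old, new = key_tag(OLD_KSK_RDATA), key_tag(NEW_KSK_RDATA)
    r = rollover_uptake(log_lines, zone, old, new)
    print(f"old KSK tag {old} (0x{old:04x}), new KSK tag {new} (0x{new:04x})")
    print(f"{r['have_new']} of {r['signalling']} signalling resolvers hold the new KSK; "
          f"still trusting only the old one: {', '.join(r['old_only']) or 'none'}")
    return r

if __name__ == '__main__':
    report()
```

The `old_only` list is the set the out-of-band warning has to reach; the method only observes resolvers that send RFC 8145 signals, so it bounds how many followed through among those, not among every resolver that holds the old trust anchor.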