Re: [DNSOP] public consultation on root zone KSK rollover

Tony Finch <dot@dotat.at> Sat, 06 April 2013 09:22 UTC

References: <87B5FB9E-755D-4E75-A54E-7A17B6AAF21A@hopcount.ca> <8D361F63-C433-4B11-BC26-37D1F550D463@vpnc.org> <20130403151735.GA20820@nic.fr> <20130403163826.GA46759@isc.org> <76E16FA9-84E0-4091-9ECA-5DB0A5BCA90A@dotat.at> <8811862356902250422@unknownmsgid>
In-Reply-To: <8811862356902250422@unknownmsgid>
Message-Id: <E2559F6A-4C20-4227-B000-9152B0A41AED@dotat.at>
From: Tony Finch <dot@dotat.at>
Date: Sat, 06 Apr 2013 10:22:24 +0100
To: Joe Abley <jabley@hopcount.ca>
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: Evan Hunt <each@isc.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] public consultation on root zone KSK rollover

On 6 Apr 2013, at 10:04, Joe Abley <jabley@hopcount.ca> wrote:
> On 2013-04-06, at 16:55, Tony Finch <dot@dotat.at> wrote:
>> 
>> Validator vendors have to provide an out-of-band trust anchor update mechanism to cope with this. It needs to be coded and included in long-term support releases of validators and operating systems before rollover, I think.
> 
> draft-jabley-dnsop-validator-bootstrap.

Still needs implementation.

My point about trustworthiness is that there is (as far as I know) no documentation of how the private keys are managed for the certificates / signatures on the trust anchor files, which rather undermines the elaborate root KSK management. I am also worried about being vulnerable to a screwup by any number of CAs; it would be good to pin the list of CA certs that might be used to verify the DNS trust anchor signatures.

Tony.
--
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
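The CA pinning the message asks for, as an added example that is not part of this message, of the DNSOP thread, or of any ICANN/IANA tooling: a POSIX shell script that uses openssl to verify a detached PKCS#7 signature over a trust-anchor file against one pinned issuer certificate, then runs the same check against a bundle standing in for "every CA the host trusts" to show the screwup-by-any-CA exposure. Every key, certificate and the anchor XML are generated or constructed locally; the file names root-anchors.xml / root-anchors.p7s follow IANA's naming but the contents are made up, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original message or from ICANN/IANA tooling):
# verify a trust-anchor file's detached PKCS#7 signature against a PINNED
# issuer certificate rather than the host's whole trust store. All keys,
# certificates and the anchor file are generated here and are constructed
# test data; only the file names follow the real root-anchors.{xml,p7s}.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA; $1 is a short name used for the file names.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1 CA" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" >/dev/null 2>&1
}

# End-entity signing certificate: $1 = issuing CA name, $2 = signer name.
# Both signers below get the same subject, so only the issuer tells them apart.
issue_signer() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Trust Anchor Signer" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-ca.pem" \
        -CAkey "$WORK/$1-ca.key" -CAcreateserial -days 365 \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Publisher's side: detached DER PKCS#7 signature over content $1, written
# to $2, made with certificate $3 and private key $4.
sign_anchor() {
    openssl smime -sign -binary -in "$1" -outform DER -out "$2" \
        -signer "$3" -inkey "$4" >/dev/null 2>&1
}

# Validator's side. $1 = file holding the pinned CA cert(s), $2 = .p7s,
# $3 = .xml. Succeeds only if the signature is good AND the signer chains to
# a certificate in $1. -no-CApath matters: without it OpenSSL also consults
# the system hash directory, which quietly turns the pin into "any CA".
verify_anchor() {
    openssl smime -verify -binary -inform DER -in "$2" -content "$3" \
        -CAfile "$1" -no-CApath -out /dev/null >/dev/null 2>&1
}

# Constructed anchor file; the digest is a placeholder, not a real root DS.
cat >"$WORK/root-anchors.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="constructed-example" source="local test data">
  <Zone>.</Zone>
  <KeyDigest id="constructed" validFrom="2013-04-06T00:00:00+00:00">
    <KeyTag>12345</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF</Digest>
  </KeyDigest>
</TrustAnchor>
EOF
# What someone who controls *some* CA might publish instead.
sed 's/<KeyTag>12345</<KeyTag>54321</' "$WORK/root-anchors.xml" >"$WORK/tampered.xml"

make_ca publisher                      # the CA the validator pins
make_ca other                          # an unrelated CA the host also trusts
issue_signer publisher good-signer
issue_signer other rogue-signer

sign_anchor "$WORK/root-anchors.xml" "$WORK/root-anchors.p7s" \
    "$WORK/good-signer.pem" "$WORK/good-signer.key"
sign_anchor "$WORK/tampered.xml" "$WORK/tampered.p7s" \
    "$WORK/rogue-signer.pem" "$WORK/rogue-signer.key"
# Stand-in for /etc/ssl/certs: every CA the host trusts, in one bundle.
cat "$WORK/publisher-ca.pem" "$WORK/other-ca.pem" >"$WORK/system-bundle.pem"

# Report one verification attempt: $1 = label, $2 = CA file, $3 = .p7s, $4 = .xml
report() {
    if verify_anchor "$2" "$3" "$4"; then echo "$1: ACCEPTED"; else echo "$1: rejected"; fi
}

report "genuine file, pinned CA     " "$WORK/publisher-ca.pem" "$WORK/root-anchors.p7s" "$WORK/root-anchors.xml"
report "tampered file, pinned CA    " "$WORK/publisher-ca.pem" "$WORK/tampered.p7s" "$WORK/tampered.xml"
report "tampered file, system bundle" "$WORK/system-bundle.pem" "$WORK/tampered.p7s" "$WORK/tampered.xml"
```

The third line of output is the exposure the message describes: the tampered file carries a perfectly valid signature from a certificate that some trusted CA issued, and a validator that accepts any CA in the host store accepts it, while the pinned check rejects it. `openssl cms` takes the same options and is the modern spelling of `smime`; on OpenSSL 3 also pass `-no-CAstore`, since that release has a third default lookup. Note what this does and does not cover: it pins only the signature check, so the pinned certificate still has to be shipped inside the validator package or OS for the pin to mean anything, and the validator still has to compare the KeyDigest entries against the DNSKEY RRset it fetches.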