Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-update
Edward Lewis <edward.lewis@icann.org> Mon, 15 April 2019 13:21 UTC
Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 987BB120188 for <dnsop@ietfa.amsl.com>; Mon, 15 Apr 2019 06:21:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zXRxLWmV63Ar for <dnsop@ietfa.amsl.com>; Mon, 15 Apr 2019 06:21:46 -0700 (PDT)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D801812017C for <dnsop@ietf.org>; Mon, 15 Apr 2019 06:21:46 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 15 Apr 2019 06:21:45 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Mon, 15 Apr 2019 06:21:45 -0700
From: Edward Lewis <edward.lewis@icann.org>
To: Mark Andrews <marka@isc.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>, Michael StJohns <msj@nthpermutation.com>
Thread-Topic: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-update
Thread-Index: AQHU8zPy6MIqTJVhB0W9RaAKyd6+V6Y9aDkA
Date: Mon, 15 Apr 2019 13:21:44 +0000
Message-ID: <EC649C91-7015-4EAF-839D-5C58D604793C@icann.org>
References: <ec7ed79a-ae9c-bf6e-3ce7-1b529aa894fa@nthpermutation.com> <4CD31719-BC63-4038-9FD0-580B4C04BB64@isc.org> <A65F9777-A9C7-424B-B31C-A0FA33B48198@icann.org> <B3BBEDAE-235A-4BFA-AE49-44EA05CD5003@isc.org>
In-Reply-To: <B3BBEDAE-235A-4BFA-AE49-44EA05CD5003@isc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.16.0.190211
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: text/plain; charset="utf-8"
Content-ID: <2B9D24078DFE674DB30DB61FDEA620F4@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rBkEV9gR1DWNj-0utGJkU8RSRYI>
Subject: Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-update
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2019 13:21:49 -0000
A few follow ups: On 4/14/19, 22:35, "DNSOP on behalf of Mark Andrews" <dnsop-bounces@ietf.org on behalf of marka@isc.org> wrote: >You don’t publish DS records (or trust anchors) for a algorithm until the incoherent state is resolved (incremental signing with the new algorithm is complete). While that makes sense, the protocol can't (not simply doesn't) forbid it. The publisher of the DS resource record set may be a different entity than the publisher of the corresponding DNSKEY resource record set. Because of the possibility of misalignment, the protocol as to be specific in order to be robust. >You can only check if all records are signed with a given algorithm by performing a transfer of a zone and analysing that. There is no way to do it with individual queries. The historic error involved a resolver, upon receipt of a response, declaring a data set invalid when the set of RRSIG resource records did not cover all the DNSSEC security algorithms that the rules for zone signing specified, as opposed to validating the data set in question because there were sufficient records to build a secure chain. >As for the original question, if all the DNSKEYs for a algorithm are revoked I would only be signing the DNSKEY RRset with that algorithm. This makes complete sense, but is not in-line with the letter of the protocol's rules. That's the issue. The consequence of following the protocol's current rules is a lot of deadweight. Namely, unusable RRSIG resource records sent in each reply of authoritative data just to include the DNSSEC security algorithm. The signatures need not make mathematic sense - as no one would need to validate them - with one exception. Where ever there is a division of key responsibilities such as having one organization manage the KSK and a different manage the ZSK, a ZSK may be "forced" to exist by rule and operational configuration. (Removed the remainder of the thread history...)
- [DNSOP] draft-ietf-dnsop-algorithm-update Michael StJohns
- Re: [DNSOP] draft-ietf-dnsop-algorithm-update Mark Andrews
- Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-… Edward Lewis
- Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-… Mark Andrews
- Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-… Edward Lewis
- Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-… Mark Andrews
- Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-… Mark Andrews