[DNSOP] Changes since draft-ietf-dnsop-rfc4641bis-13
Matthijs Mekking <matthijs@nlnetlabs.nl> Tue, 16 October 2012 14:03 UTC
Return-Path: <matthijs@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEF3F21F8873 for <dnsop@ietfa.amsl.com>; Tue, 16 Oct 2012 07:03:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.492
X-Spam-Level:
X-Spam-Status: No, score=-102.492 tagged_above=-999 required=5 tests=[AWL=0.107, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lcm7VkCTLH6z for <dnsop@ietfa.amsl.com>; Tue, 16 Oct 2012 07:03:25 -0700 (PDT)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7737721F873A for <dnsop@ietf.org>; Tue, 16 Oct 2012 07:03:19 -0700 (PDT)
Received: from [213.154.224.18] (zoidberg.nlnetlabs.nl [213.154.224.18]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.5/8.14.4) with ESMTP id q9GE3ABt009810 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Tue, 16 Oct 2012 16:03:11 +0200 (CEST) (envelope-from matthijs@nlnetlabs.nl)
X-DKIM: OpenDKIM Filter v2.6.7 open.nlnetlabs.nl q9GE3ABt009810
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1350396194; bh=D7DHZNgqbtP/qdPZl1BVAIOo1LaPPkmkSjd5Jnpxon4=; h=Date:From:To:CC:Subject; b=wq/NtFnLLlHgTTC4+9UAYMBQjjyQfS/Py27yyLx/Mc5FPE6U5v16XhWuGj8gRi+xE el1S+3yBwNaG13h0N7JRYMTtWQfJxoOcC2THYX9QxOO3bl6Sg1zV2Yp64m7r7UFOY1 ilGPLaAE/ydwJbaiZ3ZMz/q6F4r5Z5OsHLsWNtHk=
Message-ID: <507D691F.9000404@nlnetlabs.nl>
Date: Tue, 16 Oct 2012 16:03:11 +0200
From: Matthijs Mekking <matthijs@nlnetlabs.nl>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121011 Thunderbird/16.0.1
MIME-Version: 1.0
To: dnsop@ietf.org
X-Enigmail-Version: 1.4.5
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="------------enigA11AA4F89E559048A97F57C4"
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (open.nlnetlabs.nl [213.154.224.1]); Tue, 16 Oct 2012 16:03:12 +0200 (CEST)
Cc: Ronald Bonica <rbonica@juniper.net>, Peter Koch <pk@ISOC.DE>, Miek Gieben <miek.gieben@sidn.nl>, bclaise@cisco.com, Stephen Morris <sa.morris7@googlemail.com>
Subject: [DNSOP] Changes since draft-ietf-dnsop-rfc4641bis-13
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2012 14:03:27 -0000
Hi all,
The document draft-ietf-dnsop-rfc464bis-13 has seen some issues while
being in AUTH and RCF-EDITOR state. This e-mail will list all the
suggested changes to address those issues.
* Issue in section 4.1.2. Key Signing Key Rollovers
There is a missing necessary wait: The old DNSKEY RRset must expire from
caches before the parent can change the DS RRset.
Old text:
new DNSKEY: During the "new DNSKEY" phase, the zone administrator
generates a second KSK, DNSKEY_K_2. The key is provided to the
parent, and the child will have to wait until a new DS RR has been
generated that points to DNSKEY_K_2. After that DS RR has been
published on all servers authoritative for the parent's zone, the
zone administrator has to wait at least TTL_DS to make sure that
the old DS RR has expired from caches.
DS change: The parent replaces DS_K_1 with DS_K_2.
New text:
new DNSKEY: During the "new DNSKEY" phase, the zone administrator
generates a second KSK, DNSKEY_K_2, introduces it into the key
set, and signs the new key set with both the old and new KSKs.
The minimum duration of this phase is the time it takes for
the data to propagate to the authoritative servers, plus TTL value
of the key set.
DS change: The new key is provided to the parent. The child will
have to wait until the parent replaces DS_K_1 with DS_K_2. After
the new DS RR has been published on all servers authoritative for
the parent's zone, the zone administrator has to wait at least
TTL_DS to make sure that the old DS RR has expired from caches.
* Issue in section 4.1.3. Single Type Signing Scheme Key Rollover
Not all signatures can skip pre-publication, the new key must sign the
DNSKEY RRset before the DS change, even if signing the rest of the zone
is delayed.
Old text:
This rollover has the drawback that it introduces double signatures
over all data of the zone. Taking these zone size considerations
into account, it is possible to not introduce the signatures made
with DNSKEY_S_2 at the "new DNSKEY" step. Instead, signatures of
DNSKEY_S_1 are replaced with signatures of DNSKEY_S_2 in an
additional stage between the "DS change" and "DNSKEY removal" step:
After the DS RRset containing DS_S_1 has expired from distant caches,
the signatures can be swapped. Only after the new signatures made
with DNSKEY_S_2 have been propagated, the old public key DNSKEY_S_1
can be removed from the DNSKEY RRset.
New text:
This rollover has the drawback that it introduces double signatures
over all data of the zone. Taking these zone size considerations
into account, it is possible to not introduce the signatures made
with DNSKEY_S_2 at the "new DNSKEY" step, except for the signature
over the DNSKEY RRset. Instead, signatures of DNSKEY_S_1 in the rest
of the zone are replaced with signatures of DNSKEY_S_2 in an
additional stage between the "DS change" and "DNSKEY removal" step:
After the DS RRset containing DS_S_1 has expired from distant caches,
the signatures can be swapped. Only after the new signatures made
with DNSKEY_S_2 have been propagated, the old public key DNSKEY_S_1
can be removed from the DNSKEY RRset.
* Issue on Section 4.3.5.1. Cooperating DNS operators
The decision is to handle only one scenario, the alternative approach
from the appendix, and remove the utterly complex, drawback heavy
scenario that is now described first in the document. I'll post the old
and new contents of the section below (warning: it is a bit long). In
addition, Appendix D. Transition Figure for Changing DNS Operators is
removed.
Old text:
In this scenario, it is assumed that the losing operator will not
pass any private key material to the gaining operator (that would
constitute a trivial case) but is otherwise fully cooperative.
In this environment, the change could be made with a Pre-Publish ZSK
rollover whereby the losing operator pre-publishes the ZSK of the
gaining operator, combined with a Double Signature KSK rollover where
the two registrars exchange public keys and independently generate a
signature over those key sets that they combine and both publish in
their copy of the zone. Once that is done they can use their own
private keys to sign any of their zone content during the transfer.
------------------------------------------------------------
initial | pre-publish |
------------------------------------------------------------
Parent:
NS_A NS_A
DS_A DS_A
------------------------------------------------------------
Child at A: Child at A: Child at B:
SOA_A0 SOA_A1 SOA_B0
RRSIG_Z_A(SOA) RRSIG_Z_A(SOA) RRSIG_Z_B(SOA)
NS_A NS_A NS_B
RRSIG_Z_A(NS) NS_B RRSIG_Z_B(NS)
RRSIG_Z_A(NS)
DNSKEY_Z_A DNSKEY_Z_A DNSKEY_Z_A
DNSKEY_Z_B DNSKEY_Z_B
DNSKEY_K_A DNSKEY_K_A DNSKEY_K_A
DNSKEY_K_B DNSKEY_K_B
RRSIG_K_A(DNSKEY) RRSIG_K_A(DNSKEY) RRSIG_K_A(DNSKEY)
RRSIG_K_B(DNSKEY) RRSIG_K_B(DNSKEY)
------------------------------------------------------------
------------------------------------------------------------
redelegation | post migration |
------------------------------------------------------------
Parent:
NS_B NS_B
DS_B DS_B
------------------------------------------------------------
Child at A: Child at B: Child at B:
SOA_A1 SOA_B0 SOA_B1
RRSIG_Z_A(SOA) RRSIG_Z_B(SOA) RRSIG_Z_B(SOA)
NS_A NS_B NS_B
NS_B RRSIG_Z_B(NS) RRSIG_Z_B(NS)
RRSIG_Z_A(NS)
DNSKEY_Z_A DNSKEY_Z_A
DNSKEY_Z_B DNSKEY_Z_B DNSKEY_Z_B
DNSKEY_K_A DNSKEY_K_A
DNSKEY_K_B DNSKEY_K_B DNSKEY_K_B
RRSIG_K_A(DNSKEY) RRSIG_K_A(DNSKEY)
RRSIG_K_B(DNSKEY) RRSIG_K_B(DNSKEY) RRSIG_K_B(DNSKEY)
------------------------------------------------------------
Figure 10: Rollover for cooperating operators
In this figure A denotes the losing operator and B the gaining
operator. RRSIG_Z is the RRSIG produced by a ZSK, RRSIG_K is
produced with a KSK, the appended A or B indicates the producers of
the key pair. "Child at A" is how the zone content is represented by
the losing DNS operator and "Child at B" is how the zone content is
represented by the gaining DNS operator.
The zone is initially delegated from the parent to the name servers
of operator A. Operator A uses his own ZSK and KSK to sign the zone.
The cooperating operator A will pre-publish the new NS record and the
ZSK and KSK of operator B, including the RRSIG over the DNSKEY RRset
generated by the KSK of B. Operator B needs to publish the same
DNSKEY RRset. When that DNSKEY RRset has populated the caches, the
re-delegation can be made, which involves adjusting the NS and DS
records in the parent zone to point to operator B. And after all
DNSSEC records related to A have expired from the caches, operator B
can stop publishing the keys and signatures belonging to operator A
and vice versa.
The requirement to exchange signatures has a couple of drawbacks. It
requires more operational overhead, because not only the operators
have to exchange public keys, they also have to exchange the
signatures of the new DNSKEY RRset. This drawback does not exist if
the Double Signature KSK rollover is replaced with a Double-DS KSK
rollover. See Figure 15 in Appendix D for the diagram.
Thus, if the registry and registrars allow DS records to be published
that do not point to a published DNSKEY in the child zone, the
Double-DS KSK rollover is preferred (see Figure 5), in combination
with the Pre-Publish ZSK rollover. This does not require sharing the
KSK signatures between the operators, but both operators still have
to publish each others ZSKs.
New text:
In this scenario, it is assumed that the losing operator will not
pass any private key material to the gaining operator (that would
constitute a trivial case) but is otherwise fully cooperative.
In this environment, the change could be made with a Pre-Publish ZSK
rollover whereby the losing operator pre-publishes the ZSK of the
gaining operator, combined with a Double-DS KSK rollover. Once that
is done they can use their own private keys to sign any of their zone
content during the transfer.
------------------------------------------------------------
initial | new DS and pre-publish |
------------------------------------------------------------
Parent:
NS_A NS_A
DS_A DS_A DS_B
------------------------------------------------------------
Child at A: Child at A: Child at B:
SOA_A0 SOA_A1 SOA_B0
RRSIG_Z_A(SOA) RRSIG_Z_A(SOA) RRSIG_Z_B(SOA)
NS_A NS_A NS_B
RRSIG_Z_A(NS) RRSIG_Z_A(NS) RRSIG_Z_B(NS)
DNSKEY_Z_A DNSKEY_Z_A DNSKEY_Z_A
DNSKEY_Z_B DNSKEY_Z_B
DNSKEY_K_A DNSKEY_K_A DNSKEY_K_B
RRSIG_K_A(DNSKEY) RRSIG_K_A(DNSKEY) RRSIG_K_B(DNSKEY)
------------------------------------------------------------
------------------------------------------------------------
re-delegation | post migration |
------------------------------------------------------------
Parent:
NS_B NS_B
DS_A DS_B DS_B
------------------------------------------------------------
Child at A: Child at B: Child at B:
SOA_A1 SOA_B0 SOA_B1
RRSIG_Z_A(SOA) RRSIG_Z_B(SOA) RRSIG_Z_B(SOA)
NS_B NS_B NS_B
RRSIG_Z_A(NS) RRSIG_Z_B(NS) RRSIG_Z_B(NS)
DNSKEY_Z_A DNSKEY_Z_A
DNSKEY_Z_B DNSKEY_Z_B DNSKEY_Z_B
DNSKEY_K_A DNSKEY_K_B DNSKEY_K_B
RRSIG_K_A(DNSKEY) RRSIG_K_B(DNSKEY) RRSIG_K_B(DNSKEY)
------------------------------------------------------------
Figure 10: Rollover for cooperating operators
In this figure A denotes the losing operator and B the gaining
operator. RRSIG_Z is the RRSIG produced by a ZSK, RRSIG_K is
produced with a KSK, the appended A or B indicates the producers of
the key pair. "Child at A" is how the zone content is represented by
the losing DNS operator and "Child at B" is how the zone content is
represented by the gaining DNS operator.
The zone is initially delegated from the parent to the name servers
of operator A. Operator A uses his own ZSK and KSK to sign the zone.
In the second stage, 'new DS and pre-publish', the cooperating
operator A will pre-publish the ZSK of operator B, while the new
operator B publishes the ZSK of operator A. Both operators sign their
zone with their own ZSKs and KSKs. At the same time, operator B can
pre-publish the new DS record, DS_B, that delegates to the KSK of
operator B.
When the old DNSKEY and DS RRsets have expired from the caches, i.e.
all the resolvers are still using the delegation of the old operator
but are prepared to trust the delegation to the new operator, the
re-delegation can be made. This involves adjusting the NS RRset in
the parent zone to point to operator B. To ensure resolvers switch
from A to B, operator A should also change its NS records to point to
operator B. In the post migration stage, when all RRSIG records
related to A have expired from the caches, operator B can stop
publishing the keys belonging to operator A and the DS record
belonging to operator A, DS_A, can be removed from the parent zone.
- [DNSOP] Changes since draft-ietf-dnsop-rfc4641bis… Matthijs Mekking
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Tony Finch
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Antoin Verschuren
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Miek Gieben
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Niall O'Reilly
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Olafur Gudmundsson
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Edward Lewis
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Antoin Verschuren
- Re: [DNSOP] Changes since draft-ietf-dnsop-rfc464… Matthijs Mekking