IETF Logo Mail Archive

Re: [DNSOP] CDS RRtype - automated KSK rollover

"George Barwood" <george.barwood@blueyonder.co.uk> Thu, 30 June 2011 22:34 UTC

Return-Path: <george.barwood@blueyonder.co.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A15811E8258 for <dnsop@ietfa.amsl.com>; Thu, 30 Jun 2011 15:34:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.846
X-Spam-Level:
X-Spam-Status: No, score=-0.846 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id afzsqk4ZQ6hf for <dnsop@ietfa.amsl.com>; Thu, 30 Jun 2011 15:34:30 -0700 (PDT)
Received: from mtaout01-winn.ispmail.ntl.com (mtaout01-winn.ispmail.ntl.com [81.103.221.47]) by ietfa.amsl.com (Postfix) with ESMTP id E236B11E807E for <dnsop@ietf.org>; Thu, 30 Jun 2011 15:34:29 -0700 (PDT)
Received: from know-smtpout-4.server.virginmedia.net ([62.254.123.4]) by mtaout01-winn.ispmail.ntl.com (InterMail vM.7.08.04.00 201-2186-134-20080326) with ESMTP id <20110630223426.FMWH10265.mtaout01-winn.ispmail.ntl.com@know-smtpout-4.server.virginmedia.net>; Thu, 30 Jun 2011 23:34:26 +0100
Received: from [82.46.65.24] (helo=GeorgeLaptop) by know-smtpout-4.server.virginmedia.net with smtp (Exim 4.63) (envelope-from <george.barwood@blueyonder.co.uk>) id 1QcPoX-000551-Pn; Thu, 30 Jun 2011 23:34:25 +0100
Message-ID: <95A982B76E864EB795A5B322A50EAD32@local>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Stephen Morris <sa.morris7@googlemail.com>, dnsop@ietf.org
References: <3C049373F5284CB7BCD4BEAA0EF0D0DE@local> <4E0C88EA.8050909@googlemail.com>
Date: Thu, 30 Jun 2011 23:33:57 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6109
X-Cloudmark-Analysis: v=1.1 cv=R50lirqlHffDPPkwUlkuVa99MrvKdVWo//yz83qex8g= c=1 sm=0 a=NvRijEmkbiIA:10 a=3NElcqgl2aoA:10 a=8nJEP1OIZ-IA:10 a=mK_AVkanAAAA:8 a=48vgC7mUAAAA:8 a=iy3s7R6rU_hPtDWIKRoA:9 a=Kc96OwhYI445KohxvmQA:7 a=wPNLvfGTeEIA:10 a=f7E4GzFmBzwA:10 a=A2SeYfKJtcwA:10 a=MwQNKhUfhccA:10 a=9xyTavCNlvEA:10 a=lZB815dzVvQA:10 a=YqmONFQEAOCt3lpj:21 a=z6NEcZrDdE32_hyV:21 a=HpAAvcLHHh0Zw7uRqdWCyQ==:117
Subject: Re: [DNSOP] CDS RRtype - automated KSK rollover
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2011 22:34:31 -0000

----- Original Message ----- 
From: "Stephen Morris" <sa.morris7@googlemail.com>
To: <dnsop@ietf.org>
Sent: Thursday, June 30, 2011 3:32 PM
Subject: Re: [DNSOP] CDS RRtype - automated KSK rollover


> On 12/06/2011 20:50, George Barwood wrote:
>> I have updated the draft
>> 
>> http://www.ietf.org/id/draft-barwood-dnsop-ds-publish-02.txt
>> 
>> I have added an appendix with an exampler KSK rollover, and made
>> various generally minor changes.
>> 
>> IANA have now assigned type code 59 for the CDS RRtype.
>> 
>> I'd like to request that the WG adopt this document.
> 
> Before calling for adoption of this draft or any other similar proposal,
> I think we should step back a minute and take a look at the context.
> 
> There was quite a discussion on the subject of "automatic update of DS
> records" in this mailing list during February and March last year (the
> thread started by Tony Finch at at
> http://www.ietf.org/mail-archive/web/dnsop/current/msg08079.html).

I'd like to also reference this thread

http://www.ietf.org/mail-archive/web/dnsop/current/msg08424.html

which references an earlier requirements document from 2004, that is

http://tools.ietf.org/html/draft-ietf-dnsop-key-rollover-requirements-02

I think that requirements document is reasonably clear, and I think the earlier thread
indicates a reasonable consensus to move forward with satisfying the requirements.

> Early on in the discussion, Ed Lewis said:
> 
> "My concern - if the IETF produces a solution for transferring DS
> records in-band to the DNS protocol we will repeat a mistake made in
> pushing EPP to Full Standard. Pushing EPP to Full Standard is in itself
> a true accomplishment and there is no controversy, the process was
> followed faithfully. The problem is, once it was Full Standard it was
> found to not be applicable to the general population that it was
> designed to serve. The protocol works and is interoperable; the
> requirements didn't grow as the use cases grew."
> 
> I agree with Ed and think that we before adopting a solution, we
> should step back and ask some basic questions such as:
> 
> 1. Is there a problem?
> 2. If so, do we agree on the nature of the problem?
> 3. If we agree, is the IETF (and in particular, DNSOP) the place to
> develop a solution?
> 
> Last year's discussion thread covered a number of issues: at the risk of
> missing ones and losing some of the nuances of the discussion, the ones
> that stood out when I reviewed it were:
> 
> * Do we need to automatically update DS records?
> Current manual procedures were cited as being error-prone (i.e. people
> are less likely to notice a mistake in cutting and pasting a DS record
> into a web form than doing the same with an NS record), and there was
> the suggestion that DS records are likely to need more frequent updating
> than NS records.
> 
> * Who is the target audience?
> Should the operator/registrant-registrar-registry ecosystem be the
> primary or only target audience or should this approach focus on other
> parent/child relationships?

I believe it's best to leave out discussion of registrars etc, because I think the problem
can be properly solved and standardised in a generalised parent/child model.
> 
> * How should we update DS records?
> There was some discussion as to whether the update channel should be
> from child zone to parent zone, or whether the update should go through
> the registrant->registrar->registry path (or variation thereof). With
> the latter, EPP was suggested.
> 
> * If we automatically update DS records, why not NS records?
> Delegations are frequently broken - if we have a mechanism for
> automatically updating DS records, can we use the same mechanism to
> update NS records as well?
> 
> * What sort of security issues will arise?
> If you use an in-band (i.e. DNS) solution to transfer information from
> the child to the parent, how does it cope if the child zone has been
> compromised?

Well if the child zone ( the secret keys, I assume you mean) are compromised then all
security is lost in any case, and I'm not sure much more can be said.
Maybe I'm missing some subtlety here.
 
> * What sort of out-of-band communication should exist between parent and
> child zones?
> It was felt that some form of non-DNS communication needs to exist
> between the operators of the parent and child zones to handle initial
> zone configuration and to resolve emergencies and the like.

That's true. In general it's necessary to have an out-of-band bootstrap
mechanism for initial configuration and for reset if the child private keys are lost.
That said, it may be possible to have "insecure/opportunistic" auto-configuration 
in situations where the child has responsibility to verify the parent data.
I leave that open in the draft by saying it is parent policy :

  If the result is insecure, extra checks MAY be performed
  according to the parent zone policy.

> * Does this raise any issues with regards to transferring secure domains
> between registrars?
> The problems associated with these types of transfers have been
> discussed to great extent elsewhere, but they may have a bearing on the
> solution.

I think that is a distinct issue, although a general in-band mechanism to update
the parent DS RRset may well be useful in that situation. In the draft I focus
mainly on key rollover, but algorithm rollover is of course also covered, and
any other situations that require changes to the parent DS RRset.
 
> So it seems to me that the first step would be to write a draft that
> defines the problem and the requirements for a solution. (The
> requirements should include real-world requirements, e.g. how do we
> assess the potential bypassing of a registrar in changing registry
> data?) Solutions can then be measured against that.

> Does this sound a reasonable way for the WG to proceed?

Is the earlier requirements draft from 2005 (linked above) substantially incomplete in some way?
I think that would be a reasonable basis to measure, I would claim that the CDS
record is capable of satisfying the requirements expressed there in a natural way. 
I also think the requirement is actually fairly clear - when implementing KSK rollover,
you reach a point where it's clear that something is needed ( other than asking
the operator to start cutting and pasting / interfacing with some out-of-band system / whatever).
I doubt another cycle of requirements would be productive - we might be here again in 6 years time!

Kind regards,
George
 
> Stephen
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email