Re: [DNSOP] CDS RRtype - automated KSK rollover
"George Barwood" <george.barwood@blueyonder.co.uk> Thu, 30 June 2011 22:34 UTC
Return-Path: <george.barwood@blueyonder.co.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A15811E8258 for <dnsop@ietfa.amsl.com>; Thu, 30 Jun 2011 15:34:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.846
X-Spam-Level:
X-Spam-Status: No, score=-0.846 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id afzsqk4ZQ6hf for <dnsop@ietfa.amsl.com>; Thu, 30 Jun 2011 15:34:30 -0700 (PDT)
Received: from mtaout01-winn.ispmail.ntl.com (mtaout01-winn.ispmail.ntl.com [81.103.221.47]) by ietfa.amsl.com (Postfix) with ESMTP id E236B11E807E for <dnsop@ietf.org>; Thu, 30 Jun 2011 15:34:29 -0700 (PDT)
Received: from know-smtpout-4.server.virginmedia.net ([62.254.123.4]) by mtaout01-winn.ispmail.ntl.com (InterMail vM.7.08.04.00 201-2186-134-20080326) with ESMTP id <20110630223426.FMWH10265.mtaout01-winn.ispmail.ntl.com@know-smtpout-4.server.virginmedia.net>; Thu, 30 Jun 2011 23:34:26 +0100
Received: from [82.46.65.24] (helo=GeorgeLaptop) by know-smtpout-4.server.virginmedia.net with smtp (Exim 4.63) (envelope-from <george.barwood@blueyonder.co.uk>) id 1QcPoX-000551-Pn; Thu, 30 Jun 2011 23:34:25 +0100
Message-ID: <95A982B76E864EB795A5B322A50EAD32@local>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Stephen Morris <sa.morris7@googlemail.com>, dnsop@ietf.org
References: <3C049373F5284CB7BCD4BEAA0EF0D0DE@local> <4E0C88EA.8050909@googlemail.com>
Date: Thu, 30 Jun 2011 23:33:57 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6109
X-Cloudmark-Analysis: v=1.1 cv=R50lirqlHffDPPkwUlkuVa99MrvKdVWo//yz83qex8g= c=1 sm=0 a=NvRijEmkbiIA:10 a=3NElcqgl2aoA:10 a=8nJEP1OIZ-IA:10 a=mK_AVkanAAAA:8 a=48vgC7mUAAAA:8 a=iy3s7R6rU_hPtDWIKRoA:9 a=Kc96OwhYI445KohxvmQA:7 a=wPNLvfGTeEIA:10 a=f7E4GzFmBzwA:10 a=A2SeYfKJtcwA:10 a=MwQNKhUfhccA:10 a=9xyTavCNlvEA:10 a=lZB815dzVvQA:10 a=YqmONFQEAOCt3lpj:21 a=z6NEcZrDdE32_hyV:21 a=HpAAvcLHHh0Zw7uRqdWCyQ==:117
Subject: Re: [DNSOP] CDS RRtype - automated KSK rollover
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2011 22:34:31 -0000
----- Original Message ----- From: "Stephen Morris" <sa.morris7@googlemail.com> To: <dnsop@ietf.org> Sent: Thursday, June 30, 2011 3:32 PM Subject: Re: [DNSOP] CDS RRtype - automated KSK rollover > On 12/06/2011 20:50, George Barwood wrote: >> I have updated the draft >> >> http://www.ietf.org/id/draft-barwood-dnsop-ds-publish-02.txt >> >> I have added an appendix with an exampler KSK rollover, and made >> various generally minor changes. >> >> IANA have now assigned type code 59 for the CDS RRtype. >> >> I'd like to request that the WG adopt this document. > > Before calling for adoption of this draft or any other similar proposal, > I think we should step back a minute and take a look at the context. > > There was quite a discussion on the subject of "automatic update of DS > records" in this mailing list during February and March last year (the > thread started by Tony Finch at at > http://www.ietf.org/mail-archive/web/dnsop/current/msg08079.html). I'd like to also reference this thread http://www.ietf.org/mail-archive/web/dnsop/current/msg08424.html which references an earlier requirements document from 2004, that is http://tools.ietf.org/html/draft-ietf-dnsop-key-rollover-requirements-02 I think that requirements document is reasonably clear, and I think the earlier thread indicates a reasonable consensus to move forward with satisfying the requirements. > Early on in the discussion, Ed Lewis said: > > "My concern - if the IETF produces a solution for transferring DS > records in-band to the DNS protocol we will repeat a mistake made in > pushing EPP to Full Standard. Pushing EPP to Full Standard is in itself > a true accomplishment and there is no controversy, the process was > followed faithfully. The problem is, once it was Full Standard it was > found to not be applicable to the general population that it was > designed to serve. The protocol works and is interoperable; the > requirements didn't grow as the use cases grew." > > I agree with Ed and think that we before adopting a solution, we > should step back and ask some basic questions such as: > > 1. Is there a problem? > 2. If so, do we agree on the nature of the problem? > 3. If we agree, is the IETF (and in particular, DNSOP) the place to > develop a solution? > > Last year's discussion thread covered a number of issues: at the risk of > missing ones and losing some of the nuances of the discussion, the ones > that stood out when I reviewed it were: > > * Do we need to automatically update DS records? > Current manual procedures were cited as being error-prone (i.e. people > are less likely to notice a mistake in cutting and pasting a DS record > into a web form than doing the same with an NS record), and there was > the suggestion that DS records are likely to need more frequent updating > than NS records. > > * Who is the target audience? > Should the operator/registrant-registrar-registry ecosystem be the > primary or only target audience or should this approach focus on other > parent/child relationships? I believe it's best to leave out discussion of registrars etc, because I think the problem can be properly solved and standardised in a generalised parent/child model. > > * How should we update DS records? > There was some discussion as to whether the update channel should be > from child zone to parent zone, or whether the update should go through > the registrant->registrar->registry path (or variation thereof). With > the latter, EPP was suggested. > > * If we automatically update DS records, why not NS records? > Delegations are frequently broken - if we have a mechanism for > automatically updating DS records, can we use the same mechanism to > update NS records as well? > > * What sort of security issues will arise? > If you use an in-band (i.e. DNS) solution to transfer information from > the child to the parent, how does it cope if the child zone has been > compromised? Well if the child zone ( the secret keys, I assume you mean) are compromised then all security is lost in any case, and I'm not sure much more can be said. Maybe I'm missing some subtlety here. > * What sort of out-of-band communication should exist between parent and > child zones? > It was felt that some form of non-DNS communication needs to exist > between the operators of the parent and child zones to handle initial > zone configuration and to resolve emergencies and the like. That's true. In general it's necessary to have an out-of-band bootstrap mechanism for initial configuration and for reset if the child private keys are lost. That said, it may be possible to have "insecure/opportunistic" auto-configuration in situations where the child has responsibility to verify the parent data. I leave that open in the draft by saying it is parent policy : If the result is insecure, extra checks MAY be performed according to the parent zone policy. > * Does this raise any issues with regards to transferring secure domains > between registrars? > The problems associated with these types of transfers have been > discussed to great extent elsewhere, but they may have a bearing on the > solution. I think that is a distinct issue, although a general in-band mechanism to update the parent DS RRset may well be useful in that situation. In the draft I focus mainly on key rollover, but algorithm rollover is of course also covered, and any other situations that require changes to the parent DS RRset. > So it seems to me that the first step would be to write a draft that > defines the problem and the requirements for a solution. (The > requirements should include real-world requirements, e.g. how do we > assess the potential bypassing of a registrar in changing registry > data?) Solutions can then be measured against that. > Does this sound a reasonable way for the WG to proceed? Is the earlier requirements draft from 2005 (linked above) substantially incomplete in some way? I think that would be a reasonable basis to measure, I would claim that the CDS record is capable of satisfying the requirements expressed there in a natural way. I also think the requirement is actually fairly clear - when implementing KSK rollover, you reach a point where it's clear that something is needed ( other than asking the operator to start cutting and pasting / interfacing with some out-of-band system / whatever). I doubt another cycle of requirements would be productive - we might be here again in 6 years time! Kind regards, George > Stephen > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] CDS RRtype - automated KSK rollover George Barwood
- Re: [DNSOP] CDS RRtype - automated KSK rollover Stephen Morris
- Re: [DNSOP] CDS RRtype - automated KSK rollover Stephen Morris
- Re: [DNSOP] CDS RRtype - automated KSK rollover Antoin Verschuren
- Re: [DNSOP] CDS RRtype - automated KSK rollover Olafur Gudmundsson
- Re: [DNSOP] CDS RRtype - automated KSK rollover Stephen Morris
- Re: [DNSOP] CDS RRtype - automated KSK rollover George Barwood
- Re: [DNSOP] CDS RRtype - automated KSK rollover Chris Thompson
- Re: [DNSOP] CDS RRtype - automated KSK rollover Chris Thompson
- Re: [DNSOP] CDS RRtype - automated KSK rollover George Barwood
- Re: [DNSOP] CDS RRtype - automated KSK rollover Olafur Gudmundsson
- Re: [DNSOP] CDS RRtype - automated KSK rollover Chris Thompson
- Re: [DNSOP] CDS RRtype - automated KSK rollover Joe Abley
- Re: [DNSOP] CDS RRtype - automated KSK rollover Olafur Gudmundsson
- Re: [DNSOP] CDS RRtype - automated KSK rollover Joe Abley
- Re: [DNSOP] CDS RRtype - automated KSK rollover Edward Lewis