[DNSOP] Why new code/old keys? Re: [Ext] Re: sentinel and timing?

Edward Lewis <edward.lewis@icann.org> Thu, 08 February 2018 14:19 UTC

From: Edward Lewis <edward.lewis@icann.org>
To: dnsop <dnsop@ietf.org>
Date: Thu, 08 Feb 2018 14:18:55 +0000
Message-ID: <564E7616-6B47-48E2-B3DC-68A22032F441@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tiGuX4ll-EZL1H0vjB1gOJQCpAg>

On 2/8/18, 01:02, "DNSOP on behalf of Paul Wouters" wrote:
>We have a giant hole in our understanding of why there are updated nameservers running the latest software with the older keys.

If just to spread rumors, I heard the following as early as November, 2016.  One of the issues is that operators update code without updating configuration files.  I.e., a BIND upgraded today might be using a configuration file from the pre-managed-key days.

I am not saying this theory has been put to the test, but it is compelling.  This hypothesis is in the ICANN deck on the KSK rollover used throughout 2017 (until the postponement).
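One way to test the stale-configuration hypothesis on a resolver fleet, as an added example that is neither part of this message nor BIND's own code: it scans a named.conf for the old static `trusted-keys` form versus `managed-keys` / `dnssec-validation auto` (RFC 5011) for the root anchor, and computes the key tag of each pinned key per RFC 4034 Appendix B so an operator can see which KSK the file actually trusts. It assumes the pre-9.16 BIND statement names, that a `trusted-keys` entry overrides a managed key of the same name, and uses constructed configuration fragments with placeholder key material.

```python
"""Audit a named.conf for how the root trust anchor is configured (added example, not from the thread)."""
import base64
import re
import struct


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# A key entry: name, optional "initial-key" (managed-keys syntax), flags/protocol/algorithm, quoted base64.
KEY_RE = re.compile(r'"(?P<name>[^"]+)"\s+(?:initial-key\s+)?(?P<flags>\d+)\s+(?P<proto>\d+)'
                    r'\s+(?P<alg>\d+)\s+"(?P<b64>[^"]+)"\s*;')
BLOCK_RE = re.compile(r'\b(trusted-keys|managed-keys)\s*\{(.*?)\};', re.S)
COMMENT_RE = re.compile(r'(?m)(?:^|(?<=\s))(?://|#).*$')  # "//" inside base64 is never whitespace-preceded


def audit_named_conf(text: str) -> dict:
    """Report every pinned anchor (name, key tag) and whether the root anchor can follow an RFC 5011 rollover."""
    text = COMMENT_RE.sub("", text)
    anchors = {"trusted-keys": [], "managed-keys": []}
    for kind, body in BLOCK_RE.findall(text):
        for m in KEY_RE.finditer(body):
            pub = base64.b64decode("".join(m.group("b64").split()))
            tag = key_tag(int(m.group("flags")), int(m.group("proto")), int(m.group("alg")), pub)
            anchors[kind].append((m.group("name"), tag))
    auto = re.search(r'dnssec-validation\s+auto\s*;', text) is not None
    static_root = any(name == "." for name, _ in anchors["trusted-keys"])
    managed_root = auto or any(name == "." for name, _ in anchors["managed-keys"])
    # A trusted-keys entry never changes on its own, and (assumption stated in the lead-in) it overrides a
    # managed or built-in key of the same name, so a leftover one pins the resolver to the old KSK.
    return {"anchors": anchors, "dnssec_validation_auto": auto, "static_root_anchor": static_root,
            "root_follows_rfc5011": managed_root and not static_root}


# Constructed fragments; the key material is a placeholder, not a real root KSK.
OLD_STYLE_CONF = '''options { dnssec-validation yes; };
trusted-keys { "." 257 3 8 "AQIDBA=="; };   // pre-managed-keys era configuration
'''
CURRENT_STYLE_CONF = '''options { dnssec-validation auto; };
managed-keys { "." initial-key 257 3 8 "AQIDBA=="; };
'''

if __name__ == "__main__":
    for label, conf in (("old", OLD_STYLE_CONF), ("current", CURRENT_STYLE_CONF)):
        print(label, audit_named_conf(conf))
```

Run against each resolver's live named.conf (including files pulled in via `include`), a root entry under `trusted-keys` is exactly the "new code, old configuration" case the message describes.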