Re: [DNSOP] Fwd: NewVersion Notificationfor draft-mekking-dnsop-auto-cpsync-00
Matthijs Mekking <matthijs@NLnetLabs.nl> Wed, 30 June 2010 17:31 UTC
Return-Path: <matthijs@nlnetlabs.nl>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 017B53A6AA4 for <dnsop@core3.amsl.com>; Wed, 30 Jun 2010 10:31:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X0PbgmVPl6bb for <dnsop@core3.amsl.com>; Wed, 30 Jun 2010 10:31:09 -0700 (PDT)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by core3.amsl.com (Postfix) with ESMTP id 74F553A6843 for <dnsop@ietf.org>; Wed, 30 Jun 2010 10:31:02 -0700 (PDT)
Received: from [192.168.1.8] (ip123-112-174-82.adsl2.static.versatel.nl [82.174.112.123]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.3/8.14.3) with ESMTP id o5UHVAIv093205 for <dnsop@ietf.org>; Wed, 30 Jun 2010 19:31:11 +0200 (CEST) (envelope-from matthijs@nlnetlabs.nl)
Message-ID: <4C2B7F73.2010605@nlnetlabs.nl>
Date: Wed, 30 Jun 2010 19:31:31 +0200
From: Matthijs Mekking <matthijs@NLnetLabs.nl>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100423 Thunderbird/3.0.4
MIME-Version: 1.0
To: dnsop@ietf.org
References: <4C29F2FA.1000907@nlnetlabs.nl> <4C29FE8F.6030002@nlnetlabs.nl><DD056A31A84CFC4AB501BD56D1E14BBB826B70@exchange.secure64.com> <4C2A0696.7080204@ripe.net> <DD056A31A84CFC4AB501BD56D1E14BBB826B87@exchange.secure64.com>
In-Reply-To: <DD056A31A84CFC4AB501BD56D1E14BBB826B87@exchange.secure64.com>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.3 (open.nlnetlabs.nl [213.154.224.1]); Wed, 30 Jun 2010 19:31:11 +0200 (CEST)
Subject: Re: [DNSOP] Fwd: NewVersion Notificationfor draft-mekking-dnsop-auto-cpsync-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jun 2010 17:31:57 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stephan, There were acknowledged some drawbacks of using DNSSEC as the security channel in this specific case. One is that you still do not cover unscheduled key rollovers, as that event may occur as a result of a compromised key. It is possible to cover if you use a different security channel, as is described in the section 'Security Considerations'. Another drawback is that a proxy parent (for example the registrar) might not have the appropriate material available to use DNSSEC verification. Also, the intention of the memo is to provide a more general solution to synchronize records between child and parent, which covers all required records (not only DS) and can be used in all situations. Best regards, Matthijs On 06/29/2010 05:15 PM, Stephan Lagerholm wrote: > Hi Wolfgang, > > My concern was not about the updates but rather about the gigantic > number of keys a busy parent would have to create, revoke, store, renew, > etc. > > It doesn't make sense to me to utilize symmetric encryption (such as > TSIG) to solve this problem. A scheme that utilized an asymmetric key > would be a much better fit. DNSSEC itself would be a strong candidate > here. > > Thanks, S > ---------------------------------------------------------------------- > Stephan Lagerholm > Senior DNS Architect, M.Sc. ,CISSP > Secure64 Software Corporation, www.secure64.com > Cell: 469-834-3940 > >> -----Original Message----- >> From: dnsop-bounces@ietf.org [mailto:dnsop-bounces@ietf.org] On Behalf > Of >> Wolfgang Nagele >> Sent: Tuesday, June 29, 2010 9:44 AM >> To: Stephan Lagerholm >> Cc: dnsop@ietf.org; Matthijs Mekking >> Subject: Re: [DNSOP] Fwd: NewVersion Notificationfor > draft-mekking-dnsop- >> auto-cpsync-00 >> >> Hi Stephan, >> >>> I like this draft but I'm a little bit concerned about the > scalability. >>> How will a busy parent provision a unique secret key for each of the >>> child? >> Do you mean the scalability for capacity on the update server side? >> Although >> BIND might not be able to scale this out of the box, the example has > only >> been >> given in the draft to have a hands-on way for ppl to try this draft. >> >> In reality it should not be a major issue to receive those DNS updates > and >> process them (with or without signatures) - similar efforts are > currently >> made >> for each request to change NS-sets on the parent (admittedly those > might >> happen >> less frequent). >> >>> And how will this key be transported between the parent and the >>> child in a secure way? >> The same way a parent is currently providing a domain owner with >> credentials for >> their management interfaces. If a domain owner has specific > requirements >> in >> terms of security on that channel it is something where registrars can >> offer >> whatever their customers demand. >> >> Regards, >> Wolfgang >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMK39zAAoJEA8yVCPsQCW5dPQIAMrzIXKfb3CnhCeAaZA5K6h7 RxLHEnCTh/NQvvFEOTWL+3zeBPP1CL3GO0meXFTUNw7e8kvjmKp7HvYz/3sHafFt y6wbSmWfWCTgfXbDQfPXd3yxeY1JJBnDWfEbPISvYytB3AIV2YkfXSwa/OtpiFxz FehVVToLllLARqMEpRuG+EWZZtEojDaPbJfDhyongixwPpaqD3nBzc9tnTkZIUby 4Ld0XZ+6pnBQdIIHXsulf7RxN/0uvwTR0PblLM38mmKB+nd4jebXsm4FjGiIX7zr k6PXUQsoJdnAsa+TO4+ZF+/7Vl7IolYQo3O5D+3qwd30gWXSmwZxzgVN9NBw/7g= =JkPp -----END PGP SIGNATURE-----
- Re: [DNSOP] Fwd: New Version Notificationfor draf… Wolfgang Nagele
- [DNSOP] Fwd: New Version Notification for draft-m… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notificationfor draf… Stephan Lagerholm
- Re: [DNSOP] Fwd: NewVersion Notificationfor draft… Stephan Lagerholm
- Re: [DNSOP] Fwd: NewVersion Notificationfor draft… Wolfgang Nagele
- Re: [DNSOP] Fwd: New Version Notificationfor draf… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification fordraf… George Barwood
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Stephan Lagerholm
- Re: [DNSOP] Fwd: New Version Notificationfordraft… George Barwood
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Tony Finch
- Re: [DNSOP] Fwd: NewVersion Notificationfor draft… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notification fordraf… Wolfgang Nagele
- Re: [DNSOP] Fwd: New Version Notification fordraf… Shane Kerr
- Re: [DNSOP] Fwd: New Version Notification fordraf… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notificationfordraft… George Barwood
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Wolfgang Nagele
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notificationfordraft… George Barwood
- Re: [DNSOP] Fwd: New Version Notification fordraf… George Barwood
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Andrew Sullivan
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Wolfgang Nagele
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Jakob Schlyter
- Re: [DNSOP] Fwd: New Version Notificationfordraft… Jakob Schlyter
- Re: [DNSOP] Fwd: New Version Notification for dra… bmanning