Re: [DNSOP] Updated KSK Sentinel document
Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Tue, 13 February 2018 17:45 UTC
To: Bob Harold <rharolde@umich.edu>
Cc: dnsop <dnsop@ietf.org>
From: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Message-ID: <ac1c8e00-ba0f-72df-83f5-47c3e935e447@nic.cz>
Date: Tue, 13 Feb 2018 18:45:35 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xzkU2I3RQNPJyrWcAeaxP4G6KAA>
On 02/13/2018 06:10 PM, Bob Harold wrote:
> [...] If an entry could be put in the root zone, that is signed only
> with the new key, then could users query that and always get a yes/no
> answer to whether they will be affected?

I don't think that's possible. This is about the _single_ root DNSKEY RRset - switching which key signs the set (tags 19036 and 20326). Resolvers will either successfully validate this RRset or not, and consequently they either can validate all other signatures in the root zone or they can't trust anything in the whole DNS tree.

--Vladimir
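An added illustration of the all-or-nothing point above (example code, not part of the thread or of the KSK Sentinel draft): it computes DNSKEY key tags per RFC 4034 Appendix B and models what a validating resolver does with the root DNSKEY RRset depending on which KSK signs it and which trust anchors the resolver holds. The DNSKEY records are constructed two-byte stand-ins chosen so their tags come out as 19036 and 20326; they are not the real root key material.

```python
"""Model of root DNSKEY RRset validation during a KSK rollover (added example)."""
import struct


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (non-algorithm-1 form)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# CONSTRUCTED root DNSKEY RRset: (flags, protocol, algorithm, public key bytes).
# Flags 257 = ZONE + SEP (a KSK); 256 = ZONE only (a ZSK). The two-byte "keys"
# are chosen purely so that the KSK tags equal 19036 (old) and 20326 (new).
ROOT_DNSKEY_RRSET = [
    (257, 3, 8, bytes.fromhex("4653")),  # key tag 19036
    (257, 3, 8, bytes.fromhex("4b5d")),  # key tag 20326
    (256, 3, 8, bytes.fromhex("0102")),  # ZSK, tag irrelevant here
]


def root_validation_outcome(rrset, rrsig_key_tags, trust_anchor_tags):
    """Return (ok, reason) for a resolver holding the given trust anchors.

    The DNSKEY RRset is accepted as a whole if at least one RRSIG over it was
    made by a KSK (SEP bit set) whose tag matches a configured trust anchor.
    Otherwise the resolver cannot validate anything below the root.
    """
    ksk_tags = {key_tag(*rr) for rr in rrset if rr[0] & 0x0001}
    usable = set(rrsig_key_tags) & ksk_tags & set(trust_anchor_tags)
    if usable:
        return True, f"DNSKEY RRset validated via key tag(s) {sorted(usable)}"
    return False, "no RRSIG over the DNSKEY RRset by a trusted KSK; whole tree untrusted"


if __name__ == "__main__":
    for label, sig_tags in (("before switch", [19036]), ("dual-signed", [19036, 20326]),
                            ("after switch", [20326])):
        for anchors in ([19036], [19036, 20326]):
            ok, why = root_validation_outcome(ROOT_DNSKEY_RRSET, sig_tags, anchors)
            print(f"{label:13} anchors={anchors}: {'OK ' if ok else 'FAIL'} ({why})")
```

A resolver that never learned 20326 validates fine until the signing key switches, then fails for every name at once rather than for one sentinel entry.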