Re: [DNSOP] Updated KSK Sentinel document

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Tue, 13 February 2018 17:45 UTC

To: Bob Harold <rharolde@umich.edu>
Cc: dnsop <dnsop@ietf.org>
References: <CAHw9_iJ5Dr0sHw3EkWyHeAVDDb3k=8C6XOfrA02-_bQzd4n2Sg@mail.gmail.com> <CA+nkc8AeY2+Azw7Rk-y4s5Gfp=amYZNiN=_kxtetgS9s8kcEYg@mail.gmail.com>
From: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Message-ID: <ac1c8e00-ba0f-72df-83f5-47c3e935e447@nic.cz>
Date: Tue, 13 Feb 2018 18:45:35 +0100
In-Reply-To: <CA+nkc8AeY2+Azw7Rk-y4s5Gfp=amYZNiN=_kxtetgS9s8kcEYg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xzkU2I3RQNPJyrWcAeaxP4G6KAA>
Subject: Re: [DNSOP] Updated KSK Sentinel document

On 02/13/2018 06:10 PM, Bob Harold wrote:
> [...] If an entry could be put in the root zone, that is signed only
> with the new key, then could users query that and always get a yes/no
> answer to whether they will be affected? 

I don't think that's possible.  This is about the _single_ root DNSKEY
RRset - switching which key signs the set (tags 19036 and 20326). 
Resolvers will either successfully validate this RRset or not, and
consequently they either can validate all other signatures in the root
zone or they can't trust anything in the whole DNS tree.

--Vladimir
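Added example, not part of the thread: since validation of the single root DNSKEY RRset is all-or-nothing, the local check an operator can make is which root KSK key tags are configured as trust anchors. The script parses a trust-anchor file in DNSKEY presentation format, computes key tags per RFC 4034 Appendix B, and reports whether a given tag (such as 20326) is present. The key material in SAMPLE_ANCHORS is constructed for the example and is not the real root KSK.

```python
import base64
import struct

# Constructed sample trust-anchor file (presentation format like root.key).
# The public key here is made up for the example; it is NOT the real root KSK.
SAMPLE_ANCHORS = """\
; constructed trust-anchor file
. IN DNSKEY 257 3 8 AQIDBA==
"""


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        # even-indexed bytes contribute the high octet, odd-indexed the low one
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_anchors(text: str):
    """Yield (owner, flags, protocol, algorithm, pubkey) for each DNSKEY line."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if "DNSKEY" not in fields:
            continue  # DS-form anchors are not handled by this example
        idx = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
        pubkey = base64.b64decode("".join(fields[idx + 4:]))
        yield fields[0], flags, protocol, algorithm, pubkey


def configured_ksk_tags(text: str, owner: str = "."):
    """Key tags of configured KSKs (SEP bit set) for the given owner name."""
    return {key_tag(f, p, a, k) for o, f, p, a, k in parse_anchors(text)
            if o == owner and f & 0x0001}


def trusts_tag(text: str, tag: int) -> bool:
    """True if a KSK with this key tag is among the configured root anchors."""
    return tag in configured_ksk_tags(text)
```

Run it against the resolver's own anchor file instead of SAMPLE_ANCHORS; a missing 20326 means the RRset signed only by the new KSK will fail validation there.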