Re: [DNSOP] Would you please review our draft on deploying new DNSSEC crypto algorithms?
Shane Kerr <shane@time-travellers.org> Tue, 15 November 2016 15:05 UTC
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14207129677 for <dnsop@ietfa.amsl.com>; Tue, 15 Nov 2016 07:05:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xvq_g5odk3TG for <dnsop@ietfa.amsl.com>; Tue, 15 Nov 2016 07:05:52 -0800 (PST)
Received: from time-travellers.nl.eu.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFFAD128B37 for <dnsop@ietf.org>; Tue, 15 Nov 2016 07:05:51 -0800 (PST)
Received: from [221.147.10.131] (helo=pallas.home.time-travellers.org) by time-travellers.nl.eu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1c6fJI-0000KA-Go; Tue, 15 Nov 2016 15:06:08 +0000
Date: Wed, 16 Nov 2016 00:05:30 +0900
From: Shane Kerr <shane@time-travellers.org>
To: Dan York <york@isoc.org>
Message-ID: <20161116000530.19ed440a@pallas.home.time-travellers.org>
In-Reply-To: <87A84F21-FA45-4F05-85DA-26C892D18722@isoc.org>
References: <87A84F21-FA45-4F05-85DA-26C892D18722@isoc.org>
X-Mailer: Claws Mail 3.14.1 (GTK+ 2.24.31; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; boundary="Sig_/JJORF5x+KNXlGB9Ng.pSte."; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/y2UoPM_N5tuL6L2W5w7kFlrWEXk>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Would you please review our draft on deploying new DNSSEC crypto algorithms?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2016 15:05:54 -0000
Dan, At 2016-11-15 12:41:01 +0000 Dan York <york@isoc.org> wrote: > The draft is at either of: > > https://datatracker.ietf.org/doc/draft-york-dnsop-deploying-dnssec-crypto-algs/ > https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-04 > > Please send any comments to the list or to us as authors. > > I also am maintaining this over in Github at: > https://github.com/danyork/draft-deploying-dnssec-crypto-algs If you > are a Github user you are welcome to file an issue there or send text > in a pull request. > > Regardless, we'd just like any feedback (even if to say that it looks > good). I'm curious about this section: Note that the key and signatures with the new algorithm will need to co-exist with the existing key and signatures for some period of time. This will have an impact on the size of the DNS records. [NOTE(OS): Shouldn't we just update the language that requires the resolver to be so strict and finally be done with this requirement? Or just give a recommendation in the paragraph on resolver here?] One issue that has been identified is that not all commonly-used signing software releases include support for an algorithm rollover. This software would need to be updated to support rolling an algorithm before any new algorithms could be deployed. Is there an RFC which says that you have to have multiple signatures? In principle, shouldn't it be possible to (for example) add a new DNSKEY record of a ZSK with a new algorithm, wait until you are sure that all resolvers have the new DNSKEY, and then start signing using only that key (as for a usual roll)? So there would indeed need to be two copies of the key, but not double signature, right? I'm not sure if this is ever possible to do for a KSK roll, but honestly that doesn't matter too much since extra signatures on the DNSKEY RRSET is not going to affect much traffic in a usual case. ---- A possibly more important concern is that the RIPE NCC did an algorithm roll last year, and discovered that Unbound and Verisign DNS require that the algorithm used by the DS be used to sign the entire zone - not just the DNSKEY RRSET: https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over I think this deserves special merit and probably mention in the draft, because it means that you have to do both the KSK and ZSK roll together. The root cause of this is probably considered a bug in the Unbound and Verisign DNS software and has been fixed... but also consider that Unbound is a fairly popular DNS software and likely to have lots of old versions lying around. That means basically that unless you don't care about breaking a large portion of the Internet we are stuck with this limitation. :( Of course, rolling to a brand new algorithm (post-2015) that arrives in the future should be fine, since it will only be implemented in newer versions of the software which support rolling properly. :) ---- Finally, mostly as a whine, it's a pity that RFC 6975 forbids authoritative servers from filtering RRSIG. From a client point of view this would have been a real motivator to including this information, since an authoritative server could provide the best signatures possible (smallest/fastest/most secure/patent-free/whatever), and ONLY those signatures. As it is now, I doubt many (any?) resolvers actually include this option since it will just add pointless bytes to query packets. If clients included this it would be of great help to zone owners and authority server operators in deciding whether a new algorithm is deployable. :( Cheers, -- Shane
- [DNSOP] Would you please review our draft on depl… Dan York
- Re: [DNSOP] Would you please review our draft on … Shane Kerr
- Re: [DNSOP] Would you please review our draft on … Mark Andrews
- Re: [DNSOP] Would you please review our draft on … Matthijs Mekking
- Re: [DNSOP] Would you please review our draft on … Ask Bjørn Hansen
- Re: [DNSOP] Would you please review our draft on … Shane Kerr
- Re: [DNSOP] Would you please review our draft on … Mark Andrews
- Re: [DNSOP] Would you please review our draft on … Shane Kerr
- Re: [DNSOP] Would you please review our draft on … Rose, Scott
- Re: [DNSOP] Would you please review our draft on … Edward Lewis