Re: Practical issues deploying DNSSEC into the home.

Joe Abley <jabley@hopcount.ca> Tue, 10 September 2013 16:13 UTC

Subject: Re: Practical issues deploying DNSSEC into the home.
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <CAGhGL2APj-XfuMUHgLsELnZRbRNCLrjMBxFBtcg4zx+5SG7Bag@mail.gmail.com>
Date: Tue, 10 Sep 2013 12:12:59 -0400
Message-Id: <FA4F0AA8-A309-4D66-ACBA-2A5F5E84FDE7@hopcount.ca>
References: <CAGhGL2APj-XfuMUHgLsELnZRbRNCLrjMBxFBtcg4zx+5SG7Bag@mail.gmail.com>
To: Jim Gettys <jg@freedesktop.org>
Cc: ietf@ietf.org, dns-security@lists.tislabs.com
List-Id: IETF-Discussion <ietf.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>

Hi Jim,

On 2013-09-10, at 11:55, Jim Gettys <jg@freedesktop.org> wrote:

> We uncovered two practical problems, both of which need to be solved to enable full DNSSEC deployment into the home:
> 
> 1) DNSSEC needs to have the time within one hour.  But these devices do not have TOY clocks (and arguably, never will, nor even probably should ever have them).  
> 
> So how do you get the time after you power on the device?  The usual answer is "use ntp".  Except you can't do a DNS resolve when your time is incorrect.  You have a chicken and egg problem to resolve/hack around :-(.
> 
> Securely bootstrapping time in the Internet is something I believe needs doing....  and being able to do so over wireless links, not just relying on wired links.

Dave and I wrote up a proposal for this, which may be of interest. If you find this document, let me know and we can work to rejuvenate it (it withered on the I-D vine).

http://tools.ietf.org/html/draft-jabley-dnsop-validator-bootstrap-00

> 2) when you install a new home router, you may want to generate certificates for that home domain (particularly so it can be your primary name server, which you'd really like to be under your control anyway, rather than delegating to someone else who could either intentionally or unintentionally subvert your domain).  

I think as a starting point, you could safely assume that any local domain you host for the purpose of home users could be unsigned. Users behind the home gateway are trusting the cache on the home gateway anyway; serving signed, authoritative local data doesn't seem like it would add much benefit over serving the same data unsigned.


Joe
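The chicken-and-egg problem Jim describes in point 1 comes down to the RRSIG validity window: RFC 4034 requires a validator to accept a signature only while inception <= now <= expiration (compared with the serial-number arithmetic of RFC 1982), so a router that boots with its clock at the epoch cannot validate anything, including the answer for the NTP server it needs to fix the clock. The following is an added example, not code from the thread or from the draft Joe cites. It implements the window check and then simulates the usual workaround: resolve the time server with checking disabled (CD=1), set the clock from NTP, and only then start validating. The signature dates, the name ntp.example.net, the 192.0.2.123 answer and the FakeNetwork class are all constructed for the example; no traffic is sent.

```python
import calendar
import time

# Constructed RRSIG validity window in RFC 4034 presentation format
# (YYYYMMDDHHmmSS, UTC).  Example data, not taken from any real zone.
SIG_INCEPTION = "20130909000000"
SIG_EXPIRATION = "20130923000000"

MASK32 = 0xFFFFFFFF


def rrsig_time_to_unix(ts: str) -> int:
    """Convert an RRSIG inception/expiration field to seconds since the epoch."""
    return calendar.timegm(time.strptime(ts, "%Y%m%d%H%M%S"))


def serial_lte(a: int, b: int) -> bool:
    """a <= b under RFC 1982 32-bit serial number arithmetic.

    RFC 4034 section 3.1.5 says RRSIG timestamps are compared this way
    because the 32-bit fields wrap around in 2106.
    """
    a &= MASK32
    b &= MASK32
    return a == b or ((b - a) & MASK32) < 2**31


def signature_window_ok(now: int, inception: str, expiration: str) -> bool:
    """An RRSIG is usable only while inception <= now <= expiration."""
    return (serial_lte(rrsig_time_to_unix(inception), now)
            and serial_lte(now, rrsig_time_to_unix(expiration)))


class FakeNetwork:
    """Constructed stand-in for the resolver and an NTP server (offline)."""

    def __init__(self, true_time: int):
        self.true_time = true_time
        self.log = []  # trace of what the device did, in order

    def resolve(self, name: str, checking_disabled: bool) -> str:
        # With CD=1 the upstream resolver returns the answer without
        # DNSSEC validation, so this lookup works regardless of our clock.
        mode = "CD" if checking_disabled else "validate"
        self.log.append(("dns", name, mode))
        return "192.0.2.123"  # RFC 5737 documentation address, constructed

    def ntp(self, server_ip: str) -> int:
        self.log.append(("ntp", server_ip))
        return self.true_time


def bootstrap_validator(clock_now: int, net: FakeNetwork,
                        inception: str, expiration: str):
    """Order of operations for a router with no battery-backed clock.

    Returns (clock_to_use, description).  If the current clock already
    falls inside the signature window, validation can start at once.
    Otherwise the NTP server name is resolved WITHOUT validation, the clock
    is set from NTP, and the window is re-checked before validation starts.
    """
    if signature_window_ok(clock_now, inception, expiration):
        return clock_now, "clock already inside window; validating lookups can start"

    # Unvalidated (CD=1) lookup: the only kind that can succeed right now.
    server_ip = net.resolve("ntp.example.net", checking_disabled=True)
    new_time = net.ntp(server_ip)
    if not signature_window_ok(new_time, inception, expiration):
        raise RuntimeError("time from NTP still outside the signature window")
    return new_time, "clock set via unvalidated lookup and NTP; validation enabled"


if __name__ == "__main__":
    net = FakeNetwork(true_time=1378829579)  # 2013-09-10 16:12:59 UTC, constructed
    print(bootstrap_validator(0, net, SIG_INCEPTION, SIG_EXPIRATION))
    print(net.log)
```

Note what this does and does not buy: the CD=1 lookup and the NTP reply are both unauthenticated, so an attacker who can answer either one can hand the device a time of their choosing and, with it, control which signatures it will accept. The code only sequences the steps so that validation can start at all; making that first step trustworthy is the problem Jim says still needs doing and that the draft Joe points to addresses. How much clock error a zone tolerates depends on its signature validity period, not on a fixed figure.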