[Quoting Edward Lewis, on Oct 16, 21:22, in "Re: DNSSEC and Paren ..."]
> At 9:49 AM -0400 10/13/00, Ted Lindgreen wrote:
> >Reason to ask this, is that there seems no security-technical reason
> >to have this SIG in the parent zonefile instead.
>
> How about this:
>
> Having the parent publish the keys eliminates a beneficial three-way
> handshake. (How beneficial is open to question.) Given the current
> definition:
I fully agree that a three-way handshake is desirable. However,
I am not sure that having the parent publish the keys eliminates
this handshake:
> 1) The child "signals" the intent to be secure by submitting keys to the
> parent.
>
> 2) The parent "acknowledges" the child's desire to be secure by signing
>
> 3) The child "accepts" this invitation by publishing the keys. The
In case (only) the parent publishes the SIG over the child's new KEY,
1) and 2) do not change. In 3) the child can also "accept" the
invitation by starting to use the new KEY to sign its zone.
> important part of this step is that the child has the option, once the
> parent has returned the signature, to decide if the signature is right.
Cryptographically, or security-technically, I see no difference
between a child:
1. verifying a parent-SIG over own-KEY with parent-KEY, then
including the parent-SIG in own zonefile, and then starting
to use the new KEY.
2. verifying a parent-SIG over own-KEY with parent-KEY, and
starting to use the new KEY.
Please note that in order to verify the parent-SIG, one has to
consult the parent-zone anyway to collect the parent-KEY.
> I.e., what if someone adds or modifies the keys between the time the child
> sends them and the parent receives them? The parent won't know this and
> publishing the erroneous keys and the signature would be a problem.
This is a very serious problem. In fact, we see the verification by
the parent before signing a child's zone-KEY as the most critical
part (in terms of security) of implementing DNSSEC at TLDs.
However, this problem is independent of where the SIG will be
located after having been generated.
Regards,
-- Ted.
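The point argued in this message (the child's step-3 check, verifying the parent-SIG over its own KEY with the parent-KEY, and the resolver's validation are the same whether that SIG is published in the child or the parent zone file), as an added Python model that is not part of this thread. It uses a tiny textbook-RSA stand-in built from constructed small primes rather than real DNSSEC code, and the zone dictionaries, record names and the in-transit alteration are assumptions made for the illustration.

```python
import hashlib

E = 65537  # public exponent used by both toy key pairs (constructed example)

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def keygen(p: int, q: int):
    """Textbook RSA from two given primes (toy stand-in): returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

def key_rdata(pub) -> bytes:
    """The bytes the parent signs: the child's KEY record as the parent received it."""
    return f"KEY n={pub[0]} e={pub[1]}".encode()

def resolver_validates(parent_zone: dict, child_zone: dict) -> bool:
    """Validator path: the parent KEY is fetched either way; the SIG over the child
    KEY is taken from whichever zone holds it, then the child's data SIG is checked."""
    sig = child_zone.get("SIG(KEY)", parent_zone.get("SIG(KEY)"))
    if sig is None or not verify(parent_zone["KEY"], key_rdata(child_zone["KEY"]), sig):
        return False
    return verify(child_zone["KEY"], child_zone["A"], child_zone["SIG(A)"])

def handshake(tamper_in_transit: bool = False) -> dict:
    parent_pub, parent_priv = keygen(1000003, 1000033)  # constructed small primes, not secure
    child_pub, child_priv = keygen(1000037, 1000039)
    submitted = key_rdata(child_pub)                     # step 1: child submits its KEY
    if tamper_in_transit:                                # KEY altered between child and parent
        submitted = submitted.replace(b"n=", b"n=9")
    parent_sig = sign(parent_priv, submitted)            # step 2: parent signs what it received
    # step 3: child checks the parent-SIG over its *own* KEY with the parent-KEY
    result = {"child_accepts": verify(parent_pub, key_rdata(child_pub), parent_sig)}
    if not result["child_accepts"]:
        return result                                    # child refuses to use the new KEY
    zone_data = b"www.child.example. A 192.0.2.1"        # constructed child record
    for layout in ("sig_in_child_zone", "sig_in_parent_zone"):
        parent_zone = {"KEY": parent_pub}
        child_zone = {"KEY": child_pub, "A": zone_data, "SIG(A)": sign(child_priv, zone_data)}
        (child_zone if layout == "sig_in_child_zone" else parent_zone)["SIG(KEY)"] = parent_sig
        result[layout] = resolver_validates(parent_zone, child_zone)
    return result
```

Both layouts validate identically from an untampered submission, and an altered submission fails the child's own check before any SIG is published anywhere.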