On 2.8.2010 17:45, [email protected] wrote:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations Working Group of the IETF.


        Title           : DNSSEC Operational Practices, Version 2
        Author(s)       : O. Kolkman
        Filename        : draft-ietf-dnsop-rfc4641bis-04.txt
        Pages           : 56
        Date            : 2010-08-02

This is just a follow-up to the discussion in Maastricht on RFC5011 and key algorithm rollovers.

I thought of sending the text, but I have re-read RFC5011 and it looks more complicated :-(.

Just a reminder: RFC4035 section 2.2 says:

   There MUST be an RRSIG for each RRset using at least one DNSKEY of
   each algorithm in the zone apex DNSKEY RRset.  The apex DNSKEY RRset
   itself MUST be signed by each algorithm appearing in the DS RRset
   located at the delegating parent (if any).

RFC5011 sections:

2.1. Revocation

If you have a key A with alg1 and key B with alg2, you:

a) cannot revoke either of the keys, or
b) must define the revoked key as an exception to RFC4035 2.2

2.2 Add Hold-Down

Basically the same situation.

If you add key C with a new algorithm, you need to immediately sign the whole zone with the new algorithm, regardless of the hold-down timer.

6.1 Adding a Trust Anchor

The scenario is incorrect in step 4, and you need to follow the procedure outlined in draft-ietf-dnsop-rfc4641bis-04.txt.

6.2 Deleting a Trust Anchor

It is correct, but it still needs to follow the:

- remove DNSKEY
- wait for DNSKEY TTL
- remove signatures

after step 2.

6.3 Key Roll-over (and 6.4 and 6.5)

If 'C' has a different algorithm, then steps 2 and 4 are incorrect.

6.6 Trust Point Deletion

It is incorrect. If the new key has a different algorithm, you need to publish the DNSKEY first, and only after it is there (and has expired in caches) can you update the DS at the parent.

So it gets much more complicated. And you cannot revoke old keys at the same time you add new keys.

Ondrej
--
 Ondřej Surý
 vedoucí výzkumu/Head of R&D department
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:[email protected]    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
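As an added illustration (not part of the e-mail above, the RFC text, or any CZ.NIC code), the following Python models the RFC4035 section 2.2 signing invariant and runs the algorithm-rollover states discussed in the message through it: adding key C without signing with its algorithm, publishing the DS before the DNSKEY, revoking the old key while dropping its signatures, and the same revocation with revoked keys defined as an exception. The zone name, key tags and algorithm numbers are constructed sample values, and `check_rfc4035_2_2` is a hypothetical helper written for this page.

```python
# Added example: RFC 4035 section 2.2 invariant checker applied to the
# algorithm-rollover states from the e-mail. Illustration code for this page,
# not from the e-mail or any RFC. Zone name, tags and algorithms are constructed.
from dataclasses import dataclass

ZONE = "example.com."           # constructed zone name
APEX_DNSKEY = f"{ZONE}/DNSKEY"  # label used for the apex DNSKEY RRset


@dataclass(frozen=True)
class DNSKEY:
    tag: int              # key tag (constructed values below)
    alg: int              # DNSSEC algorithm number
    revoked: bool = False # RFC 5011 REVOKE bit set; key stays in the RRset


@dataclass(frozen=True)
class DS:
    tag: int
    alg: int              # algorithm of the DNSKEY the DS refers to


@dataclass(frozen=True)
class RRSIG:
    covered: str          # "<owner>/<type>" of the RRset this signature covers
    tag: int              # key tag of the signing DNSKEY
    alg: int              # algorithm of the signing DNSKEY


def check_rfc4035_2_2(dnskeys, ds_set, rrsigs, rrsets, revoked_is_exception=False):
    """Return the RFC 4035 section 2.2 violations (empty when the zone is consistent).

    Rule 1: every RRset needs an RRSIG from at least one DNSKEY of each
            algorithm present in the apex DNSKEY RRset.
    Rule 2: the apex DNSKEY RRset must be signed with each algorithm present
            in the parent's DS RRset.
    revoked_is_exception models the exception the e-mail says would have to be
    defined: a key with the REVOKE bit set does not count toward Rule 1.
    """
    apex_algs = {k.alg for k in dnskeys if not (revoked_is_exception and k.revoked)}
    violations = []
    for rrset in rrsets:
        sig_algs = {s.alg for s in rrsigs if s.covered == rrset}
        for alg in sorted(apex_algs - sig_algs):
            violations.append(f"rule 1: {rrset} has no RRSIG with algorithm {alg}")
    ds_algs = {d.alg for d in ds_set}
    dnskey_sig_algs = {s.alg for s in rrsigs if s.covered == APEX_DNSKEY}
    for alg in sorted(ds_algs - dnskey_sig_algs):
        violations.append(f"rule 2: {APEX_DNSKEY} not signed with DS algorithm {alg}")
    return violations


# Constructed zone content: the apex RRsets plus one host record.
RRSETS = [APEX_DNSKEY, f"{ZONE}/SOA", f"{ZONE}/NS", f"www.{ZONE}/A"]
KEY_A = DNSKEY(tag=11111, alg=5)   # old algorithm (constructed tag)
KEY_C = DNSKEY(tag=33333, alg=8)   # new algorithm (constructed tag)


def sigs(key, rrsets=RRSETS):
    """Constructed RRSIG set: one signature per RRset by the given key."""
    return [RRSIG(covered=r, tag=key.tag, alg=key.alg) for r in rrsets]


def rollover_states():
    """Algorithm rollover from KEY_A (alg 5) to KEY_C (alg 8) as a list of
    (description, violations) pairs, in the order the e-mail argues for:
    DNSKEY first, signatures at the same time, DS only after the DNSKEY TTL."""
    ds_a, ds_c = DS(KEY_A.tag, 5), DS(KEY_C.tag, 8)
    revoked_a = DNSKEY(KEY_A.tag, KEY_A.alg, revoked=True)
    # RFC 5011 requires a revoked key to sign the DNSKEY RRset itself.
    revoked_self_sig = sigs(revoked_a, [APEX_DNSKEY])
    return [
        # Naive RFC 5011 add: C appears in the DNSKEY RRset, old signatures only.
        ("add C without alg-8 signatures",
         check_rfc4035_2_2([KEY_A, KEY_C], [ds_a], sigs(KEY_A), RRSETS)),
        # Correct: add C and sign the whole zone with alg 8 in the same step.
        ("add C and sign whole zone with alg 8",
         check_rfc4035_2_2([KEY_A, KEY_C], [ds_a], sigs(KEY_A) + sigs(KEY_C), RRSETS)),
        # DS for C at the parent before C's DNSKEY is published: rule 2 fails.
        ("DS for C at parent before C is published",
         check_rfc4035_2_2([KEY_A], [ds_a, ds_c], sigs(KEY_A), RRSETS)),
        # Revoke A and drop alg-5 signatures: A is still in the RRset, so the
        # non-DNSKEY RRsets now lack an alg-5 signature.
        ("revoke A and drop alg-5 signatures",
         check_rfc4035_2_2([revoked_a, KEY_C], [ds_c], sigs(KEY_C) + revoked_self_sig, RRSETS)),
        # Same state with revoked keys defined as an exception to 4035 2.2.
        ("revoke A with revoked key treated as exception",
         check_rfc4035_2_2([revoked_a, KEY_C], [ds_c], sigs(KEY_C) + revoked_self_sig, RRSETS,
                           revoked_is_exception=True)),
        # A removed after the DNSKEY TTL, then the alg-5 signatures removed.
        ("A removed, only alg 8 remains",
         check_rfc4035_2_2([KEY_C], [ds_c], sigs(KEY_C), RRSETS)),
    ]


if __name__ == "__main__":
    for description, violations in rollover_states():
        print(f"{description}: {'OK' if not violations else violations}")
```

The checker treats the REVOKE bit exactly as RFC4035 does, which is not at all: a revoked key is still a DNSKEY in the apex RRset, so its algorithm still has to sign everything until the key is actually removed, which is the conflict the message points out. Flip `revoked_is_exception` to see what the proposed exception would buy.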