On Apr 19, 2013, at 11:37, Olafur Gudmundsson wrote: > > Serious answer: CDS becomes part of the Trust Anchor authentication chain, in > RFC5011 Trust Anchor Maintainers only accept new trust anchors that > are signed by the old Trust Anchor, and CDS copied that requirement.
I don't buy into that. That 5011 depends on "X" (which is fine) does not imply to me that the CDS has to also have that requirement. Once 5011 believes the new trust anchor is earnest, why does this need to be further checked? And, in the case of a compromise of a key's secrecy, which I see as a problem for 5011, is the situation any better if the CDS is signed by a KSK? The point I am coming back to is that if a ZSK is exposed, false RRSIGs will validate until the ZSK disappears from the DNSKEY set (in caches). The zone administrator can roll out of the compromised ZSK to eventually end the abuse - but in the interim the false ZSK can be used to extend signatures over the DNSKEY for a very long time. Only when the DS set (which is beyond the ZSK's reach) eliminates a chain through the ZSK can the abuse end. Question: If you get a DNSKEY set that has these records: $TTL=1 week ZSK - compromised KSK - "safe" RRSIG by KSK good from now until May 1, 2013 RRSIG by ZSK good from now until December 31, 2038 would you validate this on April 30, 2013 and hold it for a week? Assuming that there's still a DS record that "works?" (Would this extend the damage?) I.e., sometimes rolling out the ZSK isn't enough, the KSK/DS has to go too. It seems to me that no matter what key is compromised, KSK or ZSK - or even a CSK - the DS has to be changed. The DS is a "second factor" here because it would take a different key compromise to game that (assuming cross-organizational delegations). Sorry folks, this discussion is probably a bit much in email, but it's the only venue we have. I appreciate the reluctance to have long, boring yes/no debates, but I think there's some fundamental issues to hammer out first. When I say I'm unconvinced, I don't mean the requirement is wrong, I mean that I don't see a clear reason for what I think is potentially just an invitation for yet another corner case. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 There are no answers - just tradeoffs, decisions, and responses.
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
