On 29/06/2015 21:48, Warren Kumari wrote:
I'd appreciate any feedback, the draft announcement is here:
Name:           draft-wkumari-dnsop-trust-management
Revision:       00
Title:          Simplified Updates of DNS Security (DNSSEC) Trust Anchors
Document date:  2015-06-29
Group:          Individual Submission
Pages:          8
URL:
https://www.ietf.org/internet-drafts/draft-wkumari-dnsop-trust-management-00.txt
Status:
https://datatracker.ietf.org/doc/draft-wkumari-dnsop-trust-management/
Htmlized:
https://tools.ietf.org/html/draft-wkumari-dnsop-trust-management-00

Hi,

This draft appears to be trying to solve several problems.
1. Signalling by a validator to an authoritative server which keys it knows about.
2. Signalling by an authoritative server the mechanism it is using to roll its keys.
3. Defining an alternative to 5011 with a different mechanism to roll keys.

This seems a big ask for one draft.

I have been planning to write a draft to address 1 by having validators send the DS of known TAs in an edns0 option code. This info could then be logged by the authoritative nameservers.

For problem 2 I was going to suggest advice to implementers of validators to (by default) treat all TAs as potentially 5011. A non-5011 TA is just one that is never seen to do 5011 stuff.

Given the above, my feeling is that there is no need to propose an alternative to 5011 unless it adds a significant increase in security/ease of use.

In addition, if I have understood your intent correctly, I have a few questions regarding the security of your proposed mechanism.

Assuming the traditional large (strong) KSK used as trust anchor and smaller ZSK scenario. It appears that the TDS RRSet will be signed only by the smaller ZSK. Doesn't this create a circular dependency that effectively reduces the security of the zone down to the strength of the ZSK?

You mention nothing like the add hold-down timer in 5011. There seems to be good justification for its need in 5011.

regards
John

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
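The add hold-down timer John refers to is what keeps a validator from trusting a key it has only glimpsed once. The following is an added illustration written for this archive page; it is not code from the draft, from RFC 5011, or from any resolver. It simulates the RFC 5011 per-key state machine (Start, AddPend, Valid, Missing, Revoked, Removed) with the default 30-day add and remove hold-downs, on constructed observations of an apex DNSKEY RRSet. Assumptions: time is an integer day count; real signature validation is replaced by a list of key tags whose RRSIGs cover the RRSet, counted as validly signed when one of them is currently Valid; the SEP-bit requirement and the active-refresh query schedule are not modelled; key tags 1, 2, 7 and 9 and the scenario names are invented.

```python
"""RFC 5011 trust-anchor state machine, simulated on constructed observations.
Time is a day count; hold-down times are the RFC 5011 defaults. Signature
validation is simplified: an observation lists the key tags that signed the
DNSKEY RRSet, and it is 'validly signed' if one of them is currently Valid."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Iterable, Optional

ADD_HOLD_DOWN_DAYS = 30     # RFC 5011 section 2.4.1
REMOVE_HOLD_DOWN_DAYS = 30  # RFC 5011 section 2.4.2


class State(Enum):
    START = auto()
    ADD_PEND = auto()
    VALID = auto()
    MISSING = auto()
    REVOKED = auto()
    REMOVED = auto()


@dataclass(frozen=True)
class Observation:
    """One fetch of the apex DNSKEY RRSet (constructed sample data)."""
    day: int
    keys: frozenset        # key tags present in the RRSet
    signers: frozenset     # key tags whose RRSIGs cover the RRSet
    revoked: frozenset = frozenset()  # keys carrying the REVOKE bit


@dataclass
class Anchor:
    state: State = State.START
    since: Optional[int] = None  # day the running hold-down timer started


class TrustStore:
    def __init__(self, initial: dict):
        self.anchors = {tag: Anchor(s) for tag, s in initial.items()}

    def trusted(self) -> frozenset:
        return frozenset(t for t, a in self.anchors.items() if a.state is State.VALID)

    def observe(self, obs: Observation) -> None:
        # Only an RRSet signed by a key we already trust can drive transitions.
        if not obs.signers & self.trusted():
            return
        for tag in obs.keys:
            self.anchors.setdefault(tag, Anchor())
        for tag, a in self.anchors.items():
            present = tag in obs.keys
            # A revocation counts only when the revoked key itself signs the RRSet.
            revoked = tag in obs.revoked and tag in obs.signers
            elapsed = obs.day - a.since if a.since is not None else 0
            if a.state is State.START:
                if present and not revoked:
                    a.state, a.since = State.ADD_PEND, obs.day
            elif a.state is State.ADD_PEND:
                if not present or revoked:       # timer is reset, not paused
                    a.state, a.since = State.START, None
                elif elapsed >= ADD_HOLD_DOWN_DAYS:
                    a.state, a.since = State.VALID, None
            elif a.state is State.VALID:
                if revoked:
                    a.state, a.since = State.REVOKED, obs.day
                elif not present:
                    a.state, a.since = State.MISSING, obs.day
            elif a.state is State.MISSING:
                if revoked:
                    a.state, a.since = State.REVOKED, obs.day
                elif present:
                    a.state, a.since = State.VALID, None
                elif elapsed >= REMOVE_HOLD_DOWN_DAYS:
                    a.state, a.since = State.REMOVED, None
            elif a.state is State.REVOKED and elapsed >= REMOVE_HOLD_DOWN_DAYS:
                a.state, a.since = State.REMOVED, None


def run(initial: dict, observations: Iterable[Observation]) -> dict:
    """Feed observations in day order and return each key tag's final state."""
    store = TrustStore(initial)
    for obs in sorted(observations, key=lambda o: o.day):
        store.observe(obs)
    return {tag: a.state for tag, a in store.anchors.items()}


def F(*tags: int) -> frozenset:
    return frozenset(tags)


# Scenario A: key 2 is published next to trusted key 1 and stays for the whole
# add hold-down, so it becomes a trust anchor on day 30.
ROLL = [Observation(0, F(1, 2), F(1)), Observation(15, F(1, 2), F(1)),
        Observation(30, F(1, 2), F(1))]
# Scenario B: key 9 shows up briefly (think a compromised or spoofed server),
# is gone on day 10 and returns on day 40; the timer restarts, so it is never trusted.
FLAPPING = [Observation(0, F(1, 9), F(1)), Observation(10, F(1), F(1)),
            Observation(40, F(1, 9), F(1))]
# Scenario C: after the roll, key 1 sets its REVOKE bit and self-signs; it is
# distrusted at once and dropped once the remove hold-down has elapsed.
REVOKE = ROLL + [Observation(60, F(1, 2), F(1, 2), revoked=F(1)),
                 Observation(100, F(2), F(2))]
```

Scenario B is the case the hold-down exists for: a key that is seen, withdrawn and reintroduced restarts its timer each time, so an attacker who can serve a forged DNSKEY RRSet for a short window gains nothing. A scheme without that timer would have to make the same argument some other way, which is the question raised above about the draft.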
