On 29/06/2015 21:48, Warren Kumari wrote:
I'd appreciate any feedback, the draft announcement is here:
Name: draft-wkumari-dnsop-trust-management
Revision: 00
Title: Simplified Updates of DNS Security (DNSSEC) Trust Anchors
Document date: 2015-06-29
Group: Individual Submission
Pages: 8
URL:
https://www.ietf.org/internet-drafts/draft-wkumari-dnsop-trust-management-00.txt
Status:
https://datatracker.ietf.org/doc/draft-wkumari-dnsop-trust-management/
Htmlized:
https://tools.ietf.org/html/draft-wkumari-dnsop-trust-management-00
Hi,
This draft appears to be trying to solve several problems.
1. Signalling by a validator to an authoritative server which keys it
knows about.
2. Signalling by an authoritative server the mechanism it is using to
roll its keys
3. Defining an alternative to 5011 with a different mechanism to roll keys.
This seems a big ask for one draft.
I have been planning to write a draft to address 1 by having validators
send the DS of known TA's in an edns0 option code. This info could then
be logged by the authoritative nameservers.
For problem 2 I was going to suggest advice to implementers of
validators to (by default) treat all TA's as potentially 5011. A non
5011 TA is just one that is never seen to do 5011 stuff.
Given the above, my feeling is that there is no need to propose an
alternative to 5011 unless it adds a significant increase in
security/ease of use.
In addition, if I have understood your intent correctly, I have a few
questions regarding the security of your proposed mechanism.
Assuming the traditional large (strong) KSK used as trust anchor and
smaller ZSK scenario.
It appears that the TDS RRSet will be signed only by the smaller ZSK.
Doesn't this effectively create a circular dependency that effectively
reduces the security of the zone down to the strength of the ZSK?
You mention nothing like the add hold-down timer in 5011. There seems to
be good justification for its need in 5011.
regards
John
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
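As an added illustration of the hold-down point raised in the reply above (example code written for this page, not from the draft or from either author): a minimal model of the RFC 5011 add hold-down and revoke logic for a validator's trust-anchor store. The 30-day ADD_HOLD_DOWN value is the RFC 5011 minimum; representing keys by key tag only and the `observe()` interface are simplifying assumptions.

```python
# Simplified RFC 5011 trust-anchor state machine (illustrative, assumed interface).
# States per key tag: Start (unknown) -> AddPend (hold-down running) -> Valid,
# plus Revoked. Keys are modelled by key tag only; real code would also
# compare the DNSKEY RDATA and verify RRSIGs.
from dataclasses import dataclass, field

ADD_HOLD_DOWN = 30 * 24 * 3600  # RFC 5011 minimum add hold-down time, seconds


@dataclass
class AnchorStore:
    trusted: set = field(default_factory=set)    # key tags in the Valid state
    pending: dict = field(default_factory=dict)  # key tag -> time first seen (AddPend)
    revoked: set = field(default_factory=set)    # key tags in the Revoked state

    def observe(self, now, keys, signed_by, revoked=frozenset()):
        """Process one observation of the zone's DNSKEY RRset.

        keys      : key tags present in the RRset
        signed_by : key tags whose RRSIG over the RRset verified
        revoked   : key tags in the RRset carrying the REVOKE bit
        Returns the set of key tags currently trusted (Valid).
        """
        keys, signed_by = set(keys), set(signed_by)
        # RFC 5011 only acts on an RRset signed by an already-trusted key, so a
        # set signed solely by an untrusted (e.g. ZSK-only) key changes nothing.
        if not (signed_by & self.trusted):
            return set(self.trusted)
        # Revocation: a trusted key with the REVOKE bit that signs the RRset itself.
        for tag in revoked & signed_by & self.trusted:
            self.trusted.discard(tag)
            self.revoked.add(tag)
        # A pending key that disappears goes back to Start: its timer is lost.
        for tag in list(self.pending):
            if tag not in keys:
                del self.pending[tag]
        # Newly seen keys enter AddPend with the hold-down timer started now.
        for tag in keys - self.trusted - self.revoked - set(self.pending):
            self.pending[tag] = now
        # Continuous presence for the full hold-down promotes AddPend -> Valid.
        for tag, first_seen in list(self.pending.items()):
            if now - first_seen >= ADD_HOLD_DOWN:
                self.trusted.add(tag)
                del self.pending[tag]
        return set(self.trusted)
```

The third scenario in the comments is the one the reply hints at: a key that is briefly injected and then withdrawn never accumulates the 30 days of continuous, trusted-key-signed presence needed to become an anchor.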