At 12:42 +0200 6/8/05, Olaf M. Kolkman wrote:
#1.2 Time Definitions
# o "Key effectivity period"
# The period which a key pair is expected to be effective. This
# period is defined as the time between the first inception time
# stamp and the last expiration date of any signature made with
# this key.
# The key effectivity period can span multiple signature validity
# periods.
Can it be discontinuous? I.e., only on Tuesdays and Thursdays in May?
I do not know what the "formal definition" is.
But I take it to be that even when signatures made with this key
appear with a sig-inception Tuesday 00:00 and sig-expiration Tuesday
23:59 and signatures with sig-inception Thursday 00:00 and
sig-expiration Thursday 23:59, the Key effectivitiy period would be
Tuesday 00:00 to Thursday 23:49.
If there is a better way of phrasing this definition as appears now I
will need text.
Formal or not, I think you want the effectivity period to be from
first signing to last (useful) time, regardless of discontinuities.
It's just simpler.
Of course, if you are likely to have keys that are in use in a
discontinuous manner, you are probably not a conventional
administrator.
----------------------------------------------------------------------
# o "Maximum/Minimum Zone TTL"
# The maximum or minimum value of the TTLs from the complete set
# of RRs in a zone.
This has nothing to do with the last number in the SOA RR, right? Right?
Correct you take all the TTL values in the zone and take the minimum
and the maximum of that set. Is the text that is there now ambiguous?
The problem is this text from 1035:
#RFC 1035 Domain Implementation and Specification November 1987
#
#MINIMUM The unsigned 32 bit minimum TTL field that should be
# exported with any RR from this zone.
Maybe you should make an explicit reference that the Minimum Zone TTL
may be less that the MINIMUM field in the SOA RR.
----------------------------------------------------------------------
#2. Keeping the Chain of Trust Intact
# For the verifying clients it is important that data from secured
# zones can be used to build chains of trust regardless of whether the
# data came directly from an authoritative server, a caching nameserver
# or some middle box. Only by carefully using the available timing
# parameters can a zone administrator assure that the data necessary
# for verification can be obtained.
I don't think that the last sentence is right. If an admin is
unaware of the
timing parameters, data will only be delayed.
Let me try to reprhasese that last sentence.
Only by carefully timing their actions zone administrators can
assure that the data necessary for verification can be obtained by
validating clients.
I think that the sentence is too ambiguous to be useful. "Carefully
timing" sounds like there is much to be fearful of, without defining
the concerns.
How about...
DNS has inherent delays in the propagation of data, e.g., from the
master to slave, caches timing out old copies before retrieving fresh
authoritative data. Because of this administrators need to prepare
for changes in advance and sequence actions appropriately to achieve
smooth transitions. Preparations include adjusting the TTL of
records and RRSIG expirations. Sequencing has to account for the
worst case scenarios of data laying in compliant caches.
...that should be a high level description of the problem.
----------------------------------------------------------------------
It might be good to note that
the time from master to slave is negligible when using NOTIFY and IXFR,
increasing by reliance on AXFR, and more if you rely on the SOA timing
parameters for zone refresh. (Non-standard means of zone transfers have
other timing concerns.) When it comes to freshness of data within caches,
the TTL is the only pertinent parameter, with a shorter setting increasing
freshness at the cost of fewer cache "hits."
I propose to modify the 3rd paragraph of section 2 by appending your
text:
Administrators of secured zones will have to keep in mind that data
published on an authoritative primary server will not be
immediately seen by verifying clients; it may take some time for
the data to be transfered to other secondary authoritative
nameservers and clients may be fetching data from caching
non-authoritative servers. In this light ist is good to note that
the time from master to slave is negligible when using NOTIFY and
IXFR, increasing by reliance on AXFR, and more if you rely on the
SOA timing parameters for zone refresh.
s/ist/it/ - in there somewhere. Any other comments?
----------------------------------------------------------------------
I don't know what detail you want to include, but you should mention the
sliding scale of performance between master and slave, and a note on what
parameter(s) effect cache performance.
Is the detail in the above paragraph sufficient? If not could you help
us out with suggestions for text?
Probably enough. I'd be curious to hear from others on this too.
Maybe I'm glossing over something.
----------------------------------------------------------------------
#3.1 Zone and Key Signing Keys
#
# The DNSSEC validation protocol does not distinguish between DNSKEYs.
# All DNSKEYs can be used during the validation. In practice operators
Is that true? Is that because DNSKEYs must have the zone key bit set?
I forget how we resolved TKEY stuff the type code roll.
What about:
The DNSSEC validation protocol does not distinguish between DNSKEYs
with the SEP flag set or cleared. Both DNSKEYs can be used during the
validation. ...
Probably the original text is better. No reason to mention the SEP
flag here, I had forgotten that we kept the old KEY RR for TKEY stuff.
----------------------------------------------------------------------
#3.3 Key Effectivity Period
# For Key Signing Keys a reasonable key effectivity period is 13
# months, with the intent to replace them after 12 months. An intended
# key effectivity period of a month is reasonable for Zone Signing
# Keys.
Shouldn't this be linked to some minimum size of the key?
What about prepending a line to the above paragraph introducing a new
one sentence paragraph directly after that:
+ From a purely operational perspective a reasonable key effectivity
+ period for Key Signing Keys is 13 months, with the intent to
replace them after 12 months. An intended key effectivity period
of a month is reasonable for Zone Signing Keys.
+ For a key-size that matches these effectivity periods see section 3.5
Using these recommendations will lead to rollovers occurring
frequently enough to become part of 'operational habits'; the
procedure does not have to be reinvented every time a key is
replaced.
Key effectivity periods can be made very short, as in the order of a
few minutes. But when replacing keys one has to take the
considerations from Section 4.1 and Section 4.2 into account.
I have two answers to this.
One is that I think recommending a span of changes is good, and
saying that you should fit the key size to the span. (As opposed to
trying to worry about how long a key of a certain size will last.)
Operations can deal with the calendar better than less tangible
"events" (such as the time until a key is exposed or guessed).
The other answer is that I have heard suggestions that the KSK ought
to be longer lived - like 3 or so years. For the root, because of
the pain of putting it into anchor positions, even longer. This is
counter to "keep it regular so you get used to it" but it has appeal
to non-operations people.
I think it would be wise to recommend timing because there aren't a
lot of clear statements on this important issue. But perhaps you
need to recommend different time scales for different kinds of zone
administrations.
Others?
----------------------------------------------------------------------
#3.6 Private Key Storage
#
# It is recommended that, where possible, zone private keys and the
# zone file master copy be kept and used in off-line, non-network
# connected, physically secure machines only. Periodically an
# application can be run to add authentication to a zone by adding
# RRSIG and NSEC RRs. Then the augmented file can be transferred,
The problem with this recommendation is that a lot of the upper (sensitive)
zones have a "response time" pressure that pushes them to use
dynamic update.
Currently, dynamic update (tools) don't allow the inclusion of signatures,
this might have to be fixed. Left in limbo is the recommendation to
keep keys entirely off-line.
I understand your observation but I find it difficult to turn this
into document text. Do you have a suggestion?
Maybe...
When relying on dynamic update to manage a signed zone, be aware that
at least one zone's private key will have to reside on the master
server. This key is only as secure as the amount of exposure the
server receives to unknown clients and the security of the host.
Although not mandatory, administering DNS in this manner benefits if
the master is unavailable to the Internet, not listed in the NS
RRSet, an approach known as a "hidden master."
(Don't know if we've ever defined "hidden master."
# perhaps by sneaker-net, to the networked zone primary server machine.
It's ironic that this basic tenet of the DNSSEC world is somewhat out of
whack with what are labeled as the most sensitive zones.
The irony is not intentional. How can we improve?
I think it's a case of time passing the technology by. When we
started this process registries ran much slower. We've added dynamic
update, IXFR, etc., and there has been a demand for immediate
gratification when registering domain names.
The only way around this was to have DNSSECbis happen years ago. ;)
----------------------------------------------------------------------
#4.1.1 Time Considerations
#
# o We suggest the signature publication period to be at least one
# maximum TTL smaller than the signature validity period.
# Resigning a zone shortly before the end of the signature
# validity period may cause simultaneous expiration of data from
# caches. This in turn may lead to peaks in the load on
# authoritative servers.
This is confusing.
Are you suggesting that the publication period of a signature end at least
one maximum TTL duration before the end of the signature's validity period?
Yes, suggested rephrase:
o We suggest the publication period of a signature end at least one
maximum TTL duration before the end of the signature's validity
period.
Resigning a zone shortly before the end of the signature
validity period may cause simultaneous expiration of data
from caches. This in turn may lead to peaks in the load on
authoritative servers.
----------------------------------------------------------------------
# o We suggest the minimum zone TTL to be long enough to both fetch
# and verify all the RRs in the authentication chain. A low TTL
# could cause two problems:
# 1. During validation, some data may expire before the
# validation is complete. The validator should be able to keep
# all data, until is completed. This applies to all RRs needed
# to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and the
# final answers i.e. the RR set that is returned for the initial
# query.
# 2. Frequent verification causes load on recursive nameservers.
# Data at delegation points, DSs, DNSKEYs and RRSIGs benefit from
# caching. The TTL on those should be relatively long.
A low TTL has been demonstrated in workshops to be detrimental. (Not a
"could.") Even in a close-in workshop, TTL's of under 5 or 10 minuted
disrupted operations. In the wide Internet, the floor of the TTL will
have to be much higher.
Do we have a reference to the minutes of these workshops? If not I
propose to start the above paragraph with:
o We suggest the minimum zone TTL to be long enough to both fetch
and verify all the RRs in the authentication chain. In workshop
environments it has been demonstrated [E.Lewis: private
communication] that a low TTL (under 5 to 10 minutes) caused
disruptions because of the following two problems:
We should locate notes...or use the WG list as reference. (Usually
docs don't explicitly reference the list of a WG, they indicate that
the doc is a product of a WG.)
----------------------------------------------------------------------
# When a slave server is out of sync with its master and data in
# a zone is signed by expired signatures it may be better for the
# slave server not to give out any answer.
# We suggest the SOA expiration timer being approximately one
# third or one fourth of the signature validity period. It will
# allow problems with transfers from the master server to be
# noticed before the actual signature time out.
One wording choice I noticed - "smaller" rather than "shorter." When we
are talking time durations, "longer" and "shorter" are more appropriate.
I agree with the recommendation here, but I am not sure about the build up.
I think that a slave ought to continue to serve up RRSIGs whose time has
passed in the face of having lost contact with the master. For two reasons,
one is that the clock on the slave might be wrong and the other is that
resolvers might be willing to accept past-due data or are
completely ignoring
DNSSEC.
But it will cause a black out for part of the clients that pull from
that "SOA timed out" server if the do not ignore DNSSEC and do not
ignore signature validity time. Lameness is probably better than
complete blackouts.
We use the "it may be better" consciously.
Unless there are objections or alternative text I intend to keep the
text as is.
----------------------------------------------------------------------
#4.2.1.1 Pre-publish key set Rollover
#
# normal pre-roll roll after
#
# SOA0 SOA1 SOA2 SOA3
# RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
#
# DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
# DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
# DNSKEY11 DNSKEY11
# RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
# RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
RRSIG11(DNSKEY) RRSIG10(DNSKEY)
Those too?
No.. just as was written.
You introduce the key but you do not sign with it yet. You just allow
the public key to get "introduced" into the caches.
The public key is published but the key's effectivity period starts
only at the "roll".
I hope this is clear. It is the core of the document.
----------------------------------------------------------------------
# DNSKEY 10 is used to sign all the data of the zone, the zone-
# signing key.
# pre-roll: DNSKEY 11 is introduced into the key set. Note that no
# signatures are generated with this key yet, but this does not
# secure against brute force attacks on the public key. The minimum
# duration of this pre-roll phase is the time it takes for the data
# to propagate to the authoritative servers plus TTL value of the
# key set. This equates to two times the Maximum Zone TTL.
Aren't all keys required to sign the key set?
Only the keys a DS record points to.
----------------------------------------------------------------------
# roll: At the rollover stage (SOA serial 2) DNSKEY 11 is used to sign
# the data in the zone exclusively (i.e. all the signatures from
# DNSKEY 10 are removed from the zone). DNSKEY 10 remains published
# in the key set. This way data that was loaded into caches from
# version 1 of the zone can still be verified with key sets fetched
# from version 2 of the zone.
# The minimum time that the key set including DNSKEY 10 is to be
# published is the time that it takes for zone data from the
# previous version of the zone to expire from old caches i.e. the
# time it takes for this zone to propagate to all authoritative
# servers plus the Maximum Zone TTL value of any of the data in the
# previous version of the zone.
Not the maximum TTL, but the TTL of the key set.
You want data that is still cached and signed with signature 10 (as in
version SOA1 of the key) to expire before you remove key10 from
SOA2. That timing is set by the TTL of the zone data not the DNSKEY.
And also the REFRESH time in the SOA. "Pulling" a record from the
master won't pull it from a slave that isn't going to come back for
REFRESH seconds. It's like REFRESH + TTL at least. Even if you use
NOTIFY - recall that notifies are on UDP, hence not-guaranteed.
I also thought about this (the advantages of taking a real long time
to reply, I suppose). DNS allows a server to act as master and
slave, so it's possible that the first round of slaves wait REFRESH
seconds to get an updated zone from the master, and then their slaves
REFRESH seconds after that. "Regional masters" is one label I have
heard for this practice. In the extreme, it's conceivable that the
true time for a zone's propagation to all authoritative servers is
unbounded.
The text here ought to be general by saying that the admin should
allow for the maximum propagation delay to all authoritative servers
plus the TTL. Usually the propagation delay is small with NOTIFY,
may be REFRESH seconds for one layer of master server-slave server,
may be 2*REFRESH for slave servers that rely on other slave servers
for zone updates. Further chaining of slave servers increases the
potential delay, for this and other timing reasons, chaining of
servers ought to be kept to a minimum.
(This could be more
complicated as there would have been a TTL of one week yesterday, then
shortened to an hour today.)
Agreed... but I think mentioning this would complicate rather than
clarify.
You could actually also mention that one could take the 'maximum'
SIGNATURE expiration time of the data at the roll to determine when
the post-roll should occur. Caches should throw out the data when that
expiration time occurred. Since that provides you with an absolute time
to do the rollover that may actually be a good recommendation to give
too. (also see 4035 section 4.3 "The resolver SHOULD discard the
entire atomic entry when any of the RRs contained in it expire").
Any opinion from the working group?
I should draw some ascii art of the timeline. I'll do that after
sending this message and see what happens.
----------------------------------------------------------------------
#4.2.1.3 Pros and Cons of the Schemes
# Pre-publish-key set rollover: This rollover does not involve signing
# the zone data twice. Instead, before the actual rollover, the new
# key is published in the key set and thus available for
# cryptanalysis attacks. A small disadvantage is that this process
# requires four steps. Also the pre-publish scheme involves more
# parental work when used for KSK rollovers as explained in
# Section 4.2.
I don't think that cryptanalysis is possible without a signature to go
along with the public key, however, dictionary attacks are possible.
(As in "where have I seen this public key before and did I break it?")
The cryptanalysis attack was mentioned in 4.2.1.3, should we remove
that line?
Your editor needs guidance.
Does anyone else have an opinion. I've been led to believe my
comment by others professing cryptology expertise. Maybe I've been
misled or I misunderstood the problem.
----------------------------------------------------------------------
# The scenario above puts the responsibility for maintaining a valid
# chain of trust with the child. It also is based on the premises that
# the parent only has one DS RR (per algorithm) per zone. An
# alternative mechanism has been considered. Using an established
# trust relation, the interaction can be performed in-band, and the
# removal of the keys by the child can possibly be signaled by the
# parent. In this mechanism there are periods where there are two DS
# RRs at the parent. Since at the moment of writing the protocol for
# this interaction has not been developed further discussion is out of
# scope for this document.
Perhaps you should also show the DS set at the parent in the example.
Later you have one, but it is for the 2 DS at the parent option.
Ack, proposed diagram:
Parent:
normal between "roll"
and "after"
SOA0 SOA3
RRSIGpar(SOA0) RRSIGpar(SOA3)
DS1 DS2
RRSIGpar(DS) RRSIGpar(DS)
normal roll after
SOA0 SOA1 SOA2
RRSIG10(SOA0) RRSIG10(SOA1) RRSIG10(SOA2)
DNSKEY1 DNSKEY1 DNSKEY2
DNSKEY2
DNSKEY10 DNSKEY10 DNSKEY10
RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG2(DNSKEY)
RRSIG2 (DNSKEY)
RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY)
I would label this as four events - initial, new key, DS change, key removal.
I would also make the four look more asynchronous, like below:
initial new key DS change key removal
Parent Zone:
SOA0 --------> SOA3 -------->
RRSIGpar(SOA0) --------> RRSIGpar(SOA3) -------->
DS1 --------> DS2 -------->
RRSIGpar(DS) --------> RRSIGpar(DS) -------->
Child Zone:
SOA0 SOA1 --------> SOA2
RRSIG10(SOA0) RRSIG10(SOA1) --------> RRSIG10(SOA2)
DNSKEY1 DNSKEY1 --------> DNSKEY2
DNSKEY2 -------->
DNSKEY10 DNSKEY10 --------> DNSKEY10
RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) --------> RRSIG2(DNSKEY)
RRSIG2 (DNSKEY) -------->
RRSIG10(DNSKEY) RRSIG10(DNSKEY) --------> RRSIG10(DNSKEY)
This isolates the steps at the child vs the parent.
----------------------------------------------------------------------
#4.2.3 Difference Between ZSK and KSK Rollovers
#
# Note that KSK rollovers and ZSK rollovers are different. A zone-key
# rollover can be handled in two different ways: pre-publish (Section
# Section 4.2.1.1) and double signature (Section Section 4.2.1.2).
They really aren't that different - it's just the interaction with the
parent and waiting on the parent that is different. To a KSK, the "entire"
zone is the DNSKEY set, as opposed to all sets for the ZSK.
Suggestion
Note that KSK rollovers and ZSK rollovers are slightly different.
^^^^^^^^
Maybe that's over simplifying it.
Note that a KSK rollover and a ZSK rollover are similar but differ in
one fundamental aspect. KSK rollovers involve requesting action by
the parent and the ensuing delay in waiting for it. Other than that,
both can be achieved by pre-publishing the new key or by using double
signatures during the rollover.
----------------------------------------------------------------------
#4.3 Planning for Emergency Key Rollover
#
# This section deals with preparation for a possible key compromise.
# Our advice is to have a documented procedure ready for when a key
# compromise is suspected or confirmed.
#
# When the private material of one of your keys is compromised it can
# be used for as long as a valid authentication chain exists. An
# authentication chain remains intact for:
# o as long as a signature over the compromised key in the
# authentication chain is valid,
# o as long as a parental DS RR (and signature) points to the
# compromised key,
This is a considerable problem. A reminder that DS records ought to be
conservatively signed.
Suggestion:
o as long as a parental DS RR (and signature) points to the
compromised key (also see 4.4.4 DS Signature Validity Period)
----------------------------------------------------------------------
#4.3.1 KSK Compromise
#
# When the KSK has been compromised the parent must be notified as soon
# as possible using secure means. The key set of the zone should be
# resigned as soon as possible. Care must be taken to not break the
# authentication chain. The local zone can only be resigned with the
# new KSK after the parent's zone has created and reloaded its zone
# with the DS created from the new KSK. Before this update takes place
# it would be best to drop the security status of a zone all together:
# the parent removes the DS of the child at the next zone update.
# After that the child can be made secure again.
During any emergency impacting a system, I don't expect the system to
continue operating smoothly. As here, if there is a compromised key,
I don't expect maintaining the authentication chain is a priority. Two
things might be reasonable - dropping security and publication of the
problem via other channels.
Minimizing an outage is a priority of course, meaning that one key ought
not cause disruption for sibling domains.
#
# An additional danger of a key compromise is that the compromised key
# can be used to facilitate a legitimate DNSKEY/DS and/or nameserver
# rollover at the parent. When that happens the domain can be in
# dispute. An authenticated out of band and secure notify mechanism to
# contact a parent is needed in this case.
It's never wise to secure a system only by using the system's security.
We already suggested alternative text please see:
http://darkwing.uoregon.edu/~llynch/dnsop/msg03461.html
I hope that text is clearer.
What I don't understand is how the "chain of trust is broken."
It's the resolver that evaluates the trustworthiness of an RRSet,
it's not set by the server. Hence, with the potential that someone
is maliciously publishing data via a compromised key, the honest
server can't break the chain of trust.
All the server can do is limit the exposure caused by the key and the
fallout of the problem.
First, using the private key must stop and the (if KSK) DR RR no
longer be signed by the parent. The latter begins to limit the
duration of the vulnerability.
You don't gain by pulling the key or DS RR before the latest
expiration of a legitimate key or DS because the attacker could be
using that in a replay tactic. The benefit of this is that you don't
"break" legitimate data still in caches.
However, overriding all of this, is the fact that until the latest
expiring copy of the key or DS expires, you do not have security
control of the zone. The big question is - how long is a zone admin
willing to allow this window of vulnerability?
Pulling data early doesn't effectively shorten this window.
----------------------------------------------------------------------
#4.4.3 Security Lameness
#
# Security Lameness is defined as what happens when a parent has a DS
# RR pointing to a non-existing DNSKEY RR. During key exchange a
# parent should make sure that the child's key is actually configured
# in the DNS before publishing a DS RR in its zone. Failure to do so
# could cause the child's zone being marked as Bogus.
I think it is dangerous to suggest that the parent check the health of the
child. During key rollover, I think the child ought to be looking to see
when the parent has changed the DS record before changing the
child's DNSKEYs.
Now I am confused. I can imagine you would not like to see the
suggestion that the parent checks the health of the child but you not
having a DNSKEY before the parent publishes a DS would really break
things. It would at least put the "double signature rollover" to the
dustbin and registries would then have to deal with multiple DSs in
their zone.
A child can list two KSK's in their zone, ask the parent to DS the
new one. When the new DS is signed, the old KSK is yanked. There is
no need for the parent to see if the requested DS corresponds to any
published KSK, the child ought to be indicating that the new KSK is
in place by making the request.
I don't see any reason that the parent has to have multiple DS
records (per algorithm). True, if the child requests a new DS and
hasn't put the KSK in the zone, none of the child's data will
validate. In this case, the child feels the pain and the child is
the one that can fix this.
If the parent has to find it - it's like looking for the bent needle
in a haystack. And the parent really can't fix the situation -
putting back in the old DS might prolong a vulnerability that
prompted the botched rollover.
If you have the child looking up and the parent looking down, you run the
risk of a control "loop." I think the burden ought to be on the child to
always make sure it is well represented in the parent, to keep the attention
focused in one direction. Also, a large delegating parent might waste time
on the well-run children instead of helping out the needy kids.
Consider too that a child knows better what it's outage (connectivity)
situation is (than does the parent), which could account for any "missing"
keys.
Does changing the "should" into "could" in the above paragraph address
your uneasiness.
"During key exchange a parent could make sure that the child's key is
actually configured"
Could, yes, but I would add "as part of a comprehensive delegation
check." I don't think we want to say that DNSSEC also incurs higher
maintenance just because it can - which is what I read here.
----------------------------------------------------------------------
#4.4.4 DS Signature Validity Period
#
# Since the DS can be replayed as long as it has a valid signature, a
# short signature validity period over the DS minimizes the time a
# child is vulnerable in the case of a compromise of the child's
# KSK(s). A signature validity period that is too short introduces the
# possibility that a zone is marked Bogus in case of a configuration
# error in the signer. There may not be enough time to fix the
# problems before signatures expire. Something as mundane as operator
# unavailability during weekends shows the need for DS signature
# validity periods longer than 2 days. We recommend the minimum for a
# DS signature validity period of a few days.
Weeks. For a large zone, days are not enough.
It's not the signing that's a problem, it the management of the registry
that is.
If the signing is not a problem than I do not understand why the
management of the registry is a problem; the DS RRs that are published
by the parent are not subject to change.
It's been long said that the signing of DNSSEC is the easiest part of
the problem - ever since the first complaints that the early signers
took a lot of time.
The problem is that, in operations, things go wrong. Hardware fails,
demand fluctuates, the world is not inherently cyclical no matter how
hard the ops staff tries to make it. Because of this, you want to
set up events that are easily identifiable (so you can tell if it
happened or not) and you want to leave spare time for catch up. If
ths signing process doesn't fire on Tuesday night because of an
upgrade to the air conditioning units, you have to allow for it to
happen a week later because maybe there is other work due on
Wednesdays.
Or is "the management of the registry" not a piece of software but
pieces of bio-ware that sets the minimal values?
A registry is not a software chunk, it's a conglomeration of
subsystems - including things like billing that are usually
forgotten, layered on top of utilities that have a mind of their own.
We've often said that DNSSEC complicates the delegations in DNS.
Delegations are hard enough to manage today. For this section, what
I ask is that we do not appear too optimistic in our timing
recommendations.
----------------------------------------------------------------------
# The maximum signature validity period of the DS record depends on how
# long child zones are willing to be vulnerable after a key compromise.
# Other considerations, such as how often the zone is (re)signed can
# also be taken into account.
#
# We consider a signature validity period of around one week to be a
# good compromise between the operational constraints of the parent and
# minimizing damage for the child.
One week is not realistic, one month is what to prepare for. IMHO,
putting any timescale in this document might create unrealistic
expectations unless the timescale is a necessary piece of the
protocol.
Hmmm, the document doesn;t force you to choose this particular compromise.
I do think that putting timescales in is something that the "DNSOP"
group can do even though the timing is not piece of the protocol. In
the document we argue the tradeoff and argue that the timescale is a
compromise.
I do get your point though, you would not like to see this document
being stuffed in your face if you do not meet these
recommendations. Maybe we can address this in the introduction of the
text by adding a line to the first paragraph of the Introduction:
During workshops and early operational deployment tests, operators
and system administrators gained experience about operating the DNS
with security extensions (DNSSEC). This document translates these
experiences into a set of practices for zone administrators. At the
time of writing, there exists very little experience with DNSSEC in
production environments; this document should therefore explicitly
+ not be seen as representing 'Best Current Practices'. The intention of
+ this document is to provide guidance, it should not be used to argue
+ that operators violate best practices when they choose not to follow
+ recommendations herein.
On the one hand, I see a few places where IETF documents have been
taken too seriously. On the other hand, I have seen a few places
where a lack of a clear statement has led to a morass of problems.
For example, statements made about IPv6 allocations that appeared in
IETF documents 5 years ago still rule conversations in the RIRs.
Alone this is not bad, but there are some who have taken time to
acknowledge that the IETF of 5 years ago has significantly less
experience than the operator community of today. (To emphasize my
point without engendering a flamefest - the IETF of 5 years ago has
much less operational experience than the IETF of today too, but I
didn't mean to compare that.) The documentation of years ago is
still pertinent, but some have refused to question it.
I also see where not saying enough leads to problems. Service level
agreements are needed to judge the expectations and performance on
either side of a contractural agreement. When there are many
contracts for similar service, there is a natural tendency to compare
the performers. This can't be fairly done if the service levels are
measured on an ad hoc basis - which is what happens in a vacuum of a
standard recommendation.
This is kind of long-winded in saying that I am concerned that the
words above may not be taken seriously but I think softening the
document in other areas is a mistake.
# In addition to the signature validity period, which sets a lower
# bound on the amount of times the zone owner will need to sign the
# zone data and which sets an upper bound to the time a child is
# vulnerable after key compromise, there is the TTL value on the DS
# RRs. By lowering the TTL, the authoritative servers will see more
# queries, on the other hand a low TTL increases the speed with which
# new DS RRs propagate through the DNS. As argued in Section 4.1.1,
# the TTL should be a fraction of the signature validity period.
A lower TTL doesn't really increase "the speed with which new DS RRs
propagate through the DNS." What is true is that it "lowers the persistence
of DS RRSets in caches, forcing more queries to the authoritative servers."
How about:
By lowering the TTL, the authoritative servers will see more
queries, on the other hand a low TTL lowers the persistence of old
DS RRSets in caches thereby increases the speed with which new DS
RRs propagate through the DNS.
Lowering the TTL, lowering the REFRESH, and flattening the zone transfer tree.
I would reword as this:
Shortening the TTL means that the authoritative servers will see more
queries. But on the other hand, a short TTL lowers the persistence of
DS RRSets in caches thereby increases the rapidity with which updated DS
RRSets propagate through the DNS.
----------------------------------------------------------------------
#Appendix A. Terminology
# Secure Entry Point key or SEP Key: A KSK that has a parental DS
# record pointing to it. Note: this is not enforced in the
# protocol. A SEP Key with no parental DS is security lame.
Yess.. this looks weird ... the last sentence is just wrong...
How about just:
Secure Entry Point key or SEP Key: A KSK that has a parental DS
record pointing to it or is configured as a trust-anchor Note:
this is not enforced in the protocol.
I'd leave off the "Note:..." I still don't know what that means.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
If you knew what I was thinking, you'd understand what I was saying.
.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
