Re: [DNSOP] public consultation on root zone KSK rollover
On 3 Apr 2013, at 17:38, Evan Hunt e...@isc.org wrote:

> Then there's the issue Paul mentioned -- gear configured with a root KSK that gets switched off and not rebooted for a few months or years, and then no longer works and can't recover.

Validator vendors have to provide an out-of-band trust anchor update mechanism to cope with this. It needs to be coded and included in long-term support releases of validators and operating systems before rollover, I think.

I am not sure if ICANN intend their trust anchor download server to be used for this purpose or if vendors are expected to provision their own mirrors.

I also don't know how to assess the trustworthiness of ICANN's signatures on the trust anchor.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] public consultation on root zone KSK rollover
On 2013-04-06, at 16:55, Tony Finch d...@dotat.at wrote:

> On 3 Apr 2013, at 17:38, Evan Hunt e...@isc.org wrote:
>
>> Then there's the issue Paul mentioned -- gear configured with a root KSK that gets switched off and not rebooted for a few months or years, and then no longer works and can't recover.
>
> Validator vendors have to provide an out-of-band trust anchor update mechanism to cope with this. It needs to be coded and included in long-term support releases of validators and operating systems before rollover, I think.

draft-jabley-dnsop-validator-bootstrap.

> I am not sure if ICANN intend their trust anchor download server to be used for this purpose or if vendors are expected to provision their own mirrors.

Our server is fine. Others' servers are also fine, although we would likely prefer to wrap some small process around contact info, notifications when there is new content, etc.

> I also don't know how to assess the trustworthiness of ICANN's signatures on the trust anchor.

draft-jabley-dnsop-validator-bootstrap. There is some work required on the details, but the intended direction should be clear.

Joe
Re: [DNSOP] public consultation on root zone KSK rollover
On 3 Apr 2013, at 16:11, Paul Wouters p...@nohats.ca wrote:

> It's the vendors of equipment supporting DNSSEC that have the real issues. If they shipped with a root anchor, and their stuff is offline for 5 years and turned on, their DNS will be broken and 5011 isn't going to be useful to them.

The real problem occurs when the latest release of the validator software was published before the rollover, and you install it after the rollover. It is perfectly reasonable to install software that is a few months old.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Re: [DNSOP] public consultation on root zone KSK rollover
On 6 Apr 2013, at 10:04, Joe Abley jab...@hopcount.ca wrote:

> On 2013-04-06, at 16:55, Tony Finch d...@dotat.at wrote:
>
>> Validator vendors have to provide an out-of-band trust anchor update mechanism to cope with this. It needs to be coded and included in long-term support releases of validators and operating systems before rollover, I think.
>
> draft-jabley-dnsop-validator-bootstrap.

Still needs implementation.

My point about trustworthiness is that there is (as far as I know) no documentation of how the private keys are managed for the certificates / signatures on the trust anchor files, which rather undermines the elaborate root KSK management.

I am also worried about being vulnerable to a screwup by any number of CAs; it would be good to pin the list of CA certs that might be used to verify the DNS trust anchor signatures.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Re: [DNSOP] public consultation on root zone KSK rollover
Hi Tony,

The intention was that those distributing code that relies upon retrieval of an authentic trust anchor would make arrangements with ICANN to sign trusted copies of the relevant objects themselves and have those signatures published alongside the ICANN-generated signatures. So, ISC could use the same PGP key as they use to sign BIND9 distributions, Apple could use a key derived from their code-signing CA, etc. In this way users could have the same trust in the retrieved trust anchor as they do in the software that has retrieved it.

We have not had significant interest from vendors in developing this approach, but we remain interested.

Joe

Aue Te Ariki! He toki ki roto taku mahuna!

On 2013-04-06, at 17:22, Tony Finch d...@dotat.at wrote:

> On 6 Apr 2013, at 10:04, Joe Abley jab...@hopcount.ca wrote:
>
>> On 2013-04-06, at 16:55, Tony Finch d...@dotat.at wrote:
>>
>>> Validator vendors have to provide an out-of-band trust anchor update mechanism to cope with this. It needs to be coded and included in long-term support releases of validators and operating systems before rollover, I think.
>>
>> draft-jabley-dnsop-validator-bootstrap.
>
> Still needs implementation.
>
> My point about trustworthiness is that there is (as far as I know) no documentation of how the private keys are managed for the certificates / signatures on the trust anchor files, which rather undermines the elaborate root KSK management.
>
> I am also worried about being vulnerable to a screwup by any number of CAs; it would be good to pin the list of CA certs that might be used to verify the DNS trust anchor signatures.
>
> Tony.
> --
> f.anthony.n.finch d...@dotat.at http://dotat.at/
Re: [DNSOP] public consultation on root zone KSK rollover
Moin!

On 06.04.2013, at 11:04, Tony Finch d...@dotat.at wrote:

> On 3 Apr 2013, at 16:11, Paul Wouters p...@nohats.ca wrote:
>
>> It's the vendors of equipment supporting DNSSEC that have the real issues. If they shipped with a root anchor, and their stuff is offline for 5 years and turned on, their DNS will be broken and 5011 isn't going to be useful to them.
>
> The real problem occurs when the latest release of the validator software was published before the rollover, and you install it after the rollover. It is perfectly reasonable to install software that is a few months old.

I don't think that this is the real problem. The real problem is when a validator has a history of 5011 keys and gets shut down for a year or a couple of months while the root KSK rolls.

Initially it might be better for validators, instead of being shipped with a key, to follow draft-jabley-dnssec-trust-anchor to get the initial root key. There are some implementations out there that already do this. I think it might be good to extend draft-jabley-dnsop-validator-bootstrap to also cover problems introduced by root KSK rollover in order to give people guidance in case their bootstrap process is stuck.

I'll also add these comments to the ICANN root key roll consultation page later (just returned from vacation).

So long
-Ralf
---
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
2000 Seaport Blvd. Suite 400
Redwood City, California 94063
ralf.we...@nominum.com
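Ralf's suggestion above is that a validator obtain its initial root key through the bootstrap draft instead of shipping with one baked in. Whatever transport and signatures the bootstrap uses, the step that follows is the same: the published trust anchor is in DS form (key tag, algorithm, digest type, digest), and the resolver must confirm that a SEP key in the root DNSKEY RRset it fetched actually hashes to that digest before it trusts anything signed by it. The code below is an added example, not code from the thread or from either draft, showing that DS-to-DNSKEY check as specified in RFC 4034 (digest in section 5.1.4, key tag in appendix B). The key material, the helper names and the DS line are constructed for the demonstration and are not a real root KSK.

```python
import hashlib

SEP_FLAG = 0x0001            # DNSKEY "secure entry point" bit (RFC 4034)
ROOT_OWNER_WIRE = b"\x00"    # the root name "." in DNS wire format
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types 1 and 2


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag computed over the DNSKEY RDATA (RFC 4034 appendix B)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner_wire, rdata, digest_type):
    """DS digest = hash(owner name | DNSKEY RDATA) (RFC 4034 section 5.1.4)."""
    return DIGEST_ALGS[digest_type](owner_wire + rdata).digest()


def parse_ds(text):
    """Parse a DS record in presentation format: '<key tag> <alg> <digest type> <hex digest>'."""
    tag, alg, dtype, hexdigest = text.split()
    return {"key_tag": int(tag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": bytes.fromhex(hexdigest)}


def publish_ds(dnskey, digest_type=2):
    """Publisher side: the DS-form trust anchor a bootstrap file would carry for this KSK."""
    flags, protocol, algorithm, pubkey = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = ds_digest(ROOT_OWNER_WIRE, rdata, digest_type)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest.hex().upper()}"


def anchor_matches(anchor, dnskeys):
    """Validator side: True if some SEP key in the fetched root DNSKEY RRset matches the anchor."""
    for flags, protocol, algorithm, pubkey in dnskeys:
        if not flags & SEP_FLAG:          # only SEP keys are candidate trust anchors
            continue
        rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
        if (key_tag(rdata) == anchor["key_tag"]
                and algorithm == anchor["algorithm"]
                and ds_digest(ROOT_OWNER_WIRE, rdata, anchor["digest_type"]) == anchor["digest"]):
            return True
    return False


# Constructed key material for the demonstration; not a real root KSK.
KSK = (257, 3, 8, b"\x01\x02\x03\x04")            # flags 257 = ZONE + SEP
ZSK = (256, 3, 8, b"\x01\x02\x03\x04")            # same bytes, but not a SEP key
TAMPERED_KSK = (257, 3, 8, b"\x01\x02\x03\x05")   # one public-key byte altered

if __name__ == "__main__":
    anchor_line = publish_ds(KSK)                 # what the bootstrap file hands the validator
    anchor = parse_ds(anchor_line)
    print(anchor_line)
    print("matches fetched RRset:", anchor_matches(anchor, [ZSK, KSK]))
    print("matches tampered RRset:", anchor_matches(anchor, [ZSK, TAMPERED_KSK]))
```

The key tag alone is not a security check (it is a 16-bit checksum, and collisions are normal), which is why `anchor_matches` also compares the algorithm and recomputes the digest; a mismatch on any of the three means the fetched DNSKEY is not the key the anchor file vouches for, and the resolver should treat its bootstrap as failed rather than fall back to trusting whatever it received.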
Re: [DNSOP] public consultation on root zone KSK rollover
On 6 Apr 2013, at 10:28, Joe Abley jab...@hopcount.ca wrote:

> The intention was that those distributing code that relies upon retrieval of an authentic trust anchor would make arrangements with ICANN to sign trusted copies of the relevant objects themselves and have those signatures published alongside the ICANN-generated signatures.

Sounds sensible to me. Really must press forward with implementing this well before the rollover.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Re: [DNSOP] public consultation on root zone KSK rollover
On Apr 3, 2013, at 7:11 AM, Joe Abley jab...@hopcount.ca wrote:

> We have received a small number of responses which are accessible from that page.

Maybe that should be a strong indication of how little people care about this?

Note that none of the responses so far come from administrators of signed TLDs, the folks most directly affected by a roll. It is hard to tell why that might be, but I suspect that it involves trepidation and maybe outright fear. Of course, they cannot voice that publicly.

> If you have experience, opinions or expertise to contribute,

The first and third are way more important than the second, although people with the second can certainly make it sound like they have the third.

--Paul Hoffman
Re: [DNSOP] public consultation on root zone KSK rollover
On 2013-04-03, at 11:00, Paul Hoffman paul.hoff...@vpnc.org wrote:

> On Apr 3, 2013, at 7:11 AM, Joe Abley jab...@hopcount.ca wrote:
>
>> We have received a small number of responses which are accessible from that page.
>
> Maybe that should be a strong indication of how little people care about this?

Maybe, for sure. But in case it's because people just forgot the question had been asked, I thought I'd send a reminder.

> Note that none of the responses so far come from administrators of signed TLDs, the folks most directly affected by a roll. It is hard to tell why that might be, but I suspect that it involves trepidation and maybe outright fear. Of course, they cannot voice that publicly.

I think there's an argument that the people most directly affected by a roll will be end users to whom DNS responses are being validated. A KSK rollover in the root zone has no impact on signing operations at TLDs, or at any other zone.

>> If you have experience, opinions or expertise to contribute,
>
> The first and third are way more important than the second, although people with the second can certainly make it sound like they have the third.

People with experience or expertise usually have opinions, in my experience :-)

Joe
Re: [DNSOP] public consultation on root zone KSK rollover
On 2013-04-03, at 11:11, Paul Wouters p...@nohats.ca wrote:

> I'd say addressing that problem should be done before rolling the root key.

It would be great to hear such opinions expressed as part of the public comment process, so that they can be used to identify the approach that will be followed.

Joe
Re: [DNSOP] public consultation on root zone KSK rollover
On Apr 3, 2013, at 8:03 AM, Joe Abley jab...@hopcount.ca wrote:

>> Note that none of the responses so far come from administrators of signed TLDs, the folks most directly affected by a roll. It is hard to tell why that might be, but I suspect that it involves trepidation and maybe outright fear. Of course, they cannot voice that publicly.
>
> I think there's an argument that the people most directly affected by a roll will be end users to whom DNS responses are being validated.

There is such an argument, and there is a counter-argument. If rolling the root key causes visible problems (which I think most of us expect), it will be followed by lots of press articles that say "see, DNSSEC isn't reliable". The diminishing of trust has a greater effect on those who have committed resources to making their zone trustable than to relying parties.

> A KSK rollover in the root zone has no impact on signing operations at TLDs, or at any other zone.

Fully agree. If you focus just on the operations effects, it is easy to say that there will only be good coming from the roll. I prefer to look at the effect on the whole system, including the trust that the system is worthwhile.

--Paul Hoffman (who probably should have sent this and the earlier reply to dnssec-deploy, not dnsop, given that they were about trust and not operations)
Re: [DNSOP] public consultation on root zone KSK rollover
On Wed, Apr 03, 2013 at 08:00:48AM -0700, Paul Hoffman paul.hoff...@vpnc.org wrote a message of 15 lines which said:

> Note that none of the responses so far come from administrators of signed TLDs,

OK, signed TLD employee hat on.

> the folks most directly affected by a roll.

IMHO, no, the people most affected will be the managers of the validating resolvers (and, by extension, of their users). Many have no easy way to change the root key, or even knowledge that they may have to do so (don't shout "5011". Was RFC 5011 actually tested in a real rollover with the current resolvers?)
Re: [DNSOP] public consultation on root zone KSK rollover
On Wed, Apr 03, 2013 at 11:14:24AM -0400, Joe Abley jab...@hopcount.ca wrote a message of 14 lines which said:

> It would be great to hear such opinions expressed as part of the public comment process,

Is there a way in this process to say "me too"? (A "Like" button, maybe :-) Because I fully agree with David Burns and do not see the need to write a long message just to say +1.
Re: [DNSOP] public consultation on root zone KSK rollover
On Wed, Apr 03, 2013 at 05:17:35PM +0200, Stephane Bortzmeyer wrote:

> Was RFC 5011 actually tested in a real rollover with the current resolvers?)

Depends what you mean by "real". The BIND implementation has been tested with real keys, but obviously it's never been confronted with an actual real-world root-zone rollover. In principle there's no difference, but in practice I'm less confident: Rolling the root zone means exercising the RFC 5011 code in *many* validating resolvers, on different platforms with different configurations, and with high stakes in the event of failure. The possibility that we've overlooked a test scenario and some validators out there will fail to roll to the new trust anchor correctly is going to give me jitters until we've done it the first time.

Then there's the issue Paul mentioned -- gear configured with a root KSK that gets switched off and not rebooted for a few months or years, and then no longer works and can't recover.

Unfortunately, none of these concerns get smaller if we wait longer.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
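Both Ralf's message earlier in the thread and Evan's above describe the same failure: a resolver that follows RFC 5011 is fine while it is on, but one that is powered off across the roll comes back with only the old anchor, sees a root DNSKEY RRset signed solely by the new key, and has no trusted signer to let it accept the update. The code below is an added example, not code from the thread, BIND, or any vendor, and it simplifies RFC 5011 to the add hold-down and the REVOKE bit so the offline case is visible: the remove hold-down, the key tag change caused by setting REVOKE, and the timer details are omitted, and the key tags, day numbers and RRset sequence are constructed.

```python
# Simplified RFC 5011 trust anchor tracker (added example, constructed data).
ADD_HOLD_DOWN_DAYS = 30   # RFC 5011 section 2.4.1: add hold-down time
SEP_FLAG = 0x0001         # secure entry point bit (RFC 4034)
REVOKE_FLAG = 0x0080      # revoke bit (RFC 5011 section 2.1)


class Rfc5011Tracker:
    """Tracks root trust anchors from the root DNSKEY RRsets a resolver observes."""

    def __init__(self, configured_anchor):
        self.valid = {configured_anchor}   # key tags currently trusted
        self.pending = {}                  # key tag -> day it was first seen
        self.stuck = False                 # True when no trusted key signs the RRset

    def observe(self, day, keys, signer_tags):
        """keys: {key tag: flags} of the DNSKEY RRset; signer_tags: tags that signed it."""
        # RFC 5011 only acts on an RRset validly signed by a currently trusted key;
        # anything else is ignored, so the anchor set cannot be changed by an attacker
        # and also cannot be changed by a legitimate roll the resolver never witnessed.
        if not set(signer_tags) & self.valid:
            self.stuck = True
            return self.status()
        self.stuck = False
        for tag, flags in keys.items():
            if not flags & SEP_FLAG:
                continue
            if flags & REVOKE_FLAG:
                # A revoked key is only believed if it signed the RRset itself.
                if tag in self.valid and tag in signer_tags:
                    self.valid.discard(tag)
                self.pending.pop(tag, None)
                continue
            if tag in self.valid:
                continue
            first_seen = self.pending.setdefault(tag, day)
            if day - first_seen >= ADD_HOLD_DOWN_DAYS:
                self.valid.add(tag)
                del self.pending[tag]
        # A pending key that disappears from the RRset restarts its hold-down.
        for tag in list(self.pending):
            if tag not in keys:
                del self.pending[tag]
        return self.status()

    def status(self):
        return {"valid": frozenset(self.valid), "stuck": self.stuck}


OLD, NEW = 1001, 2002   # constructed key tags, not real root KSK tags


def roll_timeline():
    """Constructed sequence of (day, DNSKEY RRset, signer tags) during a KSK roll."""
    return [
        (0, {OLD: SEP_FLAG}, [OLD]),
        (1, {OLD: SEP_FLAG, NEW: SEP_FLAG}, [OLD]),                         # new KSK pre-published
        (35, {OLD: SEP_FLAG, NEW: SEP_FLAG}, [OLD, NEW]),                   # add hold-down has elapsed
        (70, {OLD: SEP_FLAG | REVOKE_FLAG, NEW: SEP_FLAG}, [OLD, NEW]),     # old KSK revoked
        (200, {NEW: SEP_FLAG}, [NEW]),                                      # old KSK withdrawn
    ]


def run(always_on):
    """Replay the roll for a resolver that is always on, or off from day 1 until day 200."""
    tracker = Rfc5011Tracker(OLD)
    result = tracker.status()
    for day, keys, signers in roll_timeline():
        if not always_on and 0 < day < 200:
            continue   # resolver powered off; it never sees the intermediate RRsets
        result = tracker.observe(day, keys, signers)
    return result


if __name__ == "__main__":
    print("always on:", run(True))     # ends trusting NEW, not stuck
    print("offline  :", run(False))    # still trusts OLD only, stuck
```

The always-on run ends with only the new tag trusted; the offline run reports `stuck` with the old tag still the only anchor, and nothing in the protocol can move it from there, which is the point Tony and Evan make about needing an out-of-band update path. Operationally the `stuck` flag is also the thing to alarm on: a validator that keeps receiving root DNSKEY RRsets it cannot validate against any trusted anchor is about to fail every lookup, and catching that before the old keys are withdrawn is the window in which a manual anchor refresh is still painless.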
Re: [DNSOP] public consultation on root zone KSK rollover
On 2013-04-03, at 11:20, Stephane Bortzmeyer bortzme...@nic.fr wrote:

> On Wed, Apr 03, 2013 at 11:14:24AM -0400, Joe Abley jab...@hopcount.ca wrote a message of 14 lines which said:
>
>> It would be great to hear such opinions expressed as part of the public comment process,
>
> Is there a way in this process to say "me too"? (A "Like" button, maybe :-) Because I fully agree with David Burns and do not see the need to write a long message just to say +1.

Well, you could always comment and say that :-)

Joe