On 30 Nov 2016, at 14:49, John Levine wrote:
In article you
write:
On Wed, 30 Nov 2016, Matt Larson wrote:
Did you see my message earlier in the thread? Is there a reason you
don't include a third option: retrieving the trust anchor file
In article you write:
>On Wed, 30 Nov 2016, Matt Larson wrote:
>
>> Did you see my message earlier in the thread? Is there a reason you
>> don't include a third option: retrieving the trust anchor file published
>> by IANA/PTI
On 30 Nov 2016, at 8:00, Mikael Abrahamsson wrote:
On Wed, 30 Nov 2016, Matt Larson wrote:
Did you see my message earlier in the thread? Is there a reason you
don't include a third option: retrieving the trust anchor file
published by IANA/PTI
Matt Larson wrote:
>
> Is there a reason you don't include a third option: retrieving the trust
> anchor file published by IANA/PTI
> (https://data.iana.org/root-anchors/root-anchors.xml) and validating
> with the detached S/MIME signature published in the same place
>
On Wed, 30 Nov 2016, Matt Larson wrote:
Did you see my message earlier in the thread? Is there a reason you
don't include a third option: retrieving the trust anchor file published
by IANA/PTI (https://data.iana.org/root-anchors/root-anchors.xml) and
validating with the detached S/MIME
> On Nov 16, 2016, at 5:05 AM, George Michaelson wrote:
>
> On the current timeline, October 11 -> January 11 so three months.
>
> Vendors of sealed units who ship equipment from before October 11 with
> delivery held up for three months at the docks by a strike, or people
son
>Sent: November-16-16 8:45 PM
>To: Ondřej Surý
>Cc: dnsop
>Subject: Re: [DNSOP] DNSSEC operational issues long term
>
>On Thu, 17 Nov 2016, Ondřej Surý wrote:
>
>> Again, you are using unfair arguments. The devices have to cope with
>> that and it doesn't have
Edward Lewis wrote:
>
> There's been a lot of research consideration of how shelved or otherwise
> disconnected devices catch up. I recall 20 years ago this topic was
> amongst the issues in the labs where I worked, the usual use case
> involved submarines surfacing.
One
On Thu, 17 Nov 2016, Ondřej Surý wrote:
Mikael,
the operation of the root zone and signing of the root
zone is in the ICANN/IANA bailiwick. Therefore most of
the relevant document to the RZ DNSSEC operations can
be found at https://www.iana.org/dnssec/ and the document
you are most interested
/
- Original Message -
> From: "Mikael Abrahamsson" <swm...@swm.pp.se>
> To: "Ondřej Surý" <ondrej.s...@nic.cz>
> Cc: "dnsop" <dnsop@ietf.org>
> Sent: Thursday, 17 November, 2016 02:45:24
> Sub
- Original Message -
> From: "Mikael Abrahamsson" <swm...@swm.pp.se>
> To: "Ted Lemon" <mel...@fugue.com>
> Cc: "dnsop" <dnsop@ietf.org>
> Sent: Thursday, 17 November, 2016 01:44:59
> Subject: Re: [DNSOP] DNSSEC opera
btw this is not in any sense a novel problem. Anyone who owns a Dell,
and uses iDrac will be familiar with the "your certificate chain to
this console java app is expired" problem. It can be fixed, but it
requires effort.
And alongside the crypto age-out problem, the dependency on java is
Sent from my iPhone
> On Nov 16, 2016, at 22:41, Bob Harold wrote:
>
>> This is not well thought out, but what jumps to mind is to keep a chain of
>> signatures in the root DNS that links from the original KSK up through the
>> current KSK (or at least the last 10
On Nov 16, 2016, at 22:38, Philip Homburg wrote:
>> Did you see my original response? Proposals for automatic DNSSEC trust
>> anchor updating *do* exist.
>
> Is there any document that deals with the situation where a device has
> been in a box for 10 years and then
On Thu, 17 Nov 2016, Ted Lemon wrote:
Embedded systems of this sort need to have a management process so that
that can be updated. This is needed for more reasons than DNSSEC. Putting a
ten year old device on a network without upgrading the firmware is
irresponsible.
We have been discussing
On 11/17/16, 08:49, "Matthew Pounsett" wrote:
>On 17 November 2016 at 06:57, "joel jaeggli" wrote:
>
>>A decade is well within the service range of all sorts embedded systems.
>
>Service range, sure. But back-room storage range?
The day before I flew here I took time to unbox a printer my wife
In message , Dan York writes:
> Mark,
>
> I agree that a physical solution could be a workable option (and a nice
> one), BUT
>
> On Nov 17, 2016, at 6:46 AM, Mark Andrews
> > wrote:
>
> Is it that hard to add
;Mikael Abrahamsson"
> <swm...@swm.pp.se>
> Sent: Wednesday, 16 November, 2016 23:28:18
> Subject: Re: [DNSOP] DNSSEC operational issues long term
>
> On Nov 17, 2016, at 6:46 AM, Mark Andrews < [ mailto:ma...@isc.org |
> ma...@isc.org ] > wrote:
>
>
On 17 November 2016 at 06:57, joel jaeggli wrote:
>
> A decade is well within the service range of all sorts embedded systems.
>
Service range, sure. But back-room storage range? I agree it's an
unreasonably long time to have something to sit on a shelf, never-used, and
> On Nov 16, 2016, at 1:56 AM, Mikael Abrahamsson wrote:
>
> So if it's manufactured the day before a new key is publically released, when
> is the key material it has built in no longer viable to have successful
> DNSSEC validation?
Since we haven't done a root KSK roll
- Original Message -
> From: "Emily Shepherd" <em...@emilyshepherd.me>
> To: "Mikael Abrahamsson" <swm...@swm.pp.se>
> Cc: "dnsop" <dnsop@ietf.org>
> Sent: Wednesday, 16 November, 2016 14:26:53
> Subject: Re: [DNSOP] DNSSEC ope
Mark,
I agree that a physical solution could be a workable option (and a nice one),
BUT
On Nov 17, 2016, at 6:46 AM, Mark Andrews >
wrote:
Is it that hard to add a sim or sd card reader? This is the solution
the cable industry uses for its crypto
Embedded systems of this sort need to have a management process so that
that can be updated. This is needed for more reasons than DNSSEC. Putting a
ten year old device on a network without upgrading the firmware is
irresponsible.
On Nov 17, 2016 06:57, "joel jaeggli" wrote:
>
On 11/16/16 10:44 PM, Wessels, Duane wrote:
>
>> On Nov 16, 2016, at 10:18 PM, Mikael Abrahamsson wrote:
>>
>> As a whole, nobody seems to be interested in actually coming up with a
>> viable solution that actually fixes peoples problems. Everybody's just
>> punting the
There is also the physical solution. Have removable storage for
the key and update the key using this externally when reqired. Nano
sims or micro sd card would be a good form factor for this. Pick
a standard file name and you just have them sitting on the shelves
in stores with the key date
On Wed, Nov 16, 2016 at 08:41:03AM -0500, Bob Harold wrote:
> > Do you have a suggestion for a solution?
> >
> This is not well thought out, but what jumps to mind is to keep a chain of
> signatures in the root DNS that links from the original KSK up through the
> current KSK (or at least the last
Steve Crocker wrote:
> I recall a discussion several years about having a site that
> would have
> all of the keys accumulated over time. A query to it would return the
> current key. It's roughly analogous to using a root hints file
> to find a
> current root server and
I recall a discussion several years about having a site that would have all of
the keys accumulated over time. A query to it would return the current key.
It's roughly analogous to using a root hints file to find a current root server
and from that the full set of current servers.
This
Johan Ihren and I and Olaf had a competing ID that delt with shelf life and
embedded devices w/o an easy way to update key info. RFC 5011 won out
since shelf life and embedded devices were considered edge cases.
/Wm
On Wednesday, 16 November 2016, Tony Finch wrote:
> Wessels,
Wessels, Duane wrote:
>
> I don't think its possible to have a solution that works for devices on
> the shelf for an arbitrarily long time. You posed the problem as 10
> years, which I think is an unrealistically long time.
>
> You could probably have a useful discussion
Looks like someone else thought of it already:
https://tools.ietf.org/html/draft-wijngaards-dnsext-trust-history-03
Thanks to Jaap for that info.
Someone will probably point out that using keys for a long time increases
the chances that someone can break them, But in this case I think it is
On Wed, 16 Nov 2016, Bob Harold wrote:
This is not well thought out, but what jumps to mind is to keep a chain
of signatures in the root DNS that links from the original KSK up
through the current KSK (or at least the last 10 years). Perhaps a
different record type, so it is only sent if
Philip Homburg writes:
> >Did you see my original response? Proposals for automatic DNSSEC trust
> >anchor updating *do* exist.
>
> Is there any document that deals with the situation where a device has
> been in a box for 10 years and then has to bootstrap automatically?
>
> I'm not
> On Nov 16, 2016, at 10:18 PM, Mikael Abrahamsson wrote:
>
> As a whole, nobody seems to be interested in actually coming up with a viable
> solution that actually fixes peoples problems. Everybody's just punting the
> problem elsewhere or waving their hands and says "not
On Wed, Nov 16, 2016 at 8:30 AM, Dan York wrote:
>
> On Nov 16, 2016, at 10:18 PM, Mikael Abrahamsson wrote:
>
> As a whole, nobody seems to be interested in actually coming up with a
> viable solution that actually fixes peoples problems. Everybody's just
>
>Did you see my original response? Proposals for automatic DNSSEC trust
>anchor updating *do* exist.
Is there any document that deals with the situation where a device has
been in a box for 10 years and then has to bootstrap automatically?
I'm not aware of any. But maybe there is.
Note that by
On Nov 16, 2016, at 10:18 PM, Mikael Abrahamsson
> wrote:
As a whole, nobody seems to be interested in actually coming up with a viable
solution that actually fixes peoples problems. Everybody's just punting the
problem elsewhere or waving their hands
Ted Lemon wrote:
> Why would you put a device on the shelf for ten years?
The failure occurs if a device is on the shelf for the wrong 6 months
(second half of 2017) and this is a completely reasonable length of time
to hold stock.
> This is certainly a known issue that has
On Wed, Nov 16, 2016 at 10:56:35AM +0100, Mikael Abrahamsson wrote:
So if it's manufactured the day before a new key is publically
released, when is the key material it has built in no longer viable to
have successful DNSSEC validation?
The new KSK was generated at the end of October this
> On 16 Nov 2016, at 10:12, Jaap Akkerhuis wrote:
>
> Mikael Abrahamsson writes:
>
>> So if it's manufactured the day before a new key is publically released,
>> when is the key material it has built in no longer viable to have
>> successful DNSSEC validation?
>
> A
Mikael Abrahamsson writes:
> So if it's manufactured the day before a new key is publically released,
> when is the key material it has built in no longer viable to have
> successful DNSSEC validation?
A properly designed device will discover that its preconfgured trust
anchor differs from
> On Nov 16, 2016, at 18:56, Mikael Abrahamsson wrote:
>
> So if it's manufactured the day before a new key is publically released, when
> is the key material it has built in no longer viable to have successful
> DNSSEC validation?
Do the first (only) bootstrap without
On the current timeline, October 11 -> January 11 so three months.
Vendors of sealed units who ship equipment from before October 11 with
delivery held up for three months at the docks by a strike, or people
who put the sealed unit into a long-delay orbit to Mars to be turned
on by Matt Damon on
On Wed, 16 Nov 2016, George Michaelson wrote:
I feel this is a corner case. My experience with 'mom' whitegoods is
that they age out much faster than the 10+ year case. Shops do not hold
electronic goods for sale that long, if its old but unboxed, you have
taken yourself into a dark alley
I feel this is a corner case. My experience with 'mom' whitegoods is
that they age out much faster than the 10+ year case. Shops do not
hold electronic goods for sale that long, if its old but unboxed, you
have taken yourself into a dark alley deliberately. If you genuinely
were supporting your
Or your device needs an RTC...
On Wed, Nov 16, 2016 at 6:30 PM, Mikael Abrahamsson wrote:
> On Wed, 16 Nov 2016, Ted Lemon wrote:
>
>> Why would you put a device on the shelf for ten years? Is this a real
>> scenario? This is certainly a known issue that has been talked about
On Wed, 16 Nov 2016, Ted Lemon wrote:
Why would you put a device on the shelf for ten years? Is this a real
scenario? This is certainly a known issue that has been talked about at
length--the conclusion when it was discussed is that there is nothing we
can do about it, and it's relatively
I echo what Ted said. If its 'not well known' its a property of the
RFC ecology in general, that things we did know, and did document,
wind up buried in the RFC free text search.
>From memory, the specific issue was discussed across at least two
rounds of IETF, as a thing. I seem to recall Mike
Why would you put a device on the shelf for ten years? Is this a
real scenario? This is certainly a known issue that has been talked
about at length--the conclusion when it was discussed is that there is
nothing we can do about it, and it's relatively unlikely, and manually
fixable.
On Wed,
Hi,
today I have discovered something after talking to some people that know
more than I do.
Example:
I go to the store and buy two DNSSEC enabled devices that rely on DNSSEC
working for them to work.
I put one device on the network immediately and the other one on the
shelf. The one I
50 matches
Mail list logo