Re: [DNSOP] DNSSEC operational issues long term

On 30 Nov 2016, at 14:49, John Levine wrote: In article you write: On Wed, 30 Nov 2016, Matt Larson wrote: Did you see my message earlier in the thread? Is there a reason you don't include a third option: retrieving the trust anchor file

Re: [DNSOP] DNSSEC operational issues long term

In article you write: >On Wed, 30 Nov 2016, Matt Larson wrote: > >> Did you see my message earlier in the thread? Is there a reason you >> don't include a third option: retrieving the trust anchor file published >> by IANA/PTI

Re: [DNSOP] DNSSEC operational issues long term

On 30 Nov 2016, at 8:00, Mikael Abrahamsson wrote: On Wed, 30 Nov 2016, Matt Larson wrote: Did you see my message earlier in the thread? Is there a reason you don't include a third option: retrieving the trust anchor file published by IANA/PTI

Re: [DNSOP] DNSSEC operational issues long term

Matt Larson wrote: > > Is there a reason you don't include a third option: retrieving the trust > anchor file published by IANA/PTI > (https://data.iana.org/root-anchors/root-anchors.xml) and validating > with the detached S/MIME signature published in the same place >

Re: [DNSOP] DNSSEC operational issues long term

On Wed, 30 Nov 2016, Matt Larson wrote: Did you see my message earlier in the thread? Is there a reason you don't include a third option: retrieving the trust anchor file published by IANA/PTI (https://data.iana.org/root-anchors/root-anchors.xml) and validating with the detached S/MIME

Re: [DNSOP] DNSSEC operational issues long term

> On Nov 16, 2016, at 5:05 AM, George Michaelson wrote: > > On the current timeline, October 11 -> January 11 so three months. > > Vendors of sealed units who ship equipment from before October 11 with > delivery held up for three months at the docks by a strike, or people

Re: [DNSOP] DNSSEC operational issues long term

son >Sent: November-16-16 8:45 PM >To: Ondřej Surý >Cc: dnsop >Subject: Re: [DNSOP] DNSSEC operational issues long term > >On Thu, 17 Nov 2016, Ondřej Surý wrote: > >> Again, you are using unfair arguments. The devices have to cope with >> that and it doesn't have

Re: [DNSOP] DNSSEC operational issues long term

Edward Lewis wrote: > > There's been a lot of research consideration of how shelved or otherwise > disconnected devices catch up. I recall 20 years ago this topic was > amongst the issues in the labs where I worked, the usual use case > involved submarines surfacing. One

Re: [DNSOP] DNSSEC operational issues long term

On Thu, 17 Nov 2016, Ondřej Surý wrote: Mikael, the operation of the root zone and signing of the root zone is in the ICANN/IANA bailiwick. Therefore most of the relevant document to the RZ DNSSEC operations can be found at https://www.iana.org/dnssec/ and the document you are most interested

Re: [DNSOP] DNSSEC operational issues long term

/ - Original Message - > From: "Mikael Abrahamsson" <swm...@swm.pp.se> > To: "Ondřej Surý" <ondrej.s...@nic.cz> > Cc: "dnsop" <dnsop@ietf.org> > Sent: Thursday, 17 November, 2016 02:45:24 > Sub

Re: [DNSOP] DNSSEC operational issues long term

- Original Message - > From: "Mikael Abrahamsson" <swm...@swm.pp.se> > To: "Ted Lemon" <mel...@fugue.com> > Cc: "dnsop" <dnsop@ietf.org> > Sent: Thursday, 17 November, 2016 01:44:59 > Subject: Re: [DNSOP] DNSSEC opera

Re: [DNSOP] DNSSEC operational issues long term

btw this is not in any sense a novel problem. Anyone who owns a Dell, and uses iDrac will be familiar with the "your certificate chain to this console java app is expired" problem. It can be fixed, but it requires effort. And alongside the crypto age-out problem, the dependency on java is

Re: [DNSOP] DNSSEC operational issues long term

Sent from my iPhone > On Nov 16, 2016, at 22:41, Bob Harold wrote: > >> This is not well thought out, but what jumps to mind is to keep a chain of >> signatures in the root DNS that links from the original KSK up through the >> current KSK (or at least the last 10

Re: [DNSOP] DNSSEC operational issues long term

On Nov 16, 2016, at 22:38, Philip Homburg wrote: >> Did you see my original response? Proposals for automatic DNSSEC trust >> anchor updating *do* exist. > > Is there any document that deals with the situation where a device has > been in a box for 10 years and then

Re: [DNSOP] DNSSEC operational issues long term

On Thu, 17 Nov 2016, Ted Lemon wrote: Embedded systems of this sort need to have a management process so that that can be updated. This is needed for more reasons than DNSSEC. Putting a ten year old device on a network without upgrading the firmware is irresponsible. We have been discussing

Re: [DNSOP] DNSSEC operational issues long term

On 11/17/16, 08:49, "Matthew Pounsett" wrote: >On 17 November 2016 at 06:57, "joel jaeggli" wrote: > >>A decade is well within the service range of all sorts embedded systems. > >Service range, sure.  But back-room storage range? The day before I flew here I took time to unbox a printer my wife

Re: [DNSOP] DNSSEC operational issues long term

In message , Dan York writes: > Mark, > > I agree that a physical solution could be a workable option (and a nice > one), BUT > > On Nov 17, 2016, at 6:46 AM, Mark Andrews > > wrote: > > Is it that hard to add

Re: [DNSOP] DNSSEC operational issues long term

;Mikael Abrahamsson" > <swm...@swm.pp.se> > Sent: Wednesday, 16 November, 2016 23:28:18 > Subject: Re: [DNSOP] DNSSEC operational issues long term > > On Nov 17, 2016, at 6:46 AM, Mark Andrews < [ mailto:ma...@isc.org | > ma...@isc.org ] > wrote: > >

Re: [DNSOP] DNSSEC operational issues long term

On 17 November 2016 at 06:57, joel jaeggli wrote: > > A decade is well within the service range of all sorts embedded systems. > Service range, sure. But back-room storage range? I agree it's an unreasonably long time to have something to sit on a shelf, never-used, and

Re: [DNSOP] DNSSEC operational issues long term

> On Nov 16, 2016, at 1:56 AM, Mikael Abrahamsson wrote: > > So if it's manufactured the day before a new key is publically released, when > is the key material it has built in no longer viable to have successful > DNSSEC validation? Since we haven't done a root KSK roll

Re: [DNSOP] DNSSEC operational issues long term

- Original Message - > From: "Emily Shepherd" <em...@emilyshepherd.me> > To: "Mikael Abrahamsson" <swm...@swm.pp.se> > Cc: "dnsop" <dnsop@ietf.org> > Sent: Wednesday, 16 November, 2016 14:26:53 > Subject: Re: [DNSOP] DNSSEC ope

Re: [DNSOP] DNSSEC operational issues long term

Mark, I agree that a physical solution could be a workable option (and a nice one), BUT On Nov 17, 2016, at 6:46 AM, Mark Andrews > wrote: Is it that hard to add a sim or sd card reader? This is the solution the cable industry uses for its crypto

Re: [DNSOP] DNSSEC operational issues long term

Embedded systems of this sort need to have a management process so that that can be updated. This is needed for more reasons than DNSSEC. Putting a ten year old device on a network without upgrading the firmware is irresponsible. On Nov 17, 2016 06:57, "joel jaeggli" wrote: >

Re: [DNSOP] DNSSEC operational issues long term

On 11/16/16 10:44 PM, Wessels, Duane wrote: > >> On Nov 16, 2016, at 10:18 PM, Mikael Abrahamsson wrote: >> >> As a whole, nobody seems to be interested in actually coming up with a >> viable solution that actually fixes peoples problems. Everybody's just >> punting the

Re: [DNSOP] DNSSEC operational issues long term

There is also the physical solution. Have removable storage for the key and update the key using this externally when reqired. Nano sims or micro sd card would be a good form factor for this. Pick a standard file name and you just have them sitting on the shelves in stores with the key date

Re: [DNSOP] DNSSEC operational issues long term

On Wed, Nov 16, 2016 at 08:41:03AM -0500, Bob Harold wrote: > > Do you have a suggestion for a solution? > > > This is not well thought out, but what jumps to mind is to keep a chain of > signatures in the root DNS that links from the original KSK up through the > current KSK (or at least the last

Re: [DNSOP] DNSSEC operational issues long term

Steve Crocker wrote: > I recall a discussion several years about having a site that > would have > all of the keys accumulated over time. A query to it would return the > current key. It's roughly analogous to using a root hints file > to find a > current root server and

Re: [DNSOP] DNSSEC operational issues long term

I recall a discussion several years about having a site that would have all of the keys accumulated over time. A query to it would return the current key. It's roughly analogous to using a root hints file to find a current root server and from that the full set of current servers. This

Re: [DNSOP] DNSSEC operational issues long term

Johan Ihren and I and Olaf had a competing ID that delt with shelf life and embedded devices w/o an easy way to update key info. RFC 5011 won out since shelf life and embedded devices were considered edge cases. /Wm On Wednesday, 16 November 2016, Tony Finch wrote: > Wessels,

Re: [DNSOP] DNSSEC operational issues long term

Wessels, Duane wrote: > > I don't think its possible to have a solution that works for devices on > the shelf for an arbitrarily long time. You posed the problem as 10 > years, which I think is an unrealistically long time. > > You could probably have a useful discussion

Re: [DNSOP] DNSSEC operational issues long term

Looks like someone else thought of it already: https://tools.ietf.org/html/draft-wijngaards-dnsext-trust-history-03 Thanks to Jaap for that info. Someone will probably point out that using keys for a long time increases the chances that someone can break them, But in this case I think it is

Re: [DNSOP] DNSSEC operational issues long term

On Wed, 16 Nov 2016, Bob Harold wrote: This is not well thought out, but what jumps to mind is to keep a chain of signatures in the root DNS that links from the original KSK up through the current KSK (or at least the last 10 years). Perhaps a different record type, so it is only sent if

Re: [DNSOP] DNSSEC operational issues long term

Philip Homburg writes: > >Did you see my original response? Proposals for automatic DNSSEC trust > >anchor updating *do* exist. > > Is there any document that deals with the situation where a device has > been in a box for 10 years and then has to bootstrap automatically? > > I'm not

Re: [DNSOP] DNSSEC operational issues long term

> On Nov 16, 2016, at 10:18 PM, Mikael Abrahamsson wrote: > > As a whole, nobody seems to be interested in actually coming up with a viable > solution that actually fixes peoples problems. Everybody's just punting the > problem elsewhere or waving their hands and says "not

Re: [DNSOP] DNSSEC operational issues long term

On Wed, Nov 16, 2016 at 8:30 AM, Dan York wrote: > > On Nov 16, 2016, at 10:18 PM, Mikael Abrahamsson wrote: > > As a whole, nobody seems to be interested in actually coming up with a > viable solution that actually fixes peoples problems. Everybody's just >

Re: [DNSOP] DNSSEC operational issues long term

>Did you see my original response? Proposals for automatic DNSSEC trust >anchor updating *do* exist. Is there any document that deals with the situation where a device has been in a box for 10 years and then has to bootstrap automatically? I'm not aware of any. But maybe there is. Note that by

Re: [DNSOP] DNSSEC operational issues long term

On Nov 16, 2016, at 10:18 PM, Mikael Abrahamsson > wrote: As a whole, nobody seems to be interested in actually coming up with a viable solution that actually fixes peoples problems. Everybody's just punting the problem elsewhere or waving their hands

Re: [DNSOP] DNSSEC operational issues long term

Ted Lemon wrote: > Why would you put a device on the shelf for ten years? The failure occurs if a device is on the shelf for the wrong 6 months (second half of 2017) and this is a completely reasonable length of time to hold stock. > This is certainly a known issue that has

Re: [DNSOP] DNSSEC operational issues long term

On Wed, Nov 16, 2016 at 10:56:35AM +0100, Mikael Abrahamsson wrote: So if it's manufactured the day before a new key is publically released, when is the key material it has built in no longer viable to have successful DNSSEC validation? The new KSK was generated at the end of October this

Re: [DNSOP] DNSSEC operational issues long term

> On 16 Nov 2016, at 10:12, Jaap Akkerhuis wrote: > > Mikael Abrahamsson writes: > >> So if it's manufactured the day before a new key is publically released, >> when is the key material it has built in no longer viable to have >> successful DNSSEC validation? > > A

Re: [DNSOP] DNSSEC operational issues long term

Mikael Abrahamsson writes: > So if it's manufactured the day before a new key is publically released, > when is the key material it has built in no longer viable to have > successful DNSSEC validation? A properly designed device will discover that its preconfgured trust anchor differs from

Re: [DNSOP] DNSSEC operational issues long term

> On Nov 16, 2016, at 18:56, Mikael Abrahamsson wrote: > > So if it's manufactured the day before a new key is publically released, when > is the key material it has built in no longer viable to have successful > DNSSEC validation? Do the first (only) bootstrap without

Re: [DNSOP] DNSSEC operational issues long term

On the current timeline, October 11 -> January 11 so three months. Vendors of sealed units who ship equipment from before October 11 with delivery held up for three months at the docks by a strike, or people who put the sealed unit into a long-delay orbit to Mars to be turned on by Matt Damon on

Re: [DNSOP] DNSSEC operational issues long term

On Wed, 16 Nov 2016, George Michaelson wrote: I feel this is a corner case. My experience with 'mom' whitegoods is that they age out much faster than the 10+ year case. Shops do not hold electronic goods for sale that long, if its old but unboxed, you have taken yourself into a dark alley

Re: [DNSOP] DNSSEC operational issues long term

I feel this is a corner case. My experience with 'mom' whitegoods is that they age out much faster than the 10+ year case. Shops do not hold electronic goods for sale that long, if its old but unboxed, you have taken yourself into a dark alley deliberately. If you genuinely were supporting your

Re: [DNSOP] DNSSEC operational issues long term

Or your device needs an RTC... On Wed, Nov 16, 2016 at 6:30 PM, Mikael Abrahamsson wrote: > On Wed, 16 Nov 2016, Ted Lemon wrote: > >> Why would you put a device on the shelf for ten years? Is this a real >> scenario? This is certainly a known issue that has been talked about

Re: [DNSOP] DNSSEC operational issues long term

On Wed, 16 Nov 2016, Ted Lemon wrote: Why would you put a device on the shelf for ten years? Is this a real scenario? This is certainly a known issue that has been talked about at length--the conclusion when it was discussed is that there is nothing we can do about it, and it's relatively

Re: [DNSOP] DNSSEC operational issues long term

I echo what Ted said. If its 'not well known' its a property of the RFC ecology in general, that things we did know, and did document, wind up buried in the RFC free text search. >From memory, the specific issue was discussed across at least two rounds of IETF, as a thing. I seem to recall Mike

Re: [DNSOP] DNSSEC operational issues long term

Why would you put a device on the shelf for ten years? Is this a real scenario? This is certainly a known issue that has been talked about at length--the conclusion when it was discussed is that there is nothing we can do about it, and it's relatively unlikely, and manually fixable. On Wed,

[DNSOP] DNSSEC operational issues long term

Hi, today I have discovered something after talking to some people that know more than I do. Example: I go to the store and buy two DNSSEC enabled devices that rely on DNSSEC working for them to work. I put one device on the network immediately and the other one on the shelf. The one I