RE: Do any DNSEXT participants care about TAK rollover security?
> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org
> [mailto:owner-namedroppers@ops.ietf.org]On Behalf Of Thierry Moreau
>
> Thus, the question is whether any DNSEXT participants care about
> security. I suggest that those who do, if any, should speak up now.
>
FWIW, I care. I don't know if TAK is the best solution for deployment
however. My main concern is unfortunately more administrative than
technical. It mainly concerns the pre-generation of keys and the dead
storage.
I can imagine a zone could generate all the operational keys it believes it
needs, but that means zone admins have to be good at predicting the future -
both key sizes and changes in algorithms. Or a worst case scenario - a
weakness is found in either a key algorithm or the MASH algorithm used with
the scheme.
In these cases, it seems the only option is to restart the process from the
beginning and have every validator obtain the new information (keys, hashes,
etc). Much like an emergency rollover, but any validator offline for an
extended period of time may miss this notice and lose track of the new
rollover list.
The concept of dead storage is good, but adds additional complexity to any
zone that changes administrative entities (say, a contractor operating the
zone for one year, then losing the contract to another entity). Note: I
realize this isn't a technical comment, but for some zones (the root and
TLDs), technical problems are sometimes secondary to administrative ones.
I realize that these concerns may be FUD (I haven't thought it all through),
but these are the drawbacks I saw that other proposals lacked. If I am
totally off base (which is possible), please elaborate.
Scott
> Incidentally, outside of the IETF, there might be some voices calling
> for the criticalness of security in the DNSSEC overall solution (e.g.
> the presentation made by Maria Zitkova about DNSSEC deployment in the
> .aero sponsored TLD for the airline industry,
> http://www.icann.org/meetings/marrakech/captioning-DNSSEC-28jun06.htm).
>
> So, I'm in Montreal next week during the IETF 66 meeting, but I'm still
> skeptical about DNSEXT's ability to address the automated TAK rollover
> issue in a productive way. In any event, enjoy your stay in this
> marvelous city at the right time of the year!
>
> Regards,
>
> --
>
> - Thierry Moreau
>
> CONNOTECH Experts-conseils inc.
> 9130 Place de Montgolfier
> Montreal, Qc
> Canada H2M 2A1
>
> Tel.: (514)385-5691
> Fax: (514)385-5900
>
> web site: http://www.connotech.com
> e-mail: thierry.moreau@connotech.com
>
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
>