On 21 Sep 2018, at 12:16, Eric Osterweil wrote:
Hi Marc,
Sorry, jumping back to this (even though there have been a few follow on emails)
On Sep 21, 2018, at 11:12 AM, Marc Blanchet <marc.blanchet@viagenie.ca> wrote:
On 21 Sep 2018, at 11:05, Eric Osterweil wrote:
I think the setting of this discussion is missing some key elements: the DNS Root KSK is a global root of trust. The extent to which we build on that is the extent to which software will need for this key to be well known, knowable, and learnable. As the frequency of its rollover increases, so too does the probability that software will have out of date keys (especially I the context of hyperlocal roots). If you factor DANE in, that root has even more importance to end-user perception. I think it needs to be a top priority to ensure that DNS Relying Party (RP) software knows how to maintain the current key, keep up with rollovers, and re-bootstrap when it loses the correct key (a failure mode that software absolutely will experience). As of now, I don’t think we have more than a few nascent ideas about how to handle this.
right but: - people are lazy: until there are real events (KSK rollover), they will not care or prepare. Therefore, we must have rollover enough frequent so people do act.
I would argue that we can (and should) do some more (tooling, analysis, etc.) to give them the ability to keep not caring without having to turn DNSSEC off altogether because it gives them a bad day. I strongly fear that those serious operators who opt to turn DNSSEC off will decide not to turn it back on again. All of this is in the context of comments above that DNSSEC is being used for, and able to be extended, for a lot of security protections beyond just DNSSEC itself.
yeap. agree. people are lazy. so some of them will just turn it off (and other priorities come by and never take time to put it back). I’ve managed provider networks and I can see that. sadly.
- there are mechanisms to help/automate rollover, such as RFC5011, which shall fit with most use cases.
Happy to have a discussion about this (here or elsewhere), but I worry that the 5011 mechanism might need more evaluation against threat models, and subsequent enhancements.
sure. but to me « good enough » for a lot of use cases.
As Ray brought up in a later comment on this, 5011 doesn't handle re-bootstrapping.
- for the use cases/reasons people not use RFC5011, then it is like any manual configuration management: you take the responsability to put whatever process in your org to handle that case, since you are aware that you are taking the manual route.
I definitely don’t think that’s sufficient. For real security concerns, I don’t think we can leave things at laissez faire.
laissez faire is not what I wrote. Some people prefer (for a lot of reasons, including security assessments and risks) to do manual. I’m just saying this is the reality and in that context, they have to take the responsability to do it « right ». Marc.
Eric
my 2c
Marc.
Just my 0.02,
Eric
On Sep 18, 2018, at 9:39 AM, Mark Elkins <mje@posix.co.za> wrote:
I agree with the sentiment that there should be a "regular" KSK Key roll-over - probably once every five years (though I roll my KSK's once a year).
However, I would agree that it first makes sense for this roll-over to complete first - along with some research to understand any mishaps.
Regarding people reaching out to their own communities - anyone got an outline of what such a communication would contain? In South Africa, up to 50% of lookups are via DNSSEC aware recursive resolvers according to https://stats.labs.apnic.net/dnssec - so this would seem like a worth while exercise.
On 09/18/2018 02:46 PM, Lars-Johan Liman wrote:
I agree too.
I think we should set an "intense" schedule (twice per year? once per year?) _beforehand_, to send the message that "there is no relief after this, there is only more pain ahead ... unless you automate!" to the DNS software community. There must be no way to hardcode the KSK in code. This will continue to be this painful until that message is received and understood.
Cheers, /Liman
kolkman@isoc.org:
I agree with Michael, albeit I would phrase it slightly differently: Rolling the key regularly is a strategic choise and makes a keyroll an operational reality. How regular (or how frequent) is a tactic. Whether That is yearly, no monthly or once half a decade is a tactic that takes into account some of our learnings. I would really like to see that strategic position being explicit.
Olaf. ---- Composed on mobile device, with clumsy thumbs and unpredictable autocorrect. ________________________________ From: ksk-rollover <ksk-rollover-bounces@icann.org> on behalf of Michael StJohns <msj@nthpermutation.com> Sent: Tuesday, September 18, 2018 5:04:31 AM To: Matt Larson Cc: ksk-rollover@icann.org Subject: Re: [ksk-rollover] ICANN board meeting result and the Current status of KSK-Rollover On 9/17/2018 3:57 PM, Matt Larson wrote: > The answer I've given when people ask this question is that we > need to > get through the first rollover and analyze how it goes before we > can > discuss subsequent rollovers. One can imagine that how the first > rollover goes could have a material effect on the timing of the > next one. This seems like a bad approach given how that we currently have interest and opportunity in the roll-over that could catalyze planning for a second roll. This does not - and should not - need to be single threaded. AFAICT, you're going to know most everything you need to know a few seconds to a few days after you stop signing the the old key. So - I suggest you pick a date now. Start planning for the next roll now. If your post analysis shows a problem - adapt and overcome and adjust the dates if you need to. It's hard to hit a target if you don't put it on calendar. Later, Mike
_______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org https://mm.icann.org/mailman/listinfo/ksk-rollover _______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org https://mm.icann.org/mailman/listinfo/ksk-rollover
ksk-rollover mailing list ksk-rollover@icann.org https://mm.icann.org/mailman/listinfo/ksk-rollover
-- Mark James ELKINS - Posix Systems - (South) Africa mje@posix.co.za Tel: +27.128070590 Cell: +27.826010496 For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
_______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org https://mm.icann.org/mailman/listinfo/ksk-rollover
_______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org <mailto:ksk-rollover@icann.org> https://mm.icann.org/mailman/listinfo/ksk-rollover <https://mm.icann.org/mailman/listinfo/ksk-rollover>