

To: dnsop@cafax.se
From: Miek Gieben <miekg@nlnetlabs.nl>
Date: Wed, 11 Oct 2000 11:22:42 +0200
Sender: owner-dnsop@cafax.se
Subject: DNSSEC and child sigs

Hello,

(I've posted this on namedroppers, but was advised to repost
it on dnsop)

Should the parent keep the child's key in its zone file or
should the child keep it in its zone file or both? 

The same can be asked about the parent's sig over the child's key.

We can identify the following situations:

                            A         B       C          D
  parent has ..         |key+sig  |key+sig|   -      |key+sig  |
  child has             |key+sig  |key    |key+sig   |   -     |
  ----------------------+---------+-------+----------+---------|
1 init. parent signing  |notify?  | ok    | oob      | ok      |
                        |         |       |          |         |
2 init. child signing   | ok      | ok    | ok       | ok      |
                        |         |       |          |         |
3 parent resign         |notify?  | ok    | oob      | ok      |
                        |         |       |          |         |
4 child resign          | ok      | ok    | ok       | ok      |
                        |         |       |          |         |
5 new parent key        |notify?  | ok    | oob      | ok      |
                        |         |       |          |         |
6 new child key         |oob      | oob   | oob      | oob     |

Explanation

A)
        1) parent signs its zone and notifies the child. But what if the
           child does not react on this notify? We then have a sig clash.
        2) child signs its zone, no problem.
        3) parent signature expires and resigns. The child must be
           informed of this update. This can be done by a DNS notify,
           but see 1.
        4) child sig expires. No problem. Child resigns zone.
        5) new parent key. Child must be updated with the new SIG.
           See 1&3.
        6) new child key. Out of band communication is needed here.

B)      
        3) child doesn't have the sig, no communication needed
        5) child doesn't have the sig, no communication needed
        1+2+4+6) see A.

C)
        1) The problem here is that the sig does not exist and will not
                be put in the parent's zone, so an out of band notification
                is needed to update the child
        3) the sig has expired. How does the parent know? An out-of-band
           notification is needed to update the child.
        5) see 3.
        2+4+6) see A.

D)
        see B.
        With an added advantage that there is no duplicate information
        in DNS. The child will have the key for configuration purposes
        anyway.

It seems that D is optimal and B also ranks high, but we see
that bind9 uses either A or C. Why?

Miek Gieben
NLnet Labs


----- End forwarded message -----

-- 
/*
 * Miek Gieben - miek@miek.nl
 * www.atoom.net  www.miek.nl
 */
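An added example, not part of the post above and not code from NLnet Labs or BIND: a small Python model that encodes the post's table as three rules (my reading of the RFC 2535-era KEY/SIG setup, before DS records) and derives the six rows from them, so each "ok" / "notify?" / "oob" cell follows from who produces a record and who else serves a copy. The rule that a new child key is always out of band is an assumption taken from the post's own remark under A6; the placement names A-D and the event names are the post's.

```python
"""Rule model for where the child's KEY and the parent's SIG over it live.

Added example, not part of the original post and not code from NLnet Labs
or BIND. It encodes the post's RFC 2535-era picture (KEY/SIG records, no DS)
as three rules, my reading of the post, and derives the post's table from
them so the "ok" / "notify?" / "oob" cells follow from the rules instead of
being read off one by one.
"""
from dataclasses import dataclass

KEY, SIG = "key", "sig"          # the child's KEY and the parent's SIG over it
ZONE_SIGS = "zone sigs"          # the child's own signatures over its zone data


@dataclass(frozen=True)
class Placement:
    """Which of the two records each side publishes in its zone file."""
    name: str
    parent: frozenset
    child: frozenset


# The four columns of the post's table.
PLACEMENTS = (
    Placement("A", frozenset({KEY, SIG}), frozenset({KEY, SIG})),
    Placement("B", frozenset({KEY, SIG}), frozenset({KEY})),
    Placement("C", frozenset(),           frozenset({KEY, SIG})),
    Placement("D", frozenset({KEY, SIG}), frozenset()),
)

# The six rows: which side produces a new record, and which record changes.
EVENTS = (
    ("init. parent signing", "parent", SIG),
    ("init. child signing",  "child",  ZONE_SIGS),
    ("parent resign",        "parent", SIG),
    ("child resign",         "child",  ZONE_SIGS),
    ("new parent key",       "parent", SIG),
    ("new child key",        "child",  KEY),
)


def sync_needed(p: Placement, producer: str, record: str) -> str:
    """What the producer of a new record must do so nobody serves a stale copy."""
    if producer == "child" and record == KEY:
        # Rule 1 (assumption): the parent must obtain and authenticate a new
        # child key before it can sign it, and DNS itself cannot bootstrap that
        # trust, so this is out of band whatever the placement.
        return "oob"
    if producer == "child":
        # Rule 2: the child's own zone signatures are held by nobody else.
        return "ok"
    # Rule 3: the parent produced a new SIG over the child's KEY. Only a side
    # that also serves that SIG has to be brought up to date.
    if SIG not in p.child:
        return "ok"             # parent is the sole publisher
    if SIG in p.parent:
        return "notify?"        # both publish it: NOTIFY is possible, but see A1
    return "oob"                # only the child serves it: no in-band channel


def clash_possible(p: Placement) -> bool:
    """Two published copies of the SIG can disagree (the post's 'sig clash')."""
    return SIG in p.parent and SIG in p.child


def derive_table() -> dict:
    """Map (event, placement name) -> 'ok' / 'notify?' / 'oob'."""
    return {(event, p.name): sync_needed(p, producer, record)
            for event, producer, record in EVENTS
            for p in PLACEMENTS}


if __name__ == "__main__":
    table = derive_table()
    print(f"{'':24}" + "".join(f"{p.name:>9}" for p in PLACEMENTS))
    for event, _, _ in EVENTS:
        cells = "".join(f"{table[(event, p.name)]:>9}" for p in PLACEMENTS)
        print(f"{event:24}{cells}")
```

Running it reproduces the post's table. The point the rules make explicit: B and D come out "ok" on every parent-side event because the parent is the only publisher of the SIG, so nothing the child serves can go stale; A is the only placement where `clash_possible` is true, which is exactly the case where a NOTIFY the child ignores leaves two disagreeing SIGs in DNS; and C needs out-of-band contact for every parent-side event because the parent has no zone data of its own through which to deliver the new SIG.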

