To:
"'Johan Ihren'" <johani@autonomica.se>
Cc:
dnsop@cafax.se
From:
"Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>
Date:
Wed, 23 Oct 2002 15:33:18 -0400
Sender:
owner-dnsop@cafax.se
Subject:
draft-ihren-dnsop-interim-signed-root-00.txt
Johan-- I started out to write comments on specific technical issues or possible clarifications of the draft, but I discovered that I had more fundamental questions to ask first. [KSK=Key Signing Key, and ZSK=Zone Signing Key in my notes below.] =-=-=-= Right now, to my knowledge, there is a single hidden master that all the roots obtain the zone from (AXFR+TSIG); it is also possible to download the root zone file with a detached signature. In both cases, there are fallback methods that may require a human-in-the-loop but which minimize the "single point of failure" issue. In the scheme you describe in the draft, you state that you are trying to eliminate single points of failure, but I'm not clear that the proposed scheme makes things better. For one thing, it appears that the proposed usage of the RIRs with respect to ZSKs doesn't really add anything to the security/reliability of the overall system. You state, "The RIRs should all perform the task of generating individual key-signing keys and signing the "keyset". However, only one keyset should be included in the signed zone file." I assume the former requirement is to ensure that all the RIRs are familiar with the procedure. However, what's the benefit here? If, in the final operational configuration, the root zone KSK would be expected to have a long lifetime (on the order of 13 - 36 months based on various discussions), then it's probably impossible to have multiple organizations that can generate/field a KSK *and* remember how to do it the next time it's their "turn" (I'm assuming you want to round-robin between RIRs.) This also brings up potential issues with different RIRs using different methods to protect the all-important private portion of the KSK public/private pair. In the end, I'm not convinced that there needs to be more than one organization involved in the KSK generation/fielding. It does need to be done well, and I admire your intent to remove single points of failure--but there's also such a thing as "learn to do something well, and then keep doing it well" instead of each RIR re-learning the process every several years. I think there only needs to be one entity generating/fielding/managing protecting KSKs--there need to be many distribution media to remove the single point of failure issue, and there probably does need to be some off-site secure backup of the KSK pair. (If that one entity gets physically destroyed and there *is* no backup of the KSK pair, the process of generating a new KSK pair is actually not that challenging but the recovery method to get the new trusted-key deployed would be painful.) If your scheme is simplified to a single point of origin (and multiple distribution channels) for the KSK, then it might actually work. I would strongly prefer to avoid even a pretense of "online while-you-wait" re-signing of the root zone with new ZSKs, though. As you state in the draft, "every change [to the root zone] is preceded by an administrative process that takes several days." There's no reason why that very deliberate process can't also include the action of signing the zone with the current ZSK(s) off-line prior to placing the zone on the hidden master. I'm not sure what the "signing primaries" bring to the mix, other than another level of complexity *and* online while-you-wait signing. Neither of those seems to be a Good Thing to me. If the goal is to run a signed root hierarchy in parallel with the "real" one, then a "signing primary" might make sense, but I think there already is such a testbed--and the root zone for such a testbed would differ from the "real" root zone anyway. I may have missed something in the focus of your draft--I do strongly (if it wasn't obvious) support getting the root signed, but I'm not sure that this is the right way to do the interim scheme. I'm writing operational procedures for a TLD to begin its signing (for testing, obviously) and I had not contemplated anything so complex. Please let me know if there are other behind-the-scenes reasons why your scheme is set up this way, but as it stands I would recommend against it. Please let me know if there's anything unclear in my rambling above, or any other questions I can help answer. Very Respectfully, -- Rip Loomis Senior Systems Security Engineer SAIC Secure Business Solutions Group #---------------------------------------------------------------------- # To unsubscripbe, send a message to <dnsop-request@cafax.se>.