DNSSEC mailing list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Dan Massey <masseyd@isi.edu>, Ted.Lindgreen@tednet.nl
Cc: dnssec@cafax.se
From: ted@tednet.nl (Ted Lindgreen)
Date: Thu, 19 Apr 2001 11:14:42 +0200
Delivery-Date: Thu Apr 19 20:30:46 2001
In-Reply-To: "Dan Massey's message as of Apr 18, 20:59"
Reply-To: Ted.Lindgreen@tednet.nl
Sender: owner-dnssec@cafax.se
Subject: Re: Keys at apex problem

[Quoting Dan Massey, on Apr 18, 20:59, in "Re: Keys at apex pro ..."]

> On Wednesday, April 18, 2001 at 04:20PM, Ted Lindgreen wrote:
   <which KEY is used where>
...
> I've tried to walk through this from the resolvers point of view, 
> The only real result is that now I have a headache...
> 
> This sort of intersects with how a resolver works discussion and  I
> think the answer is different depending on whether the resolver
> uses trusted keys (option A) or TSIG (option B).

I don't think so, but a agree it is very confusing, because
the definitions are'nt clear.
Let's first make some definitions (not sure if these are
the correct ones, but please bear with me):

   stub-resolver  <------->  cachingforwarder  <------->  Internet-at-large
   |                                        |
   |________________________________________|
	           Resolver

Now, the TSIG issue and the various options, are about how the
stub-resolver and the cachingforwarder deal with each other.
There are various possibilities here, and further complication
is caused by the the cachingforwarder perhaps being authoritive
for something the stub-resolver wants. Hmmm, I understand your
headache...

What I tried to say earlier, was how I think the "Resolver" should
behave in case of multiple SIGs and KEYs. Let's redo it briefly:

 - someone wants the ssh-KEY of east.isi.edu.
 - the Resolver goes topdown (from its closest "secure entry point",
   let's say it is the root, but see also below), but of course
   using its cache as much as possible.
 - the Resolver knows root is secured, finds a delegation for .edu,
   finds and checks the .edu zoneKEY, sees this is a real KEY so
   .edu is secured. It then finds a delegation for isi.edu, same
   story. Then, it finds again a delegation for east.isi.edu,
   again same story.
 - At this point, the Resolver knows 3 things:
   1. the zone east.isi.edu is secured.
   2. the zoneKEY of east.isi.edu.
   3. there is no further delegation towards the requested RR.
 - So now, the Resolver gets the requested RR plus its SIG
   and checks it against the zoneKEY of the zone where the RR
   is found.

Remark about ""secure entry point": we know that neither root,
nor .edu is secured currently, but isi.edu is. That changes
the above a little bit:
 - the Resolver, which is secure aware and preconfigured with
   the KEY of isi.edu, starts checking SIGs from there instead
   of from the root.

Now between stub-resolver (your laptop) and IETF conference
cachingforwarder.

Option B assumes:
 1. you trust the IETF conference cachingforwarder.
 2. you can use TSIG to be sure you talk with this
    server, and not some faked one.
 In this case, your laptop (stub-resolver) is just asking
 for ssh-KEY of east.isi.edu with CD clear. The IETF
 conference cachingforwarder is doing all the work above
 and gives you back the requested RR with AD set.
 (ALternatively, you could also use your trusted cachingforwarder
 backhome using exactly the same protocol. Easier to setup, perhaps
 trustworthier, but cause a bit of extra traffic).

Option B assumes:
 1. you trust nobody.
 2. your laptop stub-resolver has a secure entrypoint
    preconfigured.
 In this case, your laptop stub-resolver must do the checking
 walkdown, but can be using the cached info from the IETF
 conference cachingforwarder. Because your laptop stub-resolver
 is checking itself it can set the CD and ignore the AD bit from
 the cachingforwarder.

>  .... Consider this 
> scenario:

I think with the above both scenarios can be filled in, as
long you keep the order in mind:
1. find out which zone is authoritive for the requested RR.
   (in practice: look for NS RRs)
2. find out whether this zone is secured
   (by getting and checking the zoneKEY).
3. then get RR and SIGs check the SIG from that zoneKEY (and
   ignore any other SIGs).

> In my opinion, 
> "KEYs other than zone KEYs MUST not be stored at apex of a zone"
> keeps looking better.  

I tend to agree more and more with this. But also the idea of using
KEY RR for zoneKEYs exclusively (and use an other RR type for
anything else) looks appealing.

Regards,
-- Ted.

Prev by Date: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
Next by Date: Re: Keys at apex problem
Prev by thread: Re: Keys at apex problem
Next by thread: Re: Keys at apex problem
Index(es):
- Date
- Thread

Home | Date list | Subject list