Re: Dynamic update, signed zones, and DS/Opt-in

[Michael Richardson <mcr@sandelman.ottawa.on.ca>]

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Loomis" == Loomis, Rip <GILBERT.R.LOOMIS@saic.com> writes:
    Loomis> All-- Is anyone on this list actively looking at how to
    Loomis> operationally deal with dynamic update of DNS information in
    Loomis> signed zones?  (I'm assuming secure dynamic update, protected
    Loomis> either with TSIG or GSS-TSIG).  Yes, I've just re-read
    Loomis> http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html and the
    Loomis> relevant RFCs.

  The major operational issues that I have are issues with being unable
to edit the zone file properly. bind9, when it writes out the zone file,
writes out the .signed file, which then gets whiped out again. That is
currently keeping me from doing dynamic update more often.

    Loomis> The breakdown right now still seems to be that if I want to be
    Loomis> able to update my zone, and I want the zone to remain signed
    Loomis> more-or-less in its entirety, then I must have a zone signing key
    Loomis> online.  For a lot of reasons, I've been trying to avoid having
    Loomis> such keys online in the policy documents I've been writing for a
    Loomis> particular set of users.

  Understood. For now, I'm keeping the key online. Having a master
server which is not net accessible, but to which the secondaries can talk
(perhaps over IPsec) seems like the best idea, but I haven't seen that work
with dynupd yet, although it is supposed to.

    Loomis> It seems that the potential additions of DS and opt-in might make
    Loomis> things easier as follows: - With DS, I could use two keys--one to
    Loomis> appear in the parent DS record (and to be kept off-line for
    Loomis> higher assurance and rarely changed) and a second for the actual
    Loomis> zone signing (which I would allow to be online but which would

  I didn't know that DS made this possible.
  I'm not really clear what it will mean to a client to see one signature
and not the other.

    Loomis> - With opt-in on each record (which I was previously against, but
    Loomis> which is at least a possibility), I could allow dynamic hosts to
    Loomis> opt-out...so that I could secure the "main" records in a zone but
    Loomis> allow mobile/dynamic update folks to change their data without

  I think that dyndns is only interesting if the results are then signed.

    Loomis> Neither of the above items is a wonderful perfect solution, but
    Loomis> the intersection of "dynamic update" and "DNSSEC signed zones" is
    Loomis> an ugly one that Win2K is making a little uglier for me right
    Loomis> now.  It's especially annoying because some folks seem to think
    Loomis> that a flat namespace is a requirement, and that $large_number of
    Loomis> Win2K boxes should each have entries in a single zone
    Loomis> "place.company.com" so that they can logon to a single Win2K AD
    Loomis> domain.  Try as I might, I haven't been able to convince them

  secure-ddns-howto suggests that you put CNAMEs in place.company.com
pointing at place.dyndns.company.com, and only permit updates to
dyndns.company.com. You can just have an unsigned, or a weakly signed (key
online) zone for dyndns.company.com.
  I have been meaning to do this. 

  The lack of good support for following CNAMEs for other than PTRs have
stopped us from doing this for the reverse map.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPW02H4qHRg3pndX9AQFa4gP9E5kL7YNasmMFUv/WdPo9BGJAVYZXuDrK
a4E5VhJgyYfk1rSM8uoS4b7GBNpXsBPRsQv1EoSbB6cdNZtHdE076jAlD6TzSUry
vnLX+HYdSKJSUCrvko7gE5KovSqAXVyP+c97fTsx5AmHqDHADKFGED5ydLaGYHJj
TRg7Y8C/akQ=
=ZJlW
-----END PGP SIGNATURE-----