To: Bill Manning <bmanning@isi.edu>, dnssec@cafax.se
From: Edward Lewis <edlewis@arin.net>
Date: Tue, 15 Oct 2002 12:03:21 -0400
In-Reply-To: <200210151543.g9FFhfI12082@boreas.isi.edu>
Sender: owner-dnssec@cafax.se
Subject: Re: troubleshooting...
At 8:43 -0700 10/15/02, Bill Manning wrote:
> is this realistic?

No.

Oh, perhaps you would like a reason.

Signature validity time and the serial number live in two different design spaces. Signature validity time is first driven by two security concepts - cryptographic lifetime and the limitation (in duration) of the impact of an attack. Serial number is an ingredient in two things - database coherency and availability - the mixture is because it crosses between the two, because it is an enabler for the usefulness of multiple authoritative servers.

Although the temptation is to string together these concepts, doing so is a first step into (yet another) complication of the relationships of the architectural components of DNS.

If a slave realizes that signatures are expiring, this might heuristically be used to fetch a new copy from the master regardless. Sounds like a good implementation idea - but I'd be careful architecturally. Perhaps the above check is beneficial, but don't let a security feature (sig validity) usurp a base (serial number) feature.

On the other hand, perhaps we need to simplify the signature validity period setting by using the zone expiration timer in the SOA as part of the automatic input to the period's setting.

And from the thought heap of uncollated reasons why this, too, is a bad idea:

If the master reloads without updating the serial number, we'll have a master and slave agreeing on serial number and not contents. This is broken; let's not further the damage along by "covering it up."

Using signature validity periods to mark the newness of data isn't very reliable. It might be that the periods are shortened reversibly in advance of a major change in something.

At 8:43 -0700 10/15/02, Bill Manning wrote:
> with the existent tools, there is the possibility that one may
> resign a zone w/o changing the serial number.
>
> one of the common troubleshooting methods is to ensure that
> all authoritative servers have the same serial number.
>
> in this case, the serial number is the same, it's the signatures
> that are distinct. My current thought is to check the expiration
> time of the signatures to detect variance in zones, and not
> depend on a difference between serial numbers.
>
> is this realistic?
>
> --
> --bill

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-703-227-9854 ARIN Research Engineer
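The failure mode both messages describe (a zone re-signed on the master without a serial bump, so every authoritative server reports the same SOA serial while their RRSIGs differ) can be surfaced by running the two checks side by side rather than letting one replace the other. The script below is an added example written for this archive page, not code from either author or from any DNS implementation; the server names, zone name, serials and RRSIG values are constructed placeholders, and the snapshots stand in for what a monitor would collect by querying each server. It keeps the serial comparison as the primary check and reports signature divergence only as a secondary finding among servers that already agree on the serial, which matches Lewis's point that signature validity should not usurp the serial's role.

```python
"""Compare SOA serials and RRSIG expirations seen on several authoritative
servers for one zone, and flag the case where serials agree but signatures
do not. All data here is constructed for the example (hypothetical servers,
zone and signature values), not real DNS answers."""
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical per-server snapshots. Each RRSIG is reduced to the two fields
# that matter for the check: expiration (RFC 4034 YYYYMMDDHHmmSS text form)
# and an opaque stand-in for the signature bytes.
SNAPSHOTS = {
    "ns1.example.test": {
        "serial": 2002101501,
        "rrsigs": {
            ("example.test.", "SOA"): ("20021115120000", "sig-A"),
            ("www.example.test.", "A"): ("20021115120000", "sig-B"),
        },
    },
    "ns2.example.test": {
        "serial": 2002101501,  # same serial as ns1, but re-signed earlier
        "rrsigs": {
            ("example.test.", "SOA"): ("20021101120000", "sig-C"),
            ("www.example.test.", "A"): ("20021101120000", "sig-D"),
        },
    },
    "ns3.example.test": {
        "serial": 2002101500,  # stale serial: the ordinary check catches this
        "rrsigs": {
            ("example.test.", "SOA"): ("20021101120000", "sig-C"),
            ("www.example.test.", "A"): ("20021101120000", "sig-D"),
        },
    },
}


def parse_rrsig_time(stamp):
    """Turn an RRSIG expiration field into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def serial_groups(snapshots):
    """Group servers by SOA serial: the classic troubleshooting check."""
    groups = defaultdict(list)
    for server, snap in snapshots.items():
        groups[snap["serial"]].append(server)
    return {serial: sorted(servers) for serial, servers in groups.items()}


def signature_divergence(snapshots):
    """Among servers sharing a serial, find RRsets whose RRSIGs differ.

    Returns {serial: {(owner, type): {server: (expiration, sig) or None}}}
    containing only RRsets on which at least two servers disagree.
    """
    result = {}
    for serial, servers in serial_groups(snapshots).items():
        if len(servers) < 2:
            continue
        rrsets = set()
        for server in servers:
            rrsets.update(snapshots[server]["rrsigs"])
        for rrset in sorted(rrsets):
            seen = {s: snapshots[s]["rrsigs"].get(rrset) for s in servers}
            if len(set(seen.values())) > 1:
                result.setdefault(serial, {})[rrset] = seen
    return result


def report(snapshots):
    """Combine both checks into a list of findings, serial check first."""
    findings = []
    groups = serial_groups(snapshots)
    if len(groups) > 1:
        findings.append("serial mismatch: " + ", ".join(
            f"{serial} on {' '.join(servers)}"
            for serial, servers in sorted(groups.items())))
    for serial, rrsets in signature_divergence(snapshots).items():
        for (owner, rtype), seen in rrsets.items():
            exps = {s: (v[0] if v else "missing") for s, v in seen.items()}
            findings.append(
                f"serial {serial} agrees but RRSIG for {owner} {rtype} differs: "
                + ", ".join(f"{s} expires {e}" for s, e in sorted(exps.items())))
    return findings


if __name__ == "__main__":
    for line in report(SNAPSHOTS):
        print(line)
```

Run as-is it prints one line for the stale serial on ns3 and one line per RRset where ns1 and ns2 disagree despite the shared serial. The expiration times are reported, not ranked: as the thread notes, an earlier expiration does not by itself say which copy is newer, so the operator is pointed at the master-reload-without-serial-bump condition rather than given a guess about which server is right.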