Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-04 Thread Aanchal Malhotra
Thanks Warren. On Fri, Aug 4, 2017 at 4:11 PM, Warren Kumari wrote: > On Thu, Aug 3, 2017 at 6:11 PM, Aanchal Malhotra wrote: > > > > > > On Thu, Aug 3, 2017 at 11:49 PM, Michael StJohns > > > wrote: > >> > >> I answered the question that you asked. > > > > > > Yes, thanks Mike. That answers m

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-04 Thread Warren Kumari
On Thu, Aug 3, 2017 at 6:11 PM, Aanchal Malhotra wrote: > > > On Thu, Aug 3, 2017 at 11:49 PM, Michael StJohns > wrote: >> >> I answered the question that you asked. > > > Yes, thanks Mike. That answers my question about the attack. It was not > clear that pre-published was synonymous with stand-

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-04 Thread Tony Finch
Aanchal Malhotra wrote: > > What I am trying to say is that we do not have a solution to this problem > without a back-up key set? ... isn't that true for all kinds of disaster recovery plans? Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Shannon, Rockall, Malin, Hebrid

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-03 Thread Aanchal Malhotra
On Thu, Aug 3, 2017 at 11:49 PM, Michael StJohns wrote: > I answered the question that you asked. > Yes, thanks Mike. That answers my question about the attack. It was not clear that pre-published was synonymous with stand-by keys. > Other people are weighing in on the root and stand by keys.

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-03 Thread Michael StJohns
I answered the question that you asked. Other people are weighing in on the root and stand by keys. Mike On 8/3/2017 5:05 PM, Aanchal Malhotra wrote: Hi Mike, On Thu, Aug 3, 2017 at 10:47 PM, Michael StJohns <m...@nthpermutation.com> wrote: On 8/3/2017 3:01 PM, Aanchal Malhot

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-03 Thread Aanchal Malhotra
Hi Mike, On Thu, Aug 3, 2017 at 10:47 PM, Michael StJohns wrote: > On 8/3/2017 3:01 PM, Aanchal Malhotra wrote: > > A DNSKEY RRset with pre-published KSK is signed by the old (now > compromised) KSK. When the resolver uses RFC 5011 for the trust anchor > update, the attacker can inject a new KSK

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-03 Thread Michael StJohns
On 8/3/2017 3:01 PM, Aanchal Malhotra wrote: A DNSKEY RRset with pre-published KSK is signed by the old (now compromised) KSK. When the resolver uses RFC 5011 for the trust anchor update, the attacker can inject a new KSK (signed by the compromised KSK). Which KSK is now the new Trust Anchor
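The scenario discussed in the two messages above (a pre-published stand-by KSK, an attacker injecting a KSK signed by the compromised KSK, and an RFC 5011 validator deciding which key ends up trusted) can be followed with a simulation of the RFC 5011 add/remove hold-down state machine. This is an added example written for this archive page; it is not code from the thread, from any participant, or from any DNS implementation. It assumes constructed key tags (1001, 2002, 6666), a timeline counted in days, and RRSIGs modelled simply as the set of key tags whose signature over the DNSKEY RRSet is taken to verify; the 30-day hold-down constants and the SEP/REVOKE flag bits are the RFC 5011 values.

```python
"""RFC 5011 trust-anchor state machine, simulated for the thread's scenario.

Added example, not from the thread or any DNS software. Signatures are the set of
key tags assumed to have produced a verifying RRSIG; time is in days.
"""
from dataclasses import dataclass

ADD_HOLD_DOWN_DAYS = 30     # RFC 5011 section 2.4.1 minimum add hold-down
REMOVE_HOLD_DOWN_DAYS = 30  # RFC 5011 section 2.4.2 remove hold-down
SEP = 0x0001                # DNSKEY Secure Entry Point flag
REVOKE = 0x0080             # DNSKEY REVOKE flag (RFC 5011 section 2.1)


@dataclass
class Dnskey:
    tag: int                # constructed key tag, not a real key
    flags: int = SEP

    @property
    def revoked(self) -> bool:
        return bool(self.flags & REVOKE)


@dataclass
class RRSet:
    keys: list              # DNSKEYs present in the published RRSet
    signers: set            # key tags whose RRSIG over the RRSet verifies (assumed)


@dataclass
class Anchor:
    state: str              # Start / AddPend / Valid / Missing / Revoked / Removed
    since: int              # day of the last state change


class Validator:
    def __init__(self, initial_tags, day=0):
        self.anchors = {t: Anchor("Valid", day) for t in initial_tags}

    def valid_tags(self):
        return {t for t, a in self.anchors.items() if a.state == "Valid"}

    def observe(self, day, rrset):
        """Process one DNSKEY RRSet; return True if it validated under a Valid anchor."""
        present = {k.tag: k for k in rrset.keys}
        # Revocation: a trusted key carrying REVOKE and self-signing the RRSet.
        for tag, a in self.anchors.items():
            k = present.get(tag)
            if k and k.revoked and tag in rrset.signers and a.state in ("Valid", "Missing"):
                a.state, a.since = "Revoked", day
        # Everything else requires a signature from a currently Valid (non-revoked) anchor.
        if not (self.valid_tags() & rrset.signers):
            return False
        for tag, k in present.items():          # NewKey: unknown SEP key -> AddPend
            if tag not in self.anchors and (k.flags & SEP) and not k.revoked:
                self.anchors[tag] = Anchor("AddPend", day)
        for tag, a in self.anchors.items():
            if a.state == "AddPend":
                if tag not in present:          # KeyRem before hold-down -> Start
                    a.state, a.since = "Start", day
                elif day - a.since >= ADD_HOLD_DOWN_DAYS:   # AddTime -> Valid
                    a.state, a.since = "Valid", day
            elif a.state == "Valid" and tag not in present:
                a.state, a.since = "Missing", day
            elif a.state == "Missing" and tag in present:
                a.state, a.since = "Valid", day
            elif a.state == "Revoked" and day - a.since >= REMOVE_HOLD_DOWN_DAYS:
                a.state = "Removed"
        return True


def states(v):
    return {t: a.state for t, a in v.anchors.items()}


def emergency_rollover_with_standby():
    """Stand-by K2 trusted before compromise; attacker's KA never leaves AddPend."""
    k1, k2, ka = Dnskey(1001), Dnskey(2002), Dnskey(6666)
    v = Validator([k1.tag])
    for day in range(0, 36, 7):                 # K2 pre-published, signed by K1
        v.observe(day, RRSet([k1, k2], {k1.tag}))
    v.observe(60, RRSet([k1, k2, ka], {k1.tag}))   # K1 compromised, KA injected
    v.observe(62, RRSet([Dnskey(k1.tag, SEP | REVOKE), k2], {k1.tag, k2.tag}))
    return states(v)


def attacker_persists_unrevoked():
    """Without revocation, KA becomes Valid once the hold-down elapses."""
    k1, k2, ka = Dnskey(1001), Dnskey(2002), Dnskey(6666)
    v = Validator([k1.tag])
    for day in range(0, 36, 7):
        v.observe(day, RRSet([k1, k2], {k1.tag}))
    for day in range(60, 100, 10):
        v.observe(day, RRSet([k1, k2, ka], {k1.tag}))
    return states(v)


def revoke_without_trusted_standby():
    """Revoking K1 while K2 is still AddPend leaves the validator with no usable anchor."""
    k1, k2 = Dnskey(1001), Dnskey(2002)
    v = Validator([k1.tag])
    v.observe(0, RRSet([k1, k2], {k1.tag}))
    v.observe(5, RRSet([Dnskey(k1.tag, SEP | REVOKE), k2], {k1.tag, k2.tag}))
    accepted = v.observe(6, RRSet([k2], {k2.tag}))
    return accepted, states(v)
```

Running the three scenarios shows the trade-off the thread circles around: with a stand-by key that completed its hold-down before the compromise, revoking the compromised KSK leaves the attacker's key stuck in AddPend and the zone can keep signing under the stand-by; without such a key, revocation leaves the validator with nothing in Valid state, so it can no longer accept any DNSKEY RRSet and needs to be re-bootstrapped out of band. The hold-down itself only buys detection time; if the compromised key is never revoked, the injected key is accepted after 30 days.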

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-03 Thread Aanchal Malhotra
On Thu, Aug 3, 2017 at 10:06 PM, Wessels, Duane wrote: > > > On Aug 3, 2017, at 12:58 PM, Aanchal Malhotra wrote: > > > > However, I still don't see how it would help in case of trust anchor/KSK > compromise. > > This is why I wrote "I don't know if you consider it a solution." > > Even so, I th

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-03 Thread Wessels, Duane
> On Aug 3, 2017, at 12:58 PM, Aanchal Malhotra wrote: > > However, I still don't see how it would help in case of trust anchor/KSK > compromise. This is why I wrote "I don't know if you consider it a solution." Even so, I think it could be useful, depending on the nature and scale of the zo

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-03 Thread Aanchal Malhotra
Hi Duane, Thanks for pointing to RFC 8145. It's a very nice mechanism to allow zone administrators to know the status of key rollover in the DNSSEC signed zone to take further decisions. However, I still don't see how it would help in case of trust anchor/KSK compromise. With RFC 8145, the zone a

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-03 Thread Warren Kumari
On Thu, Aug 3, 2017 at 3:01 PM, Aanchal Malhotra wrote: > Hi Scott, > > Thanks for the response. I have another question in that case. Please see > below. > > > On Thu, Aug 3, 2017 at 6:17 PM, Rose, Scott wrote: >> >> Hi, >> >> (800-81 author here) >> >> That needs to be updated as it was from th

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-03 Thread Aanchal Malhotra
Hi Scott, Thanks for the response. I have another question in that case. Please see below. On Thu, Aug 3, 2017 at 6:17 PM, Rose, Scott wrote: > Hi, > > (800-81 author here) > > That needs to be updated as it was from the earlier revision of 800-81. It > really should stress the use of RFC 5011

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-03 Thread Wessels, Duane
Hello Aanchal, I don't know if you consider this a solution, but you may want to take a look at RFC 8145, aka "Signaling Trust Anchor Knowledge." Per this RFC, validators can convey trust anchor contents to zone operators via periodic queries. By looking at the signal data you can see how many

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-03 Thread Rose, Scott
Hi, (800-81 author here) That needs to be updated as it was from the earlier revision of 800-81. It really should stress the use of RFC 5011 automated trust anchor update process. The first version of the doc assumed RFC 5011 was not available in the majority of implementations, which is no

Re: [DNSOP] Emergency KSK Rollover for locally secure zones.

2017-08-03 Thread Aanchal Malhotra
Dear all, May be this has been discussed long ago on the list or elsewhere. Please guide me to proper pointers, if any. Section 11.2.1 in [1] states the following for KSK rollover for *locally secure zones*: "*In rolling