Skip to main content

Automated Updates of DNS Security (DNSSEC) Trust Anchors
draft-ietf-dnsext-trustupdate-timers-06

Revision differences

Document history

Date Rev. By Action
2012-08-22
06 (System) post-migration administrative database adjustment to the No Objection position for Tim Polk
2007-07-19
06 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2007-07-19
06 (System) IANA Action state changed to Waiting on RFC Editor from Waiting on Authors
2007-07-17
06 (System) IANA Action state changed to Waiting on Authors from In Progress
2007-07-13
06 Amy Vezza State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza
2007-07-13
06 (System) IANA Action state changed to In Progress
2007-07-12
06 Amy Vezza IESG state changed to Approved-announcement sent
2007-07-12
06 Amy Vezza IESG has approved the document
2007-07-12
06 Amy Vezza Closed "Approve" ballot
2007-07-12
06 Amy Vezza State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Amy Vezza
2007-07-12
06 Mark Townsley [Note]: 'Approved.' added by Mark Townsley
2007-07-05
06 Tim Polk [Ballot Position Update] Position for Tim Polk has been changed to No Objection from Undefined by Tim Polk
2007-07-05
06 Tim Polk [Ballot Position Update] Position for Tim Polk has been changed to Undefined from Discuss by Tim Polk
2007-05-25
06 (System) Removed from agenda for telechat - 2007-05-24
2007-05-24
06 Amy Vezza State Changes to IESG Evaluation::AD Followup from IESG Evaluation by Amy Vezza
2007-05-24
06 Cullen Jennings [Ballot Position Update] New position, No Objection, has been recorded by Cullen Jennings
2007-05-24
06 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded by Jari Arkko
2007-05-24
06 Jon Peterson [Ballot Position Update] New position, No Objection, has been recorded by Jon Peterson
2007-05-24
06 Lars Eggert [Ballot Position Update] New position, No Objection, has been recorded by Lars Eggert
2007-05-23
06 Ross Callon [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon
2007-05-23
06 Ron Bonica [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica
2007-05-23
06 Sam Hartman [Ballot Position Update] Position for Sam Hartman has been changed to Yes from Discuss by Sam Hartman
2007-05-23
06 Sam Hartman [Ballot Position Update] New position, Discuss, has been recorded by Sam Hartman
2007-05-23
06 Lisa Dusseault [Ballot Position Update] New position, No Objection, has been recorded by Lisa Dusseault
2007-05-22
06 Russ Housley
[Ballot comment]
In his SecDir Review, Stefan Santesson said:
  >
  > This document introduce a rule set for revocation of a DNS key …
[Ballot comment]
In his SecDir Review, Stefan Santesson said:
  >
  > This document introduce a rule set for revocation of a DNS key
  > where revocation of that key requires use of the corresponding
  > private key.  This raises a question how you revoke a key that
  > may be compromised but where the private key has been lost. Is
  > there a non-recoverable security risk involved if a vital key
  > can't be revoked due to such situation?
  >
  The security considerations ought to discuss this point.  It already
  says that a non-compromised key is needed to recover.  However it
  does not say anything about the situation where a hardware module
  fails that contains the private key.  It is not compromised, but
  no one can make use of it.  (I'm ignoring backup of keys for
  simplicity.  I think the author will still understand the point.)
2007-05-22
06 Russ Housley [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley
2007-05-22
06 Magnus Westerlund [Ballot Position Update] New position, No Objection, has been recorded by Magnus Westerlund
2007-05-21
06 Dan Romascanu [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu
2007-05-18
06 Tim Polk
[Ballot discuss]
The key roll-over process described in section 6.3 results in a trust point with a single active
key  ('B') and no stand-by key …
[Ballot discuss]
The key roll-over process described in section 6.3 results in a trust point with a single active
key  ('B') and no stand-by key until the hold-down expires for the new key ('C').  Wouldn't it
be more prudent to revoke the old key ('A') after the add hold-down expires for the new key?

To meet the requirement for "Non-degrading trust" (as defined in Section 5.13 of
dnsext-rollover-requirements), new stand-by keys should be at least as strong as as the
current active keys.  This should be noted briefly in the security considerations section.
2007-05-17
06 Tim Polk
[Ballot discuss]
The key roll-over process described in section 6.3 results in a trust point with a single active
key  ('B') and no stand-by key …
[Ballot discuss]
The key roll-over process described in section 6.3 results in a trust point with a single active
key  ('B') and no stand-by key until the hold-down expires for the new key ('C').  Wouldn't it
be more prudent to revoke the old key ('A') after the add hold-down expires for the new key?
2007-05-17
06 Tim Polk
[Ballot comment]
Should we include an RFC Editor Note to update section 3 based on the assignment of a bit in
the DNSKEY flags field?  …
[Ballot comment]
Should we include an RFC Editor Note to update section 3 based on the assignment of a bit in
the DNSKEY flags field?  The current text of section 3 begins "Bit n of the DNSKEY Flags field",
and there is no inline note to the RFC editor to update the text...

In section 2.3, I don't think you need "MAX" in the definition of queryInterval. Similarly, I believe
there are issues with the definition of retryTime in the following paragraph.  I think both should
specify a range, but MAX gives us a scalar right?
2007-05-17
06 Tim Polk
[Ballot comment]
Should we include an RFC Editor Note to update section 3 based on the assignment of a bit in the
DNSKEY flags field?  …
[Ballot comment]
Should we include an RFC Editor Note to update section 3 based on the assignment of a bit in the
DNSKEY flags field?  The current text of section 3 begins "Bit n of the DNSKEY Flags field", and there is no inline note to the RFC editor to update the text...

In section 2.3, I don't think you need "MAX" in the definition of queryInterval. Similarly, I believe there are issues with the definition of retryTime in the following paragraph.  I think both should specify a range, but MAX gives us a scalar right?
2007-05-17
06 Tim Polk
[Ballot discuss]
The key roll-over process described in section 6.3 results in a trust point with a single active key  ('B') and no stand-by key …
[Ballot discuss]
The key roll-over process described in section 6.3 results in a trust point with a single active key  ('B') and no stand-by key until the hold-down expires for the new key ('C').  Wouldn't it be more prudent to revoke the old key ('A') after the add hold-down expires for the new key?
2007-05-17
06 Tim Polk
[Ballot comment]
Should we include an RFC Editor Note to update section 3 based on the assignment of a bit in the
DNSKEY flags field?  …
[Ballot comment]
Should we include an RFC Editor Note to update section 3 based on the assignment of a bit in the
DNSKEY flags field?  The current text of section 3 begins "Bit n of the DNSKEY Flags field", and there is no inline note to the RFC editor to update the text...
2007-05-17
06 Tim Polk [Ballot Position Update] New position, Discuss, has been recorded by Tim Polk
2007-05-14
06 Mark Townsley [Ballot Position Update] New position, Yes, has been recorded for Mark Townsley
2007-05-14
06 Mark Townsley Ballot has been issued by Mark Townsley
2007-05-14
06 Mark Townsley Created "Approve" ballot
2007-05-14
06 Mark Townsley State Changes to IESG Evaluation from Waiting for AD Go-Ahead::AD Followup by Mark Townsley
2007-05-14
06 Mark Townsley Placed on agenda for telechat - 2007-05-24 by Mark Townsley
2007-05-14
06 Mark Townsley [Note]: 'draft-ietf-dnsext-rollover-requirements-04 is the associated requirements document' added by Mark Townsley
2007-04-04
06 (System) Sub state has been changed to AD Follow up from New Id Needed
2007-04-04
06 (System) New version available: draft-ietf-dnsext-trustupdate-timers-06.txt
2007-04-03
06 Mark Townsley State Changes to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead by Mark Townsley
2007-01-30
06 Yoshiko Fong
IANA Last call Comment:

IANA understands that, upon approval of this document,
there is a single IANA Action that needs to be completed.

In the …
IANA Last call Comment:

IANA understands that, upon approval of this document,
there is a single IANA Action that needs to be completed.

In the DNSKEY FLAGS registry located at:

http://www.iana.org/assignments/dnskey-flags

a single value would be added:

Number Description
------ ------------------------------
TBD REVOKE

IANA understands that this is the only action required
upon approval of this document.
2007-01-29
06 (System) State has been changed to Waiting for AD Go-Ahead from In Last Call by system
2007-01-15
06 Amy Vezza Last call sent
2007-01-15
06 Amy Vezza State Changes to In Last Call from Last Call Requested by Amy Vezza
2007-01-15
06 Mark Townsley Last Call was requested by Mark Townsley
2007-01-15
06 Mark Townsley State Changes to Last Call Requested from Publication Requested by Mark Townsley
2007-01-15
06 (System) Ballot writeup text was added
2007-01-15
06 (System) Last call text was added
2007-01-15
06 (System) Ballot approval text was added
2006-12-21
06 Dinara Suleymanova
PROTO Write-up

1) Have the chairs personally reviewed this version of the ID and do
they believe this ID is sufficiently baked to forward to …
PROTO Write-up

1) Have the chairs personally reviewed this version of the ID and do
they believe this ID is sufficiently baked to forward to the IESG
for publication?

There are no nits according to idnits 1.108 (via tools.ietf.org). One
could argue that DNSSEC terminology should have been expanded at first
use, the chairs thinks this is not needed.


2) Has the document had adequate review from both key WG members and
key non-WG members? Do you have any concerns about the depth or
breadth of the reviews that have been performed?


Yes during last-call this document has been reviewed in depth by (at
least) the following people.

- Wouter Wijngaards
http://ops.ietf.org/lists/namedroppers/namedroppers.2006/
msg01270.html

- Sam Weiler
http://ops.ietf.org/lists/namedroppers/namedroppers.2006/
msg01357.html

- Scott Rose
http://ops.ietf.org/lists/namedroppers/namedroppers.2006/
msg01280.html

- Andrew Sullivan
http://ops.ietf.org/lists/namedroppers/namedroppers.2006/
msg01306.html

- Wesley Griffin
http://ops.ietf.org/lists/namedroppers/namedroppers.2006/
msg01372.html

- Robert Story
http://ops.ietf.org/lists/namedroppers/namedroppers.2006/
msg01373.html

- Suresh Krishnaswamy
http://ops.ietf.org/lists/namedroppers/namedroppers.2006/
msg01311.html

At an earlier phase the document has been reviewed by Eric Rescorla.
http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg01026.html

(Eric brought up a number of issues which were argued to be
operational issues concerning key handling and not relevant to the
protocol described in the draft.)

Reviewers have compared the properties of this rollover mechanism
with the goals as set in the rollover-requirements draft.

The reviewers are satisfied that the threshold-timers document
satisfies (see
section 5 of draft-ietf-dnsext-rollover-requirements)

1. Scalability
3. General Applicability
4. Support Private Networks
7. Planned and Unplanned Rollovers
8. Timeliness
10. New RR Types (unclear requirement, but no new RR type needed)
11. Support for Trust Anchor Maintenance Operations
(accomplishes replace w/ separate add/delete)
12. Recovery From Compromise
13. Non-degrading Trust

There have been ('non-blocking') comments about:

5. Stale Trust Anchor Detection
Depending on how many revoked DNSKEYs are in the RRset

6. Manual Operations
From the resolver point of view the operations may be difficult
to perform manually, on the zone-owner side manual operations is
not a problem.

9. High Availability

In particular the amount of revoked DNSKEYs could increase
the size of the DNSKEY RRset to


2. No Intellectual Property Encumbrance

Folk have been reluctant to comment on the status of the IPR
claims more about this at 4) below.


3) Do you have concerns that the document needs more review from a
particular (broader) perspective (e.g., security, operational
complexity, someone familiar with AAA, etc.)?


We think this document has had sufficient review, also from security
savvy reviewers, on the other hand a final review will never hurt.


4) Do you have any specific concerns/issues with this document that
you believe the ADs and/or IESG should be aware of? For example,
perhaps you are uncomfortable with certain parts of the document,
or whether there really is a need for it, etc., but at the same
time these issues have been discussed in the WG and the WG has
indicated it wishes to advance the document anyway.


The rollover-requirements draft states that the preferred solution
should not be IPR encumbered. Mr. Moreau claims that a patent applies
(see
http://ops.ietf.org/lists/namedroppers/namedroppers.2006/msg01283.html)
The editor does not agree with this statement.

We do not know if Mr. Moreau followed the instructions in 6.1.3 of
BCP79.

Besides, Diversinet claimed IPR
(see https://datatracker.ietf.org/public/ipr_search.cgi?
option=document_search&document_search=ietf-dnsext-trustupdate-timers)

It should also be noted that there were a number of proposals from
which this particular draft was selected. This included
draft-ietf-dnsext-trustupdate-threshold (covered by the same
Diversinet IPR claim) and draft-moreau-dnsext-takrem-dns-02.txt (see
https://datatracker.ietf.org/public/ipr_detail_show.cgi?ipr_id=639). The
draft-moreau-dnsext-takrem-dns-02 draft was published with a
non-derivative clause.

The working group has been made aware of the IPR claims and they were
not subject to further discussion about applicability.




5) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with
it?


The selection for this particular proposal was done during the
face-2-face meeting in Montreal and met wide consensus. This consensus
was confirmed on-list. Also during the last call there were several
folk that supported this document explicitly.


6) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarize what are they upset about.

Mr. Moreau has indicated that he would abtain from providing input on
this draft because he is not satisfied with the requirements
draft. (http://ops.ietf.org/lists/namedroppers/namedroppers.2006/
msg01327.html).
He has not threatened with an appeal.



7) Have the chairs verified that the document adheres to _all_ of the
ID nits? (see http://www.ietf.org/ID-nits.html).


Yes.


8) For Standards Track and BCP documents, the IESG approval
announcement includes a writeup section with the following
sections:

- Technical Summary

The document describes a means for automatically updating public
keys that are configured in DNSSEC aware resolvers. New
trust-anchors are configured when signatures over them can be
validated using the previous trust-anchors. By introducing explicit
revocation and a delay mechanism the chances of an attacker
introducing a mala fide trust-anchor after a key compromise are
mitigated, albeit not solved.


- Working Group Summary

There is a broad consensus that this solution provides a workable
key-rollover. The working group is aware IPR issues.

- Protocol Quality

There are no implementations yet. The chairs are aware of at least
1 and maybe 2 independent organizations that plan on
implementing. At least one implementer has done in-depth review
during last call.

The chairs are of the opinion that after implementations are
written there is probably millage in documenting operational
experiences.
2006-12-21
06 Dinara Suleymanova Draft Added by Dinara Suleymanova in state Publication Requested
2006-11-30
05 (System) New version available: draft-ietf-dnsext-trustupdate-timers-05.txt
2006-11-08
06 (System) Request for Early review by SECDIR is assigned to Stefan Santesson
2006-11-08
06 (System) Request for Early review by SECDIR is assigned to Stefan Santesson
2006-09-08
04 (System) New version available: draft-ietf-dnsext-trustupdate-timers-04.txt
2006-07-17
03 (System) New version available: draft-ietf-dnsext-trustupdate-timers-03.txt
2006-01-10
02 (System) New version available: draft-ietf-dnsext-trustupdate-timers-02.txt
2005-08-16
01 (System) New version available: draft-ietf-dnsext-trustupdate-timers-01.txt
2005-03-08
(System) Posted related IPR disclosure: Diversinet Corp.'s statement about IPR claimed in draft-ietf-dnsext-trustupdate-timers-00.txt
2005-02-06
(System) Posted related IPR disclosure: Diversinet Corp.'s statement about IPR claimed in draft-ietf-dnsext-trustupdate-timers-00.txt
2004-10-27
00 (System) New version available: draft-ietf-dnsext-trustupdate-timers-00.txt