This is a discussion on The lifetime of a Trust Anchor Key - DNS ; To the DNSEXT working group: This post is in answer of a question asked during the IETF-64 DNSEXT wg session, about the lifetime of DNSKEY records for trust anchor keys. Indeed, there is no notion of "lifetime" for a trust ...
To the DNSEXT working group:
This post is in answer of a question asked during the IETF-64
DNSEXT wg session, about the lifetime of DNSKEY records for trust
Indeed, there is no notion of "lifetime" for a trust anchor key
in the current DNSSEC protocols. In the TAKREM for DNSSEC
presentations, I erroneously assumed that a DNSKEY TTL value,
and/or RRSIG validity period would carry a DNSKEY lifetime
information, while in fact the TTL information is for cached data
handling and the RRSIG validity period applies to every DNSKEY in
There is perhaps an broader issue of prevention of replay attacks
based on re-introducing and old signature key somewhere in the
DNSSEC architecture. For secure DNS delegations, the
verifications that should be made by a parent zone before signing
a DS record should prevent such replay attacks.
The replay attack threat is more acute for trust anchor keys
because there is no parental oversight of the current valid
key(s). For DNSSEC trust anchor keys rolled over with the TAKREM
proposal, I see three alternatives:
A validity period might be introduced to (a revised
definition of) the SDDA record format. This would affix an
explicit lifetime to a trust anchor key.
The DNS resolver might assume that a trust anchor key record
is expired when it disappeared from a zone's DNSKEY RRset
*AND* a new valid trust anchor key has been detected.
The revoked bit from the Mike St-Johns proposal
(draft-ietf-dnsext-trustupdate-timers-01.txt) can be used as
an indication that a trust anchor key has been revoked.
With any of these solution avenues, there is an implicit
requirement for the DNS resolver to remember the expired status
of past trust anchor keys, at least to the extent that the DNS
resolver local policy is to protect itself against Trust Anchor
Key replay attacks.
The details should be worked on later since the DNSEXT wg
attention is currently focused on trust anchor key management
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Canada H2M 2A1
web site: http://www.connotech.com
to unsubscribe send a message to firstname.lastname@example.org with
the word 'unsubscribe' in a single line as the message text body.