[dns-operations] Key management and computer "mere mortals" (was: .Org DNSSEC key management policy feedback)
marka at isc.org
Thu Jun 25 01:12:07 UTC 2009
In message <3efd34cc0906241421i77a4cd82sa328f284639bea89 at mail.gmail.com>, bert hubert writes:
> On Wed, Jun 24, 2009 at 3:35 PM, Michael
> Monnerie<michael.monnerie at is.it-management.at> wrote:
> > +1
> > Currently DNS requires almost no maintenance, while for DNSSEC you'd
> > require tons of test tools who constantly monitor everything, and in
> > case of an error you manually need to do things that are not to-be-done
> > by the average admin, you'd need a real DNSSEC admin.
> You also need a DNSSEC-capable support infrastructure to deal with
> questions about 'fuzz' and other 'it almost works' situations.
> This is not going to be cheap.
The tools are coming. They are/will be built in nameservers. We
have built/are building them into named as we speak. Other vendors
are also doing so.
We already have nameservers that re-sign the zone for you so you
don't have to think about that. I haven't re-signed my zones by
hand in over a year now. The nameserver just does it for me.
We have nameservers that can convert an unsigned zone to a signed
zone and do the reverse.
We have nameservers that can change NSEC3 parameters on a zone.
We have nameservers that can convert zones from NSEC to NSEC3 on
the fly as well as the reverse.
We have nameservers where you can add and remove DNSKEYs and have
the signatures be generated as needed.
We have nameservers that can track trusted anchors via RFC 5011.
We will have nameservers that will manage the authoritative side
of RFC 5011 automatically. This will reduce the probability of
We can build in the current root keys into distributions so that
RFC 5011 will work with them when the root is signed.
OS vendors will track the current root keys and publish them as
part of the normal maintenance procedures.
We can have nameservers that generate new ZSK's automatically as
What we don't yet have is an agreed-on protocol for the nameserver
to update the DS records in the parent. We could do this with
UPDATE or a NOTIFY extension if we could get agreement to allow the
software to bypass the registrar. The registrar is only needed to
establish the initial trust relationship. I don't believe RFC 5011
is really appropriate for all zones and may actually be bad for some
as it forces you to maintain RFC 5011 basically forever.
If the registrar HAS to be in there as a middle man then we need a
machine protocol for talking to registrars. Screen scraping is not
appropriate. Hundreds of different methods are not appropriate.
There needs to be one method. Registrars also introduce the problem
of "how do we work out where to send this data". Going directly to
the registry / nameserver is so much simpler for a management point
Once we have such a protocol then the nameserver can generate new
keys as required by policy and push the DS records to the parent.
DNSSEC is almost set-and-forget. A lot of what is required is there
now though it may need polishing. More is coming. There is one
missing link in the path as far as I can see.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
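The RFC 5011 trust-anchor tracking that the post says resolvers now do automatically is essentially a timer-driven state machine. The following is an added, simplified model of that state machine, not code from the post, ISC or named; it assumes the caller has already validated each DNSKEY RRset it feeds in and identifies keys by key tag (the tags used below are constructed values).

```python
"""Simplified RFC 5011 trust-anchor state machine (added example).

One observe() call per DNSKEY poll: `present` is the set of SEP key tags in a
DNSKEY RRset the caller already validated, `revoked` the subset that carried
the REVOKE bit and verified with their own key. Signature checking is assumed
done by the caller; only the hold-down bookkeeping is modelled here.
"""
from dataclasses import dataclass, field

ADD_HOLD_DOWN = 30 * 86400     # RFC 5011 add hold-down time, in seconds
REMOVE_HOLD_DOWN = 30 * 86400  # RFC 5011 remove hold-down time, in seconds

@dataclass
class Anchor:
    state: str = "Start"
    since: int = 0  # time the current state was entered

@dataclass
class TrustAnchorStore:
    anchors: dict = field(default_factory=dict)

    def add_initial(self, tag: int, now: int) -> None:
        """Bootstrap anchor (e.g. a key shipped with the OS) is trusted at once."""
        self.anchors[tag] = Anchor("Valid", now)

    def trusted(self) -> set:
        # A Missing key is still an anchor; only revocation removes trust.
        return {t for t, a in self.anchors.items() if a.state in ("Valid", "Missing")}

    def observe(self, now: int, present: set, revoked: set) -> None:
        """Apply one validated DNSKEY observation made at time `now`."""
        if not (self.trusted() & present):
            return  # RRset carries no current anchor: cannot be validly signed
        for tag in present:
            self.anchors.setdefault(tag, Anchor("Start", now))
        for tag, a in self.anchors.items():
            seen, rev = tag in present, tag in revoked
            if a.state == "Start" and seen and not rev:
                a.state, a.since = "AddPend", now
            elif a.state == "AddPend":
                if rev or not seen:
                    a.state, a.since = "Start", now  # hold-down starts over
                elif now - a.since >= ADD_HOLD_DOWN:
                    a.state, a.since = "Valid", now
            elif a.state in ("Valid", "Missing"):
                if rev:
                    a.state, a.since = "Revoked", now
                else:
                    a.state, a.since = ("Valid" if seen else "Missing"), now
            elif a.state == "Revoked" and now - a.since >= REMOVE_HOLD_DOWN:
                a.state, a.since = "Removed", now
```

A new key is only trusted after it has been continuously published for the full add hold-down period, which is why a zone that starts using RFC 5011 must keep honouring its timers for as long as it expects resolvers to track it.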