[dns-operations] .fr has 5 DNSKEYs

George Barwood george.barwood at blueyonder.co.uk
Wed Jun 1 21:11:40 UTC 2011


----- Original Message ----- 
From: "Edward Lewis" <Ed.Lewis at neustar.biz>
To: "George Barwood" <george.barwood at blueyonder.co.uk>
Cc: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>; "Paul Wouters" <paul at xelerance.com>; <dns-operations at mail.dns-oarc.net>
Sent: Wednesday, June 01, 2011 5:59 PM
Subject: Re: [dns-operations] .fr has 5 DNSKEYs


> At 17:18 +0100 6/1/11, George Barwood wrote:
> 
>>The other point : is it true that after the detected compromise of a key,
>>having a rescue key allows security to be restored faster.
> 
> Faster...than not having a rescue key?  Yes.
> 
>>You can start signing with rescue key, but the attacker can still
>>forge responses until the old DNSKEY RRsets have expired. So that's
>>not clear.
> 
> The goal is to 1) cause no more harm and 2) remove the old key's 
> effectiveness as quickly as possible.  By not having a rescue key you 
> have the choice to shock the system (violate #1) or introduce the new 
> key gracefully (lengthen the time to achieve #2).

What I'm suggesting is that doing the job gracefully
(1) Doesn't lengthen the time to achieve security,
(2) Isn't any quicker if you have a rescue key.

To make things concrete, suppose every record has a TTL of 1 day,
and every signature has an expiry of 1 week from time of signing.

Suppose we have detected that a ZSK has been compromised.
A powerful attacker ( say one that has been installed into a router,
so can forge packets at will ) can feed the old DNSKEY RRset,
and forged signed zone data to a victim client, and the client will continue
to accept it as valid until the signature on the DNSKEY RRset
expires ( 1 week ). 

But rolling the ZSK in this situation only takes about 2 days or so
( introduce new ZSK, wait 1 day for DNSKEY to propagate, start
signing with new ZSK, wait 1 day for old RRSIGs to expire, remove old ZSK ).

The extra 1 day saved is lost, because we are in any case insecure for 1 week.
Only if the signature expiry time is less than 2 x TTL is there any saving,
and I don't think this is typical ( I expect this analysis isn't exactly right,
I'm just trying to give a rough outline ).

George
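
The timing model in the message above, as an added example that is not part of the original post: it reads the RRSIG covering the DNSKEY RRset and compares the end of the replay window with the end of a graceful ZSK roll, with and without a pre-published standby key. The sample record, the function names and the assumption that the supplied RRSIG is the latest-expiring one over the old key set are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG over a DNSKEY RRset (presentation format); the zone,
# key tag and signature are placeholders. TTL 1 day, validity 1 week.
SAMPLE_RRSIG = ("example. 86400 IN RRSIG DNSKEY 8 1 86400 "
                "20110608000000 20110601000000 12345 example. c2lnbmF0dXJl")

def _ts(s):
    # RRSIG times are YYYYMMDDHHmmSS (UTC) or seconds since the epoch.
    if len(s) == 14:
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(s), tz=timezone.utc)

def parse_rrsig(line):
    """Return (type covered, original TTL, expiration, inception)."""
    f = line.split()
    i = f.index("RRSIG")
    return f[i + 1], timedelta(seconds=int(f[i + 4])), _ts(f[i + 5]), _ts(f[i + 6])

def roll_end(detected, ttl, standby):
    # Steps from the message: publish new ZSK, wait one TTL, sign with it,
    # wait one TTL, remove old ZSK. A pre-published standby key skips the first wait.
    return detected + ttl * (1 if standby else 2)

def secure_at(rrsig_line, detected, standby):
    """Earliest time the old ZSK is useless to a replaying attacker (model above)."""
    covered, ttl, expiration, _ = parse_rrsig(rrsig_line)
    if covered != "DNSKEY":
        raise ValueError("need the RRSIG covering the DNSKEY RRset")
    replay_end = max(expiration, detected)  # old DNSKEY RRset validates until then
    return max(replay_end, roll_end(detected, ttl, standby))

def standby_saving(rrsig_line, detected):
    """Time gained by having the standby key already published."""
    return secure_at(rrsig_line, detected, False) - secure_at(rrsig_line, detected, True)

if __name__ == "__main__":
    detected = datetime(2011, 6, 1, tzinfo=timezone.utc)  # constructed detection time
    short = SAMPLE_RRSIG.replace("20110608000000", "20110602120000")
    for label, rr in (("1 week validity", SAMPLE_RRSIG), ("1.5 day validity", short)):
        print(label, "secure at", secure_at(rr, detected, False),
              "standby saves", standby_saving(rr, detected))
```

With the 1 day TTL and 1 week validity from the message the standby key gains nothing; the second case shortens the validity below 2 x TTL, where it does.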