[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Matt Larson matt at kahlerlarson.org
Tue Jun 7 20:50:31 UTC 2016


Since starting at ICANN in mid-May, I'm now at the pointy end of the stick as project lead for the impending root KSK roll and have some comments about the subject.

First, regarding rolling the KSK or not, let me please remind everyone that the plan from the beginning, back in 2010 when we signed the root initially, was always to roll the KSK.  I refer you to the "Root Zone KSK Operator DPS" (DNSSEC Practices Statement) at https://www.iana.org/dnssec/icann-dps.txt:

> 6.5.  Key signing key roll-over
> 
>    Each RZ KSK will be scheduled to be rolled over through a key
>    ceremony as required, or after 5 years of operation.

We're actually late in rolling the key according to the original intentions.

Second, thanks to Ondřej for pointing out the ICANN root KSK roll web page at https://www.icann.org/resources/pages/ksk-rollover.  Note that page lists the planned high-level timeline, which is:

- New KSK generation at the November, 2016, key ceremony
- Publication of the new root KSK in July, 2017 (i.e., first appearance in the root zone)
- Actual rollover in October, 2017 (i.e., sign root DNSKEY RRset with new key rather than old).  (We're following a pre-publish model, so we'll cut from signing with the old KSK to the new KSK rather than double signatures by old and new KSKs for any period.)

And that schedule brings me to my third comment, which is related to systemd's trust anchor store maintenance.  While I'd like to see as much 5011 deployment as possible, also relying on what the upstream update mechanism provides--given proper authentication--makes for good belt and suspenders.  For software that doesn't support 5011, however, we're not going to spring a new trust anchor on anyone overnight.  Note the timetable above: it's going to be nearly a year from when the new trust anchor is generated until when the rollover occurs and everyone must have it configured.  During that time, one of ICANN's most important rollover tasks will be communicating not just with the general public but especially with software distributors and developers to make sure that those who supply the trust anchor in validator software know about the new one and get it into their products.

Matt
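As an added example, not code from Matt's message or from ICANN, the RFC 5011 hold-down logic replayed over the pre-publish timeline above: a validator that watches the root DNSKEY RRset during the publication window ends up trusting the new KSK, while one that is offline for that whole window (the case raised further down the thread) is left with only a revoked anchor. Key tags, the specific days and the class and function names are constructed for the walk-through.

```python
from datetime import date, timedelta

# Constructed constants for the walk-through; not the real root KSK values.
ADD_HOLD_DOWN = timedelta(days=30)   # RFC 5011 add hold-down time
REVOKE_FLAG = 0x0080                 # REVOKE bit in the DNSKEY flags field
OLD_KSK, NEW_KSK = 1001, 2002        # constructed key tags


class TrustAnchorStore:
    """Minimal RFC 5011 state machine: Start -> AddPend -> Valid -> Revoked."""

    def __init__(self, anchors):
        self.keys = {tag: ("Valid", None) for tag in anchors}  # tag -> (state, since)

    def trusted(self):
        return {t for t, (s, _) in self.keys.items() if s == "Valid"}

    def observe(self, when, dnskeys, signed_by):
        """dnskeys: {key tag: flags}; signed_by: tags whose RRSIGs cover the RRset."""
        # 1. A trusted key carrying the REVOKE bit is believed only if it signed the
        #    RRset itself; afterwards it validates nothing else (RFC 5011 section 2.3).
        for tag, flags in dnskeys.items():
            if flags & REVOKE_FLAG and tag in signed_by and tag in self.trusted():
                self.keys[tag] = ("Revoked", when)
        # 2. Additions count only when a still-trusted, unrevoked key signed the RRset.
        if not (signed_by & self.trusted()):
            return
        for tag, flags in dnskeys.items():
            state, since = self.keys.get(tag, ("Start", None))
            if state == "Start" and not flags & REVOKE_FLAG:
                self.keys[tag] = ("AddPend", when)          # start the hold-down
            elif state == "AddPend" and when - since >= ADD_HOLD_DOWN:
                self.keys[tag] = ("Valid", None)            # seen continuously
        # A pending key that drops out of the RRset must restart its hold-down.
        for tag, (state, _) in list(self.keys.items()):
            if state == "AddPend" and tag not in dnskeys:
                del self.keys[tag]


def run_rollover(validator_online):
    """Replay the pre-publish timeline; return (old KSK state, new KSK state)."""
    store = TrustAnchorStore({OLD_KSK})
    published, rollover = date(2017, 7, 11), date(2017, 10, 11)  # constructed days
    day = published
    while day < rollover:                    # both keys published, old one signing
        if validator_online:
            store.observe(day, {OLD_KSK: 257, NEW_KSK: 257}, {OLD_KSK})
        day += timedelta(days=1)
    # Later: old KSK published with REVOKE set and self-signed, new KSK signs.
    store.observe(date(2018, 1, 11), {OLD_KSK: 257 | REVOKE_FLAG, NEW_KSK: 257},
                  {OLD_KSK, NEW_KSK})
    return store.keys[OLD_KSK][0], store.keys.get(NEW_KSK, ("Start", None))[0]
```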


> On Jun 6, 2016, at 6:02 AM, Ondřej Surý <ondrej.sury at nic.cz> wrote:
> 
> No matter what, the KSK is going to be rolled, so it's futile to resist at this moment.
> 
> For a background see:
> 
> 1. https://www.icann.org/resources/pages/ksk-rollover
> 2. https://www.iana.org/reports/2016/root-ksk-rollover-design-20160307.pdf
> 
> This "The IANA Functions Contract requires ICANN to perform a Root Zone KSK rollover" mostly answers your question, but I agree it's good to practice a Root KSK rollover for operational purposes now and to change the algorithm in the future.
> 
> Cheers,
> Ondrej
> 
> --
> Ondřej Surý -- Technical Fellow
> --------------------------------------------
> CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
> Milesovska 5, 130 00 Praha 3, Czech Republic
> mailto:ondrej.sury at nic.cz    https://nic.cz/
> --------------------------------------------
> 
> ----- Original Message -----
>> From: "Florian Weimer" <fweimer at redhat.com>
>> To: "Paul Wouters" <paul at nohats.ca>, "Jan Včelák" <jan.vcelak at nic.cz>
>> Cc: dns-operations at dns-oarc.net
>> Sent: Monday, June 6, 2016 11:20:49 AM
>> Subject: Re: [dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10
> 
>> On 06/05/2016 08:31 PM, Paul Wouters wrote:
>>> On Fri, 3 Jun 2016, Jan Včelak wrote:
>>> 
>>>> I don't think this is necessarily a negative score point for systemd.
>>>> 
>>>> I already trust my Linux distribution in what they are shipping. I don't
>>>> mind whether it is a list of certification authorities or trust anchor
>>>> for DNSSEC. For me, the trust point is the distribution signing key. And
>>>> the package I can audit. I don't really fancy some software pulling in
>>>> another trust anchor.
>>> 
>>> If your machine is offline for the months during which a KSK rollover
>>> happens, can you get online with enough DNS to update your OS to get
>>> an updated trust anchor?
>> 
>> I still don't understand this.
>> 
>> Why would you do a KSK rollover if the key isn't compromised?  And if
>> the KSK *is* compromised, you don't want to perform an automated update.
>> 
>> Florian
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> 