[dns-operations] DNS self-updates (was: DNSSEC deployment incentives)

Mark Andrews marka at isc.org
Thu Jun 20 02:39:23 UTC 2019



> On 20 Jun 2019, at 10:01 am, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> On Thu, Jun 20, 2019 at 09:21:29AM +1000, Mark Andrews wrote:
> 
>>> One thing I'd like to see is the ability for a server to use its
>>> current private key and certs (that match its existing TLSA RRset)
>>> to use DNS "update" to publish a revised TLSA RRset (perhaps via
>>> SIG(0) with the TLSA records used as the ACL in the nameserver).
>>> If any of the implementors of BIND, NSD, PowerDNS, ... are interested,
>>> please reach out…
>> 
>> What do you want to do the update-policy doesn’t already support?
>> 
>> See grant self and self-sub.  They are designed to allow a machine to
>> update records associated with itself, be they A, AAAA, SRV, TLSA, KEY or
>> SSHFP, with control down to the record type.
> 
> What does "self" mean?  What authenticates an incoming update packet
> as "self"?  It'd be great if that were the content of the TLSA RRset.

A SIG(0) signed update of foo.example.com can update any records at
foo.example.com provided there is a matching KEY record in the zone.

Similarly a valid TSIG signed update request with TSIG key name
foo.example.com can update any records at foo.example.com.

self-sub allows *.<name> to be updated as well as <name> (SIG(0) and TSIG).

There are similar rules using Kerberos principal names (both KRB5 and Microsoft
flavours) provided the realm in the principal is authorised via TKEY and GSS-TSIG.

While it would be possible to do something from a CERT, the process would need
to be standardised.  It would also require a mechanism to restrict the CAs that
can be used for a given name, etc.

In my personal opinion we already have enough mechanisms to update a zone
securely.

One can also extract the public key from a CERT to produce a KEY record and
update the KEY RRset using the existing KEY when a CERT is updated using the
private part of the old CERT, or just have a separate key pair for this.  The only
thing a CERT gives you is trace back to a CA for the initial addition.

Mark

> -- 
> 	Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
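The `grant self` / `grant self-sub` rules Mark refers to, written out as a BIND 9 `named.conf` fragment. This is an added illustration, not configuration from the original message or from ISC; the zone `example.com`, the host `foo.example.com`, the file paths and the TSIG secret are assumed placeholders. Note that BIND's own keyword for the sub-name variant is spelled `selfsub`, and that `_443._tcp.foo.example.com` (where a TLSA RRset actually lives) is *below* `foo.example.com`, so a plain `self` grant would not reach it.

```conf
// Added example (not from the original post). Assumes zone example.com
// with a host foo.example.com that updates its own records.

// Option A: TSIG.  The key NAME is the identity that "self" compares
// against the owner name of the record being updated.
key "foo.example.com" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};

// Option B: SIG(0).  No key block is needed here; instead the zone must
// contain a KEY RR at the signer name, e.g. (placeholder public key):
//   foo.example.com. IN KEY 512 3 15 REPLACE-WITH-BASE64-PUBKEY
// The update is signed with the matching private key and named
// checks the signature against that KEY RRset.

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";   // assumed path

    update-policy {
        // "self": the signer (TSIG key name or SIG(0) KEY owner) may change
        // only records whose owner name equals its own identity, and only
        // the listed types.  The name field is required by the syntax but
        // ignored for the self nametype, hence "*".
        grant * self * A AAAA SRV KEY SSHFP;

        // "selfsub": same signer may also change records at any name under
        // its identity, which is where _<port>._<proto>.<host> TLSA and
        // service SRV records live.  Still limited to the listed types.
        grant * selfsub * TLSA SRV;
    };
};
```

With this policy a host that holds the TSIG secret or the SIG(0) private key for `foo.example.com` can rotate its own TLSA, A/AAAA, SSHFP or KEY RRsets (the last of these is what lets it roll its own update key in place), but it cannot touch `bar.example.com`, the zone apex, or NS/DS records, because neither the identity nor the type list matches. On the client side, a SIG(0) key pair of the kind assumed above is what `dnssec-keygen -T KEY -n HOST foo.example.com` produces, and `nsupdate -k <keyfile>` uses either a TSIG key file or that SIG(0) private key to sign the request.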