Fwd: Key Coverage Tool Proposal
Curtis Blackburn
ckb at isc.org
Tue Mar 13 20:16:03 UTC 2012
Stephen Morris had this to say, and as he is not on the list I (with his permission) am forwarding it, in case anyone has further comment.
--
/***************************************\
* ISC offers support on many *
* of its products, including BIND 9. *
* If you depend on it, depend on us! *
\***************************************/
Curtis Blackburn
<ckb at isc.org>
Software Engineer,
BIND Development Team
Internet Systems Consortium
Begin forwarded message:
> From: Stephen Morris <stephen at isc.org>
> Subject: Key Coverage Tool Proposal
> Date: March 13, 2012 12:41:16 PM CDT
> To: Blackburn Curtis <ckb at isc.org>
>
> Curtis
>
> I'm afraid that I'm not subscribed to the bind-workers list, so I've
> cut and pasted the email about the key coverage tool from the list
> archives and am replying to you directly.
>
>> this is a work in progress and we are looking for feedback to make
>> this a better tool.
>>
>> As an administrator, I want a tool that allows me to be able to
>> make sure that all the activation dates for my keys are valid.
>
> Just as clarification, is this tool only advisory (i.e. it looks at
> the state of the zone and reports what it sees) or active (it actually
> handles the rolling of the key)?
>
>> This tool will be written in python.
>>
>> This key coverage tool: - ensure that there are no gaps in key
>> coverage - make sure that keys are published in your zone at least
>> 1 ttl before that key is to be published
> I think the second "published: should be "used to sign records in the
> zone".
>
>> - use refresh rate from SOA - e.g., ttl+refresh to insure that
>> key is published soon enough
>
> I suggest checking the DNSOP key timing draft
> (http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing) for
> timing considerations concerning the rolling of keys. The draft has
> expired, but I am planning on resurrecting it immediately after this
> IETF. In particular, there are additional intervals that need to be
> considered, over and above the TTL.
>
> (There is also a -bis version in preparation, see
> tools.ietf.org/html/draft-mekking-dnsop-dnssec-key-timing-bis)
>
>> The following is a list of things that the tool will have to be
>> able to gracefully handle whether by emitting a warning, an error,
>> or information:
>>
>> we expect to see one or more algorithm within one algorithm we
>> expect to see both a KSK and a ZSK - usually these will be
>> different keys (warn if not?)
>
> Informational message may be, but not a warning. RFC 4641bis
> (http://tools.ietf.org/html/draft-ietf-dnsop-rfc4641bis) discusses the
> ZSK/KSK split and the idea of a single type signing scheme.
>
>> - usually the KSK will have the SEP flag (warn if not?)
> I think warn. RFC4641bis suggests that the SEP flag should be set on
> the KSK and on the key used in a single-type signing scheme.
>
>> - more than one KSK and ZSK is allowed
>>
>> keys can be signed or unsigned keys can be published or unpublished
>> keys can be active or inactive first look for any period of time
>> where a key becomes inactive -error if a key following it would not
>> be signed -error if a key following it would not be published
>> -error if a key following it would not be active
>
> I'm not clear what is meant by signed/unsigned here. Do you you mean
> that the DNSKEY is published in the DNSKEY RRset but the set is signed
> or not signed?
>
> (I presume that published and active have the same meaning as the key
> timing draft.)
>
>> warn if a ZSK remains published after it's been deactivated
>
> Assuming that "active" means "used to sign the zone", then there is a
> retirement period for keys; they need to remain in the zone until all
> RRs with signatures created by them have expired from caches.
>
>> -do not error as long as at least one ZSK is published and active
>>
>> in the case of complex key rolls involving both KSKs and ZKSs -we
>> will need to alert the user of the time of the KSK roll -the user
>> will need to ensure that the new DS is in place in the parent zone
>> (can we check this with the tool?)
>
> I advise checking the DS record with the tool. The DS record will
> usually be in a zone under different administrative control from the
> zone holding the KSKs, so processes and timescales for changes may be
> different.
>
> Note though that you can:
> a) add a DS to the parent, change the KSK and remove the old DS record
> b) add a new KSK to the zone, change the DS in the parent, remove the
> old KSK from the zone
> c) add the new DS and KSK at the same time, wait a bit, remove the old
> DS and old KSK at the same time.
>
> (see section 3.3 of the key timing draft.)
>
>> in the case of zones with more than one algorithm in use -???
>>
>> In the case of a zone being rolled from one algorithm to another
>> -???
>
> Have a look at 4641bis for considerations about algorithms.
>
>
>> private section is extensible - ensure that when the .private part
>> of KSKs and ZSKs is added to things continue to work
>
> Not sure what is meant by this.
>
>>
>> other possible scenarios that the tool may run into:
>>
>> -corrupted fields/other bad input
>
>> -a zone with just KSKs -a zone with just ZSKs
> Strictly speaking, the SEP flag is just a flag of convenience and the
> DNSSEC protocol makes no distinction between ZSK and KSK.
>
>> -deliberately going insecure
> This will mean removing the DS record from the parent. The zone will
> have to continue to be signed until the DS record has expired from
> caches, else the zone risks being tagged as bogus.
>
>> -nsec to nsec3 transitions -vice versa
> Also add the possibility of a zone with multiple NSEC3 chains.
>
>> -non-readable keys -non-writeable keys-(I do not think that this
>> will be an issue) -revoked keys -bad key directory/other arguments
>> -inaccessible zone file -it is possible to do some of the
>> checking without using the zone file at all,
> There is a distinction between the zone file - what should be in the
> zone - and what is actually in the zone. The simplest solution might
> be to just do the checking against the zone served by a particular
> nameserver. To check a zone file, load it into a locally-running copy
> of BIND and check against that.
>
>> do we want to do that? -what if the key rolls havent taken place
>> on time
> It depends how the key rolling system is set up. For example, it is
> entirely possible that the system is set to run at once a day, in
> which case we would expect events to occur up to 24 hours after they
> were scheduled (e.g. the system runs at 18:00 and the event is
> scheduled for 18:00:01; in this case, it would not occur until 18:00
> the next day).
>
> Stephen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-workers/attachments/20120313/23bdaac3/attachment.html>
More information about the bind-workers
mailing list