[Yeti DNS Discuss] Reply: Call for comment: Experiment proposal for Yeti Algorithm Rollover
Davey Song(宋林健)
ljsong at biigroup.cn
Sat Dec 29 04:00:41 UTC 2018
An idea came to my mind these days. Why not set up a sub-testbed under the Yeti
project, similar to ICANN's testbed
https://automated-ksk-test.research.icann.org/? We can deploy several
algorithm approaches, roll the algorithm back and forth every week, and
ask people to join the testbed.
There are at least 3 approaches in my mind:
1) Roll the algorithm as it is done in a KSK rollover (Figure 5 of RFC6781):
* Only roll the KSK
* Pre-publish the new KSK in the root zone to fit RFC5011
* Wait a period of the RFC5011 Add Hold-Down Time
* Change the RRSIG of DNSKEY on a flag day. No double signatures.
* Revoke the old KSK and sign the DNSKEY RRset with both old and new key
* Remove the old KSK and the RRSIG of DNSKEY
2) Roll the algorithm with the liberal and double-signature approach (Figure 4 of RFC6781):
* Only roll the KSK
* Add both the new KSK and RRSIG of DNSKEY in the zone to
* Wait a period of the RFC5011 Add Hold-Down Time
* Revoke the old key and keep double signatures in the zone
* Remove the old KSK and the RRSIG of DNSKEY
3) Roll the algorithm for both KSK and ZSK with the double-signature approach:
* Roll KSK and ZSK
* Add the new ZSK and KSK as well as the RRSIGs signed by these keys in the zone
* Wait a period of the RFC5011 Add Hold-Down Time
* Revoke the old KSK and keep double signatures in the zone
* Remove the old KSK and ZSK as well as the RRSIGs signed by these old keys
If we want to roll the algorithm every week, we should ask resolvers to set the
RFC5011 timer smaller. I notice there is detailed information on how to join
on the ICANN testbed site, but the mail system is closed.
https://automated-ksk-test.research.icann.org/mailman/listinfo/ksk-roll-week-of-2017-03-19
If anyone saved the information on that page, please let me know.
Davey
> -----Original Message-----
> From: Stephane Bortzmeyer [mailto:bortzmeyer at nic.fr]
> Sent: 28 December 2018 0:46
> To: Davey Song
> Cc: discuss at lists.yeti-dns.org
> Subject: Re: [Yeti DNS Discuss] Call for comment: Experiment proposal for Yeti
> Algorithm Rollover
>
> On Wed, Dec 26, 2018 at 03:35:01PM +0800, Davey Song
> <ljsong at biigroup.cn> wrote a message of 147 lines which said:
>
> > After some investigation of algorithm rollover, and existing practice
> > in ccTLDs (.se and .br), I proposed an algorithm rollover experiment
> > plan for Yeti.
> >
> > https://github.com/BII-Lab/Yeti-Project/blob/master/doc/Experiment-AlgRoll.md
>
> > The reason for only rolling the KSK is that some people suggested that
> > some resolvers may not tolerate a KSK and a ZSK using different
> > algorithms in the same zone (notably PowerDNS).
>
> This sentence is unclear. If some resolvers cannot tolerate a KSK and a
> ZSK with different algorithms, it seems to imply the opposite: we need to
> change the algorithm of the ZSK as well.
>
> Also, reading the excellent report
> <https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over>, it
> seems that some resolvers (that was three years ago) complained when the
> records were not signed with *all* the algorithms listed in the DS record.
> So, when the new KSK will be accepted as a trust anchor, it may break
> these resolvers.
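As an added illustration for the three plans and the two resolver concerns raised in this thread (it is not code from the thread or from the Yeti project), the Python simulation below walks each plan day by day against a minimal RFC 5011 trust-anchor state machine and reports in which phases a validator would fail. Three validator behaviours are modelled: a lenient one that accepts any one valid chain, a "strict" one that, as in the report quoted above, insists that every algorithm among its current trust anchors signs the DNSKEY RRset (for the root there is no DS record, so the resolver's trust anchors stand in for it), and a "no_mixed" one that rejects a zone whose KSK and ZSK algorithm sets differ. Key tags, algorithm numbers, the 30-day hold-down and the phase durations are constructed assumptions; the `hold_down` parameter can be shortened to model the weekly-roll idea.

```python
"""Day-by-day simulation of the three rollover plans against an RFC 5011
trust-anchor state machine and three validator behaviours (added example;
key tags, algorithms and durations are constructed, not from the thread)."""
from dataclasses import dataclass

HOLD_DOWN = 30  # RFC 5011 add hold-down in days (assumed default; can be shortened)


@dataclass(frozen=True)
class Key:
    tag: int
    alg: int        # constructed: 8 = old algorithm, 13 = new algorithm
    ksk: bool
    revoked: bool = False


@dataclass(frozen=True)
class Phase:
    """One step of a plan: which keys are published and which tags sign what."""
    name: str
    days: int
    dnskeys: tuple
    dnskey_signers: frozenset   # tags whose RRSIG covers the apex DNSKEY RRset
    data_signers: frozenset     # tags whose RRSIG covers the rest of the zone


class Rfc5011Resolver:
    """Minimal RFC 5011 trust-anchor tracking: add hold-down and revocation."""

    def __init__(self, initial_ta, hold_down=HOLD_DOWN):
        self.valid = {initial_ta.tag: initial_ta}
        self.pending = {}           # tag -> (key, day first seen)
        self.hold_down = hold_down

    def observe(self, day, ph):
        # The DNSKEY RRset is only processed if a currently trusted key signs it
        if not any(t in self.valid for t in ph.dnskey_signers):
            return
        present = {k.tag for k in ph.dnskeys}
        for k in ph.dnskeys:
            if not k.ksk:
                continue
            if k.revoked and k.tag in self.valid and k.tag in ph.dnskey_signers:
                del self.valid[k.tag]           # revoked and self-signed: distrust it
            elif not k.revoked and k.tag not in self.valid and k.tag not in self.pending:
                self.pending[k.tag] = (k, day)  # start the add hold-down timer
        for tag, (k, seen) in list(self.pending.items()):
            if tag not in present:
                del self.pending[tag]           # key vanished: hold-down restarts
            elif day - seen >= self.hold_down:
                self.valid[tag] = k             # hold-down elapsed: new trust anchor
                del self.pending[tag]

    def validates(self, ph, profile):
        present = {k.tag: k for k in ph.dnskeys}
        trusted = [t for t in self.valid if t in present and not present[t].revoked]
        if not any(t in ph.dnskey_signers for t in trusted):
            return False
        if not any(k.tag in ph.data_signers for k in ph.dnskeys if not k.ksk):
            return False
        if profile == "strict":    # every trust-anchor algorithm must sign DNSKEY
            ta_algs = {present[t].alg for t in trusted}
            sig_algs = {present[t].alg for t in ph.dnskey_signers if t in present}
            return ta_algs <= sig_algs
        if profile == "no_mixed":  # KSK and ZSK algorithm sets must agree
            return ({k.alg for k in ph.dnskeys if k.ksk}
                    == {k.alg for k in ph.dnskeys if not k.ksk})
        return True                # "lenient": one valid chain is enough


K1, Z2 = Key(1, 8, True), Key(2, 8, False)      # old KSK / ZSK
K3, Z4 = Key(3, 13, True), Key(4, 13, False)    # new KSK / ZSK
K1R = Key(1, 8, True, revoked=True)
fs = frozenset
WAIT = HOLD_DOWN + 2      # publish long enough for the hold-down to elapse

PLANS = {
    "1 KSK flag day": [
        Phase("pre-publish", WAIT, (K1, Z2, K3), fs({1}), fs({2})),
        Phase("flag day", 3, (K1, Z2, K3), fs({3}), fs({2})),
        Phase("revoke", 3, (K1R, Z2, K3), fs({1, 3}), fs({2})),
        Phase("remove", 3, (Z2, K3), fs({3}), fs({2})),
    ],
    "2 KSK double-sig": [
        Phase("pre-publish", WAIT, (K1, Z2, K3), fs({1, 3}), fs({2})),
        Phase("revoke", 3, (K1R, Z2, K3), fs({1, 3}), fs({2})),
        Phase("remove", 3, (Z2, K3), fs({3}), fs({2})),
    ],
    "3 KSK+ZSK double-sig": [
        Phase("pre-publish", WAIT, (K1, Z2, K3, Z4), fs({1, 3}), fs({2, 4})),
        Phase("revoke", 3, (K1R, Z2, K3, Z4), fs({1, 3}), fs({2, 4})),
        Phase("remove", 3, (K3, Z4), fs({3}), fs({4})),
    ],
}


def failing_phases(plan, profile, hold_down=HOLD_DOWN):
    """Names of the phases in which a resolver of this profile fails on some day."""
    r = Rfc5011Resolver(K1, hold_down)
    failed, day = [], 0
    for ph in plan:
        for _ in range(ph.days):
            r.observe(day, ph)
            if not r.validates(ph, profile) and ph.name not in failed:
                failed.append(ph.name)
            day += 1
    return failed


if __name__ == "__main__":
    for name, plan in PLANS.items():
        for profile in ("lenient", "strict", "no_mixed"):
            print(f"{name:22} {profile:9} fails in: {failing_phases(plan, profile)}")
```

Run as is, the lenient resolver accepts all three plans. The strict resolver rejects plan 1 from the day it promotes the new KSK to a trust anchor until double signatures appear in the revoke step, which is the window the quoted report warns about; plans 2 and 3 keep a signature of every trusted algorithm throughout. The no_mixed resolver rejects plans 1 and 2 permanently, because a KSK-only roll leaves the ZSK on the old algorithm, and only plan 3 ends in a single-algorithm zone.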