1 / 11

Trust Anchor Update

Trust Anchor Update. draft-stjohns-dnssec-trustupdate-01.txt Mike StJohns 2 August 2004. Outline. Definitions Design Goals State Diagram Example. Definitions. Trust Point – A specific point on the DNS tree that a resolver treats as an origin of trust.

leland
Download Presentation

Trust Anchor Update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Trust Anchor Update draft-stjohns-dnssec-trustupdate-01.txt Mike StJohns 2 August 2004

  2. Outline • Definitions • Design Goals • State Diagram • Example

  3. Definitions • Trust Point – A specific point on the DNS tree that a resolver treats as an origin of trust. • Trust Anchor – A specific DNSKEY located at a trust point

  4. Design Goals • Survive an N-1 key compromise (where N is the number of trust anchors at a trust point) • Minimize other attacks (e.g. add of new keys by compromiser) • Ensure common state at resolvers assuming resolvers query the DNSKEY RRSet in defined time.

  5. Resolver Trust Anchor State Machine NB: Differs slightly from ID version!

  6. Resolver Trust Anchor State Table -------------------------------------------------- FROM |Start |AddPend |Valid |Missing|Revoked|Removed| ---------------------------------------------------------- Start | |NewKey | | | | | ---------------------------------------------------------- AddPend |KeyRem | |AddTime| | | ---------------------------------------------------------- Valid | | | |KeyRem |Revbit | | ---------------------------------------------------------- Missing | | |KeyPres| |Revbit | | ---------------------------------------------------------- Revoked | | | | | |RemTime| ---------------------------------------------------------- Removed | | | | | | | ----------------------------------------------------------

  7. Example- Adding A Trust Anchor Assume an existing trust anchor key 'A'. • Generate a new key pair. • Create a DNSKEY record from the key pair and set the SEP and Zone Key bits. • Add the DNSKEY to the RRSet. • Sign the DNSKEY RRSet ONLY with the existing trust anchor key - 'A'. • Wait a while.

  8. Example - Deleting a Trust Anchor Assume existing trust anchors 'A' and 'B' and that you want to revoke and delete 'A'. • Set the revocation bit on key 'A'. • Sign the DNSKEY RRSet with both 'A' and 'B'. 'A' is now revoked. The operator SHOULD include the revoked 'A' in the RRSet for at least the remove hold-down time, but then may remove it from the DNSKEY RRSet.

  9. 5.3 Key Roll-Over Assume existing keys A and B. 'A' is actively in use (i.e. has been signing the DNSKEY RRSet.) 'B' was the stand-by key. (i.e. has been in the DNSKEY RRSet and is a valid trust anchor, but wasn't being used to sign the RRSet.) • Generate a new key pair 'C'. • Add 'C' to the DNSKEY RRSet. • Set the revocation bit on key 'A'. • Sign the RRSet with 'A' and 'B'. 'A' is now revoked, 'B' is now the active key, and 'C' will be the stand-by key once the hold-down expires. The operator SHOULD include the revoked 'A' in the RRSet for at least the remove hold-down time, but may then remove it from the DNSKEY RRSet.

  10. Example – Active Key Compromised This is the same as the mechanism for Key Roll-Over above assuming 'A' is the active key.

  11. Example – Stand-by Key Compromised Using the same assumptions and naming conventions as Key Roll-Over above: • Generate a new key pair 'C'. • Add 'C' to the DNSKEY RRSet. • Set the revocation bit on key 'B'. • Sign the RRSet with 'A' and 'B'. 'B' is now revoked, 'A' remains the active key, and 'C' will be the stand-by key once the hold-down expires. 'B' SHOULD continue to be included in the RRSet for the remove hold-down time.

More Related