key-signing key flag [1] & wildcard-optimization [2]
DESCRIPTION
key-signing key flag [1] & wildcard-optimization [2]. Olaf Kolkman [1] with Jakob Schlyter [2] with Johan Ihren and Roy Arends. Key Signing Key (KSK) Flag. draft-ietf-dnsext-keyrr-key-signing-flag-03 with Jakob Schlyter. The Gist. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/1.jpg)
1Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/
key-signing key flag [1]
&wildcard-optimization [2]
Olaf Kolkman[1] with Jakob Schlyter
[2] with Johan Ihren and Roy Arends
![Page 2: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/2.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 2
Key Signing Key (KSK) Flag
draft-ietf-dnsext-keyrr-key-signing-flag-03
with Jakob Schlyter
![Page 3: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/3.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 3
The Gist
• Operational need to distinguish between key-singing keys and zone-signing keys.
• Not used in the protocol and verification process but useful for troubleshooting and key exchanges.
• Use the 15th bit so that the parity determines the ‘role’ of the key, that’s for us… humans.
![Page 4: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/4.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 4
Example
Before:net 300 IN KEY 256 3 5 Ox1tVxw+j...
300 IN KEY 256 3 5 OTxq2ce5J...
After:
net 300 IN KEY 256 3 5 Ox1tVxw+j...
300 IN KEY 257 3 5 OTxq2ce5J...
KSK
![Page 5: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/5.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 5
What’s next
• Final update and last call?
![Page 6: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/6.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 6
DNSSEC Wildcard Optimization
draft-olaf-dnsext-dnssec-wildcard-optimization-01
with Johan Ihren and Roy Arends
![Page 7: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/7.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 7
Background
– Assumption: One needs proof for non-existence of a wildcards.
– The proof is to be supplied in the common case where there is no wildcard in a zone.
– That proof is complicated and somewhat expensive in terms of computational resources and packet size.
– Is there a way to signal that there is no wildcard in a zone?
![Page 8: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/8.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 8
Very common case
• Root will need to proof that *. does not exist.
• As an aside:– Some people love the idea of a wildcard
at the root
![Page 9: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/9.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 9
The proposal
• Use a bit in the NXT RRs type bitmap to signal non-existence of wildcards
• The meaning: There is no wildcard expansion possible of any name in the zone’s namespace spanned by a NXT RR.
• Simplest algorithm to set the bit:– Turn it on on all NXT RRs in the zone if there are no
wildcards in the zone– Turn it of on all NXT RRs in the zone if there is any
wildcard in the zone
![Page 10: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/10.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 10
Server side
• If the NXT RR proving the non-existence of an exact match has the bit set then no further NXT RRs are needed.
• If the bit is not set on that NXT RR a full denial of existence needs to be served.
![Page 11: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/11.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 11
Resolvers Side
• When bit is set on the NXT RR proving the denial of existence of the QNAME, no further proof is needed;
• Full RFC2535 type proof of non existence is to be expected and processed if the bit is not set.
![Page 12: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/12.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 12
Pros and ConsPro:• Shortcut to a simple and fast code path for server
and resolver in the case there are no wildcards.• Smaller footprint on the wire and in caches.
Con:• Although bypassed in the ‘common case; the
complicated verification code is still needed. • Special meaning of type bitmap bit:
– RR type code without RR.– Backwards incompatible (needs to piggyback on DS flag
date)
![Page 13: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/13.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 13
Current version of doc.
• The suggested algorithm for setting the bit contains an error – Details will be posted to namedroppers
• Clarifications are needed
![Page 14: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/14.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 14
What’s next
• Update the draft
• Does the working group think this is a sane path.
General comment:• DNSSEC protocol specs need to describe
algorithm for denial of authentication of wildcards– If not, resolver implementers will do it wrong.– No need for more than 2 NXT RRs? (Give me an
example that needs more.)
![Page 15: key-signing key flag [1] & wildcard-optimization [2]](https://reader036.vdocuments.net/reader036/viewer/2022062518/568143fa550346895db08ede/html5/thumbnails/15.jpg)
Olaf M. Kolkman . IETF55, November 2002, Atlanta GA . http://www.ripe.net/disi/ 15
Questions???
• http://www.ripe.net/disi• [email protected]