[ksk-rollover] Suggested update to the key ceremonies.

Michael StJohns msj at nthpermutation.com
Wed Feb 21 20:24:47 UTC 2018

On 2/21/2018 2:40 PM, Wessels, Duane wrote:
>> On Feb 21, 2018, at 2:28 PM, Geoff Huston <gih at apnic.net> wrote:
>>> So my base point is - don't try to fix the wrong problem.  Key tags are what they are and will remain as such.  With 16 bits, collisions are inevitable at some point and may actually occur *after* the keys are generated (- revoked keys).  Fix 8145 and KSK sentinel instead.
>>> (And by the way - does any of the 8145 or KSK sentinel implementations correctly match a revoked key with its unrevoked brother?)
>> I don't understand this question Mike - particularly “unrevoked brother” - could you describe in a little more detail what you are referring to here?
> Setting the revoke bit on a key changes its keytag.  Mike seems to be suggesting that maybe a query/signal for an unrevoked key should also match the revoked key.
> I'd say it should not in these cases.  Revoked keys should not be part of the trust anchor set and should not be matched.
> DW

Close to what I was thinking - but its more whether you can identify  a 
revoked key that *was* a trust anchor where you're trying to figure out 
the state of the trust anchors for a particular resolver.  5011 says to 
hang on to revoked keys for a bit  (remove hold down time) in the trust 
anchor store and depending on whether or not implementers followed that 
guidance you might be getting weird results.  (Note - I have not read 
either of the two documents deeply so this is more of a "have you 
considered" rather than a pointer to a bad situation.)

You may also want to consider the the situation of  Root DNSKEY RRset = 
{ Knew, Revoked(Kold)}   and where KeyTag(Knew) == KeyTag 
(Revoked(Kold)).    During the time that you're recording the revocation 
of KOld, there will be two RRSigs over the DNSKEY RRSet both with the 
same key tag - one by Kold and one by Knew

I don't know what that does for the various schemes, but is a condition 
that's possible.

Reviewing the key tag calculation - this is a basically the  sum of the 
key bytes expressed as big endian shorts with the carry bits added back 
in and masked to 16 bits.    I would have to run some simulations, but I 
would expect the values to have a bias of some amount - so not maybe a 1 
in 64K chance of collision.

*bleah* Mike

More information about the ksk-rollover mailing list