IETF Logo Mail Archive

Re: [Add] some background on split DNS with DNSSEC

Ben Schwartz <bemasc@google.com> Thu, 11 November 2021 12:09 UTC

Return-Path: <bemasc@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B56633A0E7C for <add@ietfa.amsl.com>; Thu, 11 Nov 2021 04:09:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hz5ABYP_8DmW for <add@ietfa.amsl.com>; Thu, 11 Nov 2021 04:09:10 -0800 (PST)
Received: from mail-ua1-x929.google.com (mail-ua1-x929.google.com [IPv6:2607:f8b0:4864:20::929]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E050C3A0E84 for <add@ietf.org>; Thu, 11 Nov 2021 04:09:09 -0800 (PST)
Received: by mail-ua1-x929.google.com with SMTP id l24so7064594uak.2 for <add@ietf.org>; Thu, 11 Nov 2021 04:09:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DQfgDxZXOyECDIEuUL5fpGBAt809sDO5lHJXvYr5loQ=; b=mpcP1adjAkmETq8DhABMS2IjzFO5z7Z9hZ1252ojufVcuUOSUZOMleBkkGulyHI4YP +hQWPxGWCzp63b1o32SWwuUmgwLu8//Y9PONOoRoK4mTMm9DI9MPUZE7tISGt6QIjESL rFPkEnHYQ/Vg6H/vYq0vh2kz3nlNRI3kgj8B4Md8nEAfUwf7it9U37qXabttPqaXrfTF oYRDjp8G8iSV2seUsTsaWvwrrfWbxok7AHdREvMJ24AgZ9E5dwzyB7d+Ub7sHtznJBF0 PyEpQ/G3Eimf8GcTGnxhu+H80swhy4KqrM0qrABjKRvAgkU0/snKlD5I4YXDcvA1jrjX 1lYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DQfgDxZXOyECDIEuUL5fpGBAt809sDO5lHJXvYr5loQ=; b=NeqOvW9homoY+qLIftb5uqnexUyThCkyGT2CCGjaXsVRrBIkQUNIOp8LPpzSfzvwyB 7E7bTJG2+ksyRI1G/bIkGBjdvFt9YAYsIJfwji3rfgRHeKMhCFnBflwSlpdYz8Svs42k xv0rQ5px+yzgyn8RMbLvMkQfB5+S87elUeXGDmTwYtNquD4Lq24Vjx3fDbV44hVTt8tY e9Dm1DuAQPbZvuGeGlxLWbdn11cKgLUHygGMNkjWpvDMAtamywBEP3xEylm/aGMT/yXY NRHpmd8XlOYCyxrX7fcs9SFg6t9vEufGduioTOtIK2JZqakJiUJh49UDBT/BG3qxBT7M n6JA==
X-Gm-Message-State: AOAM531vlnOL/wfnvDrbcyd3N1/lb3X23ii4aE0dpUKBJGkq61t+kBz9 MXd6A4MYQApX5KRkrpTq3SqIi03h+J0+VWtUab8FH6wUNaU=
X-Google-Smtp-Source: ABdhPJw6ExFkOdByjiJIi18xklwvV0S9Je+ip6TboekqhcRt0j+/XZwJCpDX6YhinrI02hEhOEF+Z3jeb+iGYnHvCfY=
X-Received: by 2002:ab0:750c:: with SMTP id m12mr9657135uap.119.1636632546601; Thu, 11 Nov 2021 04:09:06 -0800 (PST)
MIME-Version: 1.0
References: <DD51ECDC-9787-4DEB-A2AF-39C3CF2ABEE8@nbcuni.com> <A3966F94-86DA-436A-903F-94724D3B5833@gmail.com> <CAHbrMsCdEhgeJOZd9JNqT3DMgQyoFEhhDBD3CbPDSy8Z8wkngg@mail.gmail.com> <CAFpG3gec8YH3Lh_BTgs2HO0H=Tsbs1vgGzc2j-og3dPxVd9wYg@mail.gmail.com>
In-Reply-To: <CAFpG3gec8YH3Lh_BTgs2HO0H=Tsbs1vgGzc2j-og3dPxVd9wYg@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Thu, 11 Nov 2021 07:08:55 -0500
Message-ID: <CAHbrMsBGuDVyq_ro0zuJ+6gUne=Dd_p4uTgJFjvA9du_dTA-cA@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
Cc: Dan Wing <danwing@gmail.com>, "add@ietf org" <add@ietf.org>, "Deen, Glenn" <Glenn_Deen@comcast.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000aced8905d082354f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/IRQkKPsZACTOVFf8uTBOVm3jfS0>
Subject: Re: [Add] some background on split DNS with DNSSEC
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Nov 2021 12:09:15 -0000

On Thu, Nov 11, 2021 at 1:01 AM tirumal reddy <kondtir@gmail.com> wrote:

> On Thu, 11 Nov 2021 at 01:18, Ben Schwartz <bemasc=
> 40google.com@dmarc.ietf.org> wrote:
>
>>
>>
>> On Wed, Nov 10, 2021 at 12:43 PM Dan Wing <danwing@gmail.com> wrote:
>>
>>> On item 3,
>>>
>>> We could use DNSSEC to prove the PvD dnsZones is truthful to avoid
>>> asking the same question of the public DNS.
>>>
>>> However, we already need IPv6 (for RFC8801's PvD) and adding a DNSSEC
>>> requirement means we are deeper in the "room of non-deployability", a
>>> dreaded space for our D&D character.  That's why split-dns queries the
>>> public DNS:  the procedure in split-dns establishes a *similar* proof of
>>> domain ownership as DNSSEC could have provided.
>>>
>>
>> I think the right approach for this draft is to say that the client
>> should acquire independent confirmation of the delegation's validity before
>> proceeding, and not get too specific about how it should do that.  Valid
>> client behaviors should include:
>> * Send the NS query through the network's resolver and require a valid
>> DNSSEC signature chain**.
>> * Send the NS query through a trusted third-party resolver over a secure
>> channel.
>>
>
> Yes, first try DNSSEC and if it fails, fallback to a third-party resolver
> for the dnsZones domains. It allows the network admin to either deploy
> DNSSEC for split-horizon domains or use the existing mechanism proposed in
> the draft depending on the operational feasibility. It will also work for
> clients not validating DNSSEC. We will update the draft.
>

The group is not chartered to specify client or network operator resolver
selection policy, so I don't think it is a good idea to try to specify this
in the draft.  In my view, the important thing is to provide the mechanism
(normative) and inform each party of the relevant security considerations.


> * Same as above but requiring AD=1 in the response.
>> * Perform full iterative resolution for this NS query, requiring DNSSEC.
>>
>
> Please clarify the need for the above two mechanisms.
>

The first is effectively "delegated DNSSEC validation".  This is useful for
a client whose threat model includes network attackers on the public
internet, if it doesn't want to implement full DNSSEC validation locally.

The second is a valid client behavior.  It will work, and under our charter
we can't rule it out.  It also might work better in practice than
DNSSEC-via-network-resolver because stub-side DNSSEC validation is
nontrivial due to the need for chain walking.

v2.23.0 | Report a Bug | By Email