IETF Logo Mail Archive

Re: [Add] some background on split DNS with DNSSEC

tirumal reddy <kondtir@gmail.com> Fri, 12 November 2021 07:38 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1347A3A1334 for <add@ietfa.amsl.com>; Thu, 11 Nov 2021 23:38:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xtUY74HefY3U for <add@ietfa.amsl.com>; Thu, 11 Nov 2021 23:38:19 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 390983A1330 for <add@ietf.org>; Thu, 11 Nov 2021 23:38:19 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id 13so16880983ljj.11 for <add@ietf.org>; Thu, 11 Nov 2021 23:38:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=x8RsQ5Hqg+X3qYQCSOR9i5O9PUGdf7PGFxzxetWDwpc=; b=jkEygHZJsngbw+nvzwyhZi/E66T38Dxn0Ef6gD8Cul9qlzqQlf0M/EkhKT8K12pcBo mvoEqD8LPOWoyYHqNboVJXjZNFhCDfbUoXJwOF+9PkT5NeK3W5oTDUREJsHt36j/+b94 ukWMK/3qv8MeeLp1jMP8+xQZreAAgAd29pczz43uZvfKO/YEhpfCKfdw5hG0AI433JeT jvTvoi3tuK8CBkU4FRPKTeGJngkHtyjgSxMaCqG0IkitkShtrgqzUhCwT36z+W7YNkb/ 5XW9lTNQNpd99Fnda7XrG9rmLY56LcIk6hVCbkNMnqVeUklapTHbxC6UmMkEjdN3cODX 4VMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=x8RsQ5Hqg+X3qYQCSOR9i5O9PUGdf7PGFxzxetWDwpc=; b=IDB3PoucG/NHiqb/EoWDs1CQRrzuvRkYdopE4GI1PYXhK+ClaRHljRO/qahs4gpzlA ypzrZyH0DvWIf1ZhrGP1EIP3Aeo/OGuHaP3TudsuvK8KY7REVbPn4GyO73alKMNfgDBp k/P+TkJr4J6kUhg6hVhweShbl+Hl95hZ4p4B/9SiY76bGHmHcmMotY/vhwPDxsQ7C5pY UTYNf2jq9rEFhQjXdgQxSIUsBmGj1AK+lOe8OIs/n1miHwfJdAdaQzQhS4Kwks/+vuB7 byLT6hhFBqp+HGiKPHYI+PDIQvhZhdkwJY25PRBb0MoLdWCLXRcXOnmPw6DEr+U2fcyw Vsyg==
X-Gm-Message-State: AOAM530SQXlc86RFJRtcN4NcCnzUw8Msjc3TxKi1AiDzD7zUtH8GCY0k c5aH5Y8kiEGzrIqktpBZNejr4k5RbsZahoYHgeY=
X-Google-Smtp-Source: ABdhPJxH2sG7Ug9rf2qcVOYRAYNmPZl/96QXJJbaz2e5iwYHvWG6ZUwJ1l9sZxyVqnI5RD8QI6eRQ1iT1bWkpYEh9ck=
X-Received: by 2002:a2e:92c4:: with SMTP id k4mr13340439ljh.271.1636702696207; Thu, 11 Nov 2021 23:38:16 -0800 (PST)
MIME-Version: 1.0
References: <DD51ECDC-9787-4DEB-A2AF-39C3CF2ABEE8@nbcuni.com> <A3966F94-86DA-436A-903F-94724D3B5833@gmail.com> <CAHbrMsCdEhgeJOZd9JNqT3DMgQyoFEhhDBD3CbPDSy8Z8wkngg@mail.gmail.com> <CAFpG3gec8YH3Lh_BTgs2HO0H=Tsbs1vgGzc2j-og3dPxVd9wYg@mail.gmail.com> <CAHbrMsBGuDVyq_ro0zuJ+6gUne=Dd_p4uTgJFjvA9du_dTA-cA@mail.gmail.com>
In-Reply-To: <CAHbrMsBGuDVyq_ro0zuJ+6gUne=Dd_p4uTgJFjvA9du_dTA-cA@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 12 Nov 2021 13:08:05 +0530
Message-ID: <CAFpG3ge+ZO-7-fMy_o_jujAvrPAqNJCcWkEfxKscoOYvs=L-Sw@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Cc: Dan Wing <danwing@gmail.com>, "add@ietf org" <add@ietf.org>, "Deen, Glenn" <Glenn_Deen@comcast.com>
Content-Type: multipart/alternative; boundary="000000000000cf779205d0928ae7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/QLi2mUhK8eIJvVkorlw8VHJLBPU>
Subject: Re: [Add] some background on split DNS with DNSSEC
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2021 07:38:24 -0000

On Thu, 11 Nov 2021 at 17:39, Ben Schwartz <bemasc@google.com> wrote:

>
>
> On Thu, Nov 11, 2021 at 1:01 AM tirumal reddy <kondtir@gmail.com> wrote:
>
>> On Thu, 11 Nov 2021 at 01:18, Ben Schwartz <bemasc=
>> 40google.com@dmarc.ietf.org> wrote:
>>
>>>
>>>
>>> On Wed, Nov 10, 2021 at 12:43 PM Dan Wing <danwing@gmail.com> wrote:
>>>
>>>> On item 3,
>>>>
>>>> We could use DNSSEC to prove the PvD dnsZones is truthful to avoid
>>>> asking the same question of the public DNS.
>>>>
>>>> However, we already need IPv6 (for RFC8801's PvD) and adding a DNSSEC
>>>> requirement means we are deeper in the "room of non-deployability", a
>>>> dreaded space for our D&D character.  That's why split-dns queries the
>>>> public DNS:  the procedure in split-dns establishes a *similar* proof of
>>>> domain ownership as DNSSEC could have provided.
>>>>
>>>
>>> I think the right approach for this draft is to say that the client
>>> should acquire independent confirmation of the delegation's validity before
>>> proceeding, and not get too specific about how it should do that.  Valid
>>> client behaviors should include:
>>> * Send the NS query through the network's resolver and require a valid
>>> DNSSEC signature chain**.
>>> * Send the NS query through a trusted third-party resolver over a secure
>>> channel.
>>>
>>
>> Yes, first try DNSSEC and if it fails, fallback to a third-party resolver
>> for the dnsZones domains. It allows the network admin to either deploy
>> DNSSEC for split-horizon domains or use the existing mechanism proposed in
>> the draft depending on the operational feasibility. It will also work for
>> clients not validating DNSSEC. We will update the draft.
>>
>
> The group is not chartered to specify client or network operator resolver
> selection policy, so I don't think it is a good idea to try to specify this
> in the draft.  In my view, the important thing is to provide the mechanism
> (normative) and inform each party of the relevant security considerations.
>

Works for me.


>
>
>> * Same as above but requiring AD=1 in the response.
>>> * Perform full iterative resolution for this NS query, requiring DNSSEC.
>>>
>>
>> Please clarify the need for the above two mechanisms.
>>
>
> The first is effectively "delegated DNSSEC validation".  This is useful
> for a client whose threat model includes network attackers on the public
> internet, if it doesn't want to implement full DNSSEC validation locally.
>

Okay.


>
> The second is a valid client behavior.  It will work, and under our
> charter we can't rule it out.  It also might work better in practice than
> DNSSEC-via-network-resolver because stub-side DNSSEC validation is
> nontrivial due to the need for chain walking.
>

I don't get how iterative resolution is better for the stub resolver than
the typical recursive mode.

-Tiru

v2.23.0 | Report a Bug | By Email