IETF Logo Mail Archive

Re: [Add] some background on split DNS with DNSSEC

Ben Schwartz <bemasc@google.com> Wed, 10 November 2021 19:48 UTC

Return-Path: <bemasc@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 714A13A12F7 for <add@ietfa.amsl.com>; Wed, 10 Nov 2021 11:48:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.6
X-Spam-Level:
X-Spam-Status: No, score=-17.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mXsb4rWO1BO1 for <add@ietfa.amsl.com>; Wed, 10 Nov 2021 11:48:03 -0800 (PST)
Received: from mail-ua1-x929.google.com (mail-ua1-x929.google.com [IPv6:2607:f8b0:4864:20::929]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0D143A12F8 for <add@ietf.org>; Wed, 10 Nov 2021 11:48:02 -0800 (PST)
Received: by mail-ua1-x929.google.com with SMTP id o26so7211471uab.5 for <add@ietf.org>; Wed, 10 Nov 2021 11:48:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EedsouI3Rg01XaruZLXVujHPCsEF6vjqTQYTUwVEY30=; b=hK2Ip+vG6PpoEw265+9nTNW7/fRTLdJ+pcYOWWp1h7M0RZbBHrWQnSHJiVnIotcknV Ct3JOXkTLIRYQuNJRGzKaTPKpKHHY3JWAtlmg+OmD1d8EtNflLIK2A3cBB6ADCofJTJM zBeiZiAcjDd8n+BHQaSk9kkIW6lEuagt3Jcv8omfT7I0975JNWNrK5zMq0h6eHFzOX+x ulHxG/FcKkQWX+nCgaHPmQaIBi8P45l/rKr406oafVXyh6bSNCTccDPzVgHzIlXW/Ik/ CN3VpvHj5mulo/MqI747VyJK7g8rtzQGhBN0T9ZdzQxy69P+jXVYhGmJjWzNFVaGGjfv fCZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EedsouI3Rg01XaruZLXVujHPCsEF6vjqTQYTUwVEY30=; b=8CpbGMk1V89DmoSwuNO9bifafkE6UQQakLefFEf5tcHz8TjFTb2xTNB1FtwoiWnrqQ b7tbubTjkisSEnrKNdCdq97aWFvAJOOSYz1jfzRXeqMtXcQdv2aBfIaV6kwRd5KVdvuv Ckbkj78rDQP0Oy/sPJaI9SFqPAvFchnPWDs+9TisBNhPB1ZpVg8IJxeJut6v4X+nSZws XwPYdjIcm64g0S8ovWHzN0PnPIt8OOfCgd1bYfXoUMTkrHkEgLXzprE+XUaLUvQ2uH32 DoxGQ1YKvmJt2KaQxfFtE6ezC2EJL7YEV8Z0A7H2lUojp36ZrpJoye6JCnwop3/EtduA BwUg==
X-Gm-Message-State: AOAM531a90m3H0MqTW9Mz0mCr/NRRb34t5SQvMaccDDZtpFrGOn50vzc pacREJqVPaDTqz0AVKV/yOTJ2KkHFqV6qL8m40Hg8Q==
X-Google-Smtp-Source: ABdhPJzTbbpD3EF62zeT7Em4zZ+CztzIiX3Swx+9tzD9vuofJ2oDVeSS6b6Iv3jOFxe2/NCJigOyl7I4p7WiVSYGD1Y=
X-Received: by 2002:a67:e90d:: with SMTP id c13mr2163694vso.12.1636573680802; Wed, 10 Nov 2021 11:48:00 -0800 (PST)
MIME-Version: 1.0
References: <DD51ECDC-9787-4DEB-A2AF-39C3CF2ABEE8@nbcuni.com> <A3966F94-86DA-436A-903F-94724D3B5833@gmail.com>
In-Reply-To: <A3966F94-86DA-436A-903F-94724D3B5833@gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 10 Nov 2021 14:47:49 -0500
Message-ID: <CAHbrMsCdEhgeJOZd9JNqT3DMgQyoFEhhDBD3CbPDSy8Z8wkngg@mail.gmail.com>
To: Dan Wing <danwing@gmail.com>
Cc: "Deen, Glenn" <Glenn_Deen=40comcast.com@dmarc.ietf.org>, "add@ietf org" <add@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000ead61905d0748028"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/YbdRHzunYP9ny0B1HAjSLPwKkMs>
Subject: Re: [Add] some background on split DNS with DNSSEC
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2021 19:48:06 -0000

On Wed, Nov 10, 2021 at 12:43 PM Dan Wing <danwing@gmail.com> wrote:

> On item 3,
>
> We could use DNSSEC to prove the PvD dnsZones is truthful to avoid asking
> the same question of the public DNS.
>
> However, we already need IPv6 (for RFC8801's PvD) and adding a DNSSEC
> requirement means we are deeper in the "room of non-deployability", a
> dreaded space for our D&D character.  That's why split-dns queries the
> public DNS:  the procedure in split-dns establishes a *similar* proof of
> domain ownership as DNSSEC could have provided.
>

I think the right approach for this draft is to say that the client should
acquire independent confirmation of the delegation's validity before
proceeding, and not get too specific about how it should do that.  Valid
client behaviors should include:
* Send the NS query through the network's resolver and require a valid
DNSSEC signature chain**.
* Send the NS query through a trusted third-party resolver over a secure
channel.
* Same as above but requiring AD=1 in the response.
* Perform full iterative resolution for this NS query, requiring DNSSEC.
* etc.

If a network signs their domains, any participating clients will accept the
delegation.  Otherwise, some compliant clients might ignore the instruction
because it fails their validity check.  That seems fine to me.  Many
clients won't implement this at all, so operators already can't rely on it
unless they have knowledge of a specific client's behavior.

**This is harder than it sounds due to chain-walking, loose consistency,
etc.

v2.23.0 | Report a Bug | By Email