IETF Logo Mail Archive

Re: [Add] some background on split DNS with DNSSEC

Ben Schwartz <bemasc@google.com> Fri, 12 November 2021 15:38 UTC

Return-Path: <bemasc@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09CDA3A0C34 for <add@ietfa.amsl.com>; Fri, 12 Nov 2021 07:38:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.6
X-Spam-Level:
X-Spam-Status: No, score=-17.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e5ujJMAzs3kF for <add@ietfa.amsl.com>; Fri, 12 Nov 2021 07:38:53 -0800 (PST)
Received: from mail-ua1-x92f.google.com (mail-ua1-x92f.google.com [IPv6:2607:f8b0:4864:20::92f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2B9E3A0C17 for <add@ietf.org>; Fri, 12 Nov 2021 07:38:52 -0800 (PST)
Received: by mail-ua1-x92f.google.com with SMTP id y5so1700218ual.7 for <add@ietf.org>; Fri, 12 Nov 2021 07:38:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jqTYyByhD4e5kaQWJ7E1HWV5D0Zd25gWitV6ZYtCLi0=; b=KWZnRhu7zmovclq58K5jEujrMR0BSK8I5hLpe1TadauFkUja0ZJZxrNkYGqrMJs1JL BcFOFaKAi7WkJMpvzWSuxLDUrrYY7c1xAp+RmP8KxqUmkpKlpu6XrpkFHOf9TE2M+4Qd H7W/4oN8/J/n1Y6xZL0pe/EMb1rmOQzHBNsMel9CfdI3SbZ1WRLMhgw7+RHKDP2eiApQ HDO1opqL//YrrpnpuyNIVLSErYwWI20ma5+Yfzxfky/k9nx1gw7ooN2eam1kD8blhjav iRVK0+5tvcBjiNp7/l1bEeSs4zQ8fQAaLXwmawBA4erAa8DPOI4VP2Elm+RK3kpF+Wuf iK1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jqTYyByhD4e5kaQWJ7E1HWV5D0Zd25gWitV6ZYtCLi0=; b=iHeuSTLqKtKXsyaGkbtpgvxgpjrBl9IzDVVSf2Y1gGsAvyfZ+AGaH0KRUHNKSMLtiP ot84C4mrWFpGMQgFlqMMWVwBUObv+Zp4iCQRRlK2HX3UNG/TS8anjQHEm68lSkoeEVBx nrErtc3xuFG3oDkJHCT5Z336tg07eul5sqq6UJnM41Bax4PbIrsT1/4l7HQ3hmPQhGON CM3pvEJh2jRYJm49XaJKey939NEt9zXQQGrxc7BOffq4C+f3ru2akjMeU45zQ4fQmH32 /k0HpjehH9J8E8t71W3sQ2zg16MIKk9TuRrMXgNFKq9D60H+tKTVVtJWcva19BX7j/+G +mcw==
X-Gm-Message-State: AOAM533e/sNNHcdr9WCGXZmcFfZxXFFzdrA4pqO8xeV0wy0IEkcwwLBw A6K+TjvUAQxPNKqSr7YBWpRuc3ON/yE2pgXBNxpeqw==
X-Google-Smtp-Source: ABdhPJwpWMs3tHNdc11hBuviKKJTH6rLpNmrrdIu07gafQVyIexv6GlsJ+ubcO5glhYaA0dXs9VCHalB+MQ122ZETDE=
X-Received: by 2002:ab0:6e91:: with SMTP id b17mr25122211uav.7.1636731530512; Fri, 12 Nov 2021 07:38:50 -0800 (PST)
MIME-Version: 1.0
References: <DD51ECDC-9787-4DEB-A2AF-39C3CF2ABEE8@nbcuni.com> <A3966F94-86DA-436A-903F-94724D3B5833@gmail.com> <CAHbrMsCdEhgeJOZd9JNqT3DMgQyoFEhhDBD3CbPDSy8Z8wkngg@mail.gmail.com> <CAFpG3gec8YH3Lh_BTgs2HO0H=Tsbs1vgGzc2j-og3dPxVd9wYg@mail.gmail.com> <CAHbrMsBGuDVyq_ro0zuJ+6gUne=Dd_p4uTgJFjvA9du_dTA-cA@mail.gmail.com> <CAFpG3ge+ZO-7-fMy_o_jujAvrPAqNJCcWkEfxKscoOYvs=L-Sw@mail.gmail.com>
In-Reply-To: <CAFpG3ge+ZO-7-fMy_o_jujAvrPAqNJCcWkEfxKscoOYvs=L-Sw@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Fri, 12 Nov 2021 10:38:39 -0500
Message-ID: <CAHbrMsAB+7HrNMWPL2sCtcmg2PXvKPs1SLheMfaRFDcm1UbwPQ@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
Cc: Dan Wing <danwing@gmail.com>, "add@ietf org" <add@ietf.org>, "Deen, Glenn" <Glenn_Deen@comcast.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000007c8ba005d0994199"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/yjfBI1BO9TKwLZ0Dc9HCziMBRWY>
Subject: Re: [Add] some background on split DNS with DNSSEC
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2021 15:39:01 -0000

On Fri, Nov 12, 2021 at 2:38 AM tirumal reddy <kondtir@gmail.com> wrote:

> On Thu, 11 Nov 2021 at 17:39, Ben Schwartz <bemasc@google.com> wrote:
>
...

> * Perform full iterative resolution for this NS query, requiring DNSSEC.
>>>>
>>>
>>> Please clarify the need for the above two mechanisms.
>>>
>>
>> The first is effectively "delegated DNSSEC validation".  This is useful
>> for a client whose threat model includes network attackers on the public
>> internet, if it doesn't want to implement full DNSSEC validation locally.
>>
>
> Okay.
>
>
>>
>> The second is a valid client behavior.  It will work, and under our
>> charter we can't rule it out.  It also might work better in practice than
>> DNSSEC-via-network-resolver because stub-side DNSSEC validation is
>> nontrivial due to the need for chain walking.
>>
>
> I don't get how iterative resolution is better for the stub resolver than
> the typical recursive mode.
>

There have occasionally been suggestions in this working group that clients
might want to run full resolvers locally for privacy reasons.  However, I
was specifically referring to the problem of resolving full DNSSEC chains
as a stub.  Resolvers do not ordinarily provide the full chain to the stub
(absent RFC 7901), so validation requires the stub to walk "up" the chain,
querying for DNSKEY and DS records.  This is not easy to do correctly and
is not available in most stub resolver implementations.  It may be simpler
for the client to walk "down" the chain using a standard iterative resolver
implementation.

v2.23.0 | Report a Bug | By Email