Re: [dane] CT for DNSSEC

"Paul Hoffman" <> Fri, 17 March 2017 18:20 UTC

From: "Paul Hoffman" <>
To: "Wei Chuang" <>
Date: Fri, 17 Mar 2017 11:20:06 -0700
Subject: Re: [dane] CT for DNSSEC

On 17 Mar 2017, at 9:31, Wei Chuang wrote:

> On Thu, Mar 16, 2017 at 10:25 AM, Paul Hoffman <> wrote:
>> On 16 Mar 2017, at 10:09, Wei Chuang wrote:
>>> I saw there was significant interest <> in exploring CT for DNSSEC back in 2014 of which a draft draft-zhang-trans-ct-dnssec <> was created. It seems to have quieted down since. I believe the motivation is still there which is to prevent a parent zone from potentially misbehaving and spoofing the child zone. Is there still interest in this? From the list archives, I can't see what the issues were though I'm guessing one of them was respecifying the DS resource record to use a SCT which might have caused compatibility concerns. (But please correct me if I'm wrong) Other than that, the draft seems pretty reasonable. Were there other concerns?
>> There were two separate issues that got conflated at the time:
>> - Seeing evidence that a parent had spoofed DNSSEC keys for a child. A transcript of the DS records in the parent is sufficient as long as the child doesn't have relying parties create islands of trust (which is relatively rare these days).
>> - Seeing evidence that a parent had spoofed any resource records for a child. A transcript of the NS records in the parents is a good start, although what is really needed is a transcript of everything that is seen for the child.
> Is this because you're worried about the parent removing evidence of for the child in the spoofing scenario?

No, this is because the parent can spoof any data for the child. It is 
unrelated to DNSSEC.

> If the parent tries to spoof with DNSSEC for the child I would assume that seeing the DS SCT's in the log, that is sufficient to find evidence of spoofing. That said I think it could be helpful to log NS as well for forensics.

Transcripts are useful even when the logged data is not cryptographic.

> One issue with logging all records seen is if webmail providers publish SMIMEA there will be a potentially overwhelming number of records logged, and a very large change rate.

Don't log what you can't log due to scale.

> Another issue is privacy of such records.

Sure, but there are unpredictable privacy issues with lots of DNS record 
data. It's not possible for us to predict what will and will not be 
considered private information now or in the future for anyone other 
than ourselves.

>> In both cases, having transcripts from various DNS looking glasses around the Internet would give greater assurance of the integrity of the transcript.
> I agree that would a good idea.

--Paul Hoffman
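Paul's first bullet (a transcript of the parent's DS records is enough to spot a parent publishing keys the child never authorised), as an added example that is not part of this thread: it recomputes the SHA-256 DS (RFC 4509 digest type 2) from the child's own DNSKEY records and flags any logged DS that none of the child's keys could have produced. The zone name, key bytes and transcript entries are constructed, not real data.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name (wire form) || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def expected_ds_set(owner: str, dnskeys):
    """Every (key tag, algorithm, digest type, digest) the child's keys can yield."""
    return {(key_tag(r), r[3], 2, ds_digest(owner, r)) for r in dnskeys}

def find_unexpected_ds(owner: str, dnskeys, logged_ds):
    """DS entries seen in the parent transcript that no child DNSKEY accounts for."""
    expected = expected_ds_set(owner, dnskeys)
    return [ds for ds in logged_ds if ds not in expected]

# Constructed sample: one KSK (flags 257, protocol 3, ECDSA P-256 = alg 13)
# with placeholder key bytes, and a transcript holding its DS plus a foreign one.
CHILD = "example."
KSK = dnskey_rdata(257, 3, 13, b"\xab" * 64)
CHILD_DNSKEYS = [KSK]
GENUINE_DS = (key_tag(KSK), 13, 2, ds_digest(CHILD, KSK))
FOREIGN_DS = (4242, 13, 2, "00" * 32)   # digest no child key produces
LOGGED_DS = [GENUINE_DS, FOREIGN_DS]

if __name__ == "__main__":
    for ds in find_unexpected_ds(CHILD, CHILD_DNSKEYS, LOGGED_DS):
        print("DS not derived from any child DNSKEY:", ds)
```

A transcript from several looking glasses, as the reply suggests, feeds the same check with one logged DS set per vantage point.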