IETF Logo Mail Archive

Re: [dane] Two additions to draft-york-dane-deployment-observations-00

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 08 November 2014 02:40 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE82A1A0145 for <dane@ietfa.amsl.com>; Fri, 7 Nov 2014 18:40:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.1
X-Spam-Level:
X-Spam-Status: No, score=0.1 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, J_CHICKENPOX_65=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HCmWXJ9g48G6 for <dane@ietfa.amsl.com>; Fri, 7 Nov 2014 18:40:19 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32E771A0143 for <dane@ietf.org>; Fri, 7 Nov 2014 18:40:19 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 6FEA32AAC96; Sat, 8 Nov 2014 02:40:18 +0000 (UTC)
Date: Sat, 08 Nov 2014 02:40:18 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141108024018.GD161@mournblade.imrryr.org>
References: <20141107232915.GA31913@laperouse.bortzmeyer.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20141107232915.GA31913@laperouse.bortzmeyer.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/ax1ZSBQAActI-Bc_5pCzW7NfnnU
Subject: Re: [dane] Two additions to draft-york-dane-deployment-observations-00
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Nov 2014 02:40:21 -0000

On Fri, Nov 07, 2014 at 03:29:15PM -0800, Stephane Bortzmeyer wrote:

> The second one is the lack of monitoring solutions. DANE brings some
> new risks of discrepancies (people renewing the certificate and
> forgetting to update the TLSA record for the *-EE usages...) since the
> people who manage the certs may not be the same who manage the DNS. We
> really need Nagios plugins to monitor DANE sites. Unlike the first
> reason given above, I strongly buy this one.

Funny you should mention that.  That's something I'm working on,
and at least for SMTP with DANE.

Some of the early adopter domains I've been curating are getting
DNSSEC wrong.  The forget to re-sign, or secondaries fall out of
sync, or nameservers are buggy, ...  I've also seen some validation
failures with BIND 9.10.1 as the validating resolver that I don't
see with unbound.

The monitoring is at the DANE layer, getting detailed diagnostics
from DNSSEC validation errors would also be useful, but I don't
have the tools handy for that, "drill -S" is almost the right tool,
but I'm open for recommendations of validators that describe problems
more simply and concisely than:

    $ drill -S -D -t tlsa _25._tcp.fuhrt.de.
    ;; Number of trusted keys: 1
    ;; Chasing: _25._tcp.fuhrt.de. TLSA

    DNSSEC Trust tree:
    _25._tcp.fuhrt.de. (TLSA)
    |---Error in denial of existence: RR not covered by the given NSEC RRs
    |---cgokmsudli89pi41egv37cvqrq5bfug3.fuhrt.de. (NSEC3)
    |   |---fuhrt.de. (DNSKEY keytag: 22118 alg: 7 flags: 256)
    |       |---fuhrt.de. (DNSKEY keytag: 10069 alg: 7 flags: 257)
    |       |---fuhrt.de. (DS keytag: 10069 digest type: 2)
    |           |---de. (DNSKEY keytag: 56395 alg: 8 flags: 256)
    |               |---de. (DNSKEY keytag: 24220 alg: 8 flags: 257)
    |               |---de. (DS keytag: 24220 digest type: 2)
    |                   |---. (DNSKEY keytag: 22603 alg: 8 flags: 256)
    |                       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
    |---Error in denial of existence: RR not covered by the given NSEC RRs
    |---2q3imqr0q2dntoohifcm0a6or78lropv.fuhrt.de. (NSEC3)
	|---fuhrt.de. (DNSKEY keytag: 22118 alg: 7 flags: 256)
	    |---fuhrt.de. (DNSKEY keytag: 10069 alg: 7 flags: 257)
	    |---fuhrt.de. (DS keytag: 10069 digest type: 2)
		|---de. (DNSKEY keytag: 56395 alg: 8 flags: 256)
		    |---de. (DNSKEY keytag: 24220 alg: 8 flags: 257)
		    |---de. (DS keytag: 24220 digest type: 2)
			|---. (DNSKEY keytag: 22603 alg: 8 flags: 256)
			    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
    No trusted keys found in tree: first error was: RR not covered by the given NSEC RRs
    ;; Chase failed.

So we've not yet shaken out all the DNSSEC implementation and
operational errors.

On the DANE front, some users are confused about the difference
between the Cert(0) vs SPKI(1) selector, and occasionally forget
to update TLSA RRs when keys are rotated.

The raw scan for ietf.org reads:

    ietf.org. IN MX 0 mail.ietf.org.
    mail.ietf.org. IN A 4.31.198.44
    _25._tcp.mail.ietf.org. IN TLSA 3 1 1 0c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6
    ;; SSL: protocol = TLSv1.2, cipher = ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
    ;; Passed(depth 0): mail.ietf.org. IN TLSA 3 1 1 0c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6

-- 
	Viktor.

v2.15.0 | Report a Bug | By Email