[dd] Challenges with DELEG awareness in DNSKEY
Bob Halley <bhalley@cloudflare.com> Wed, 20 March 2024 13:48 UTC
Return-Path: <bhalley@cloudflare.com>
X-Original-To: dd@ietfa.amsl.com
Delivered-To: dd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B078C14F711 for <dd@ietfa.amsl.com>; Wed, 20 Mar 2024 06:48:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c_dBEK_GWaEh for <dd@ietfa.amsl.com>; Wed, 20 Mar 2024 06:48:16 -0700 (PDT)
Received: from mail-pl1-x636.google.com (mail-pl1-x636.google.com [IPv6:2607:f8b0:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEB3EC14F605 for <dd@ietf.org>; Wed, 20 Mar 2024 06:48:16 -0700 (PDT)
Received: by mail-pl1-x636.google.com with SMTP id d9443c01a7336-1dd9568fc51so53182155ad.2 for <dd@ietf.org>; Wed, 20 Mar 2024 06:48:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1710942496; x=1711547296; darn=ietf.org; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OvvEZ4ER/6u2RoDOSJrGneP2xuuQnL6VL3ofkGoWPl8=; b=JDSoQUXSsUBGDsp7qV1j9URERQ+1suZb435ykhQjdTxcdl7/AETBQshfUY3YEq5ofj je/pSWALimZt/BOaSJqSMIVTu63v2C+86nPREBW27sJIW1ZuCn2ZdZSBVFnIMEDgDtyr lk8TPyyGyzmTk3EI96pkp46XMgrW9Hyw9K2IoTy4GKKKKveVJUyRSALbAtjcM3E/1T8j essxH19fl7bcArjbjI98F6VkH710iafiIGVHxVZEQ9AOpv1Dff4LpcMEpJXiXlTU6S+X P6Vsnd+pum89CzWmmk0wkYI+lg7aQ1MJfQ9/4TLW95vKnUdBekRRnY+5tBA6sHgb3via Ge4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710942496; x=1711547296; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OvvEZ4ER/6u2RoDOSJrGneP2xuuQnL6VL3ofkGoWPl8=; b=IOjoEUbgL3Ei2mZqlXaVjwdRpFINAbY+wlT4tnlC9gD6GVZ6f/jjpNZ4key25h9d4D dieKpJGAQnpskcW0cQxdSiSng94ec6N2F5mk6ZcQ7e3VQQdS/26+GnULXy+qEQlQuDDz NYUJYRCqZUkFhlAbi/E8KcWg7y/BB4eHatZRugLJrhoSJ2x4X1yDntzWEXEru3ZEFKoT Mqgo+E8ZyCk6R9UQ7BQAxAG4FXiAWgHRSlzx2XD+hY/PHIxQdOxJ8V3wKGaIN853L1gw p6BgWxXAJwkM5IFh2/qxbjVyHDTrUkmr9hZlycTkHdywhOmzDDXy9jpQ54yd5ReIx4Pe x+NA==
X-Gm-Message-State: AOJu0YyFcGOzTHZcfrHBLg5X6JGefiDkjV3luyS+YUrE0WvT/juMDKTD nAmnTD3nlHZRTcDB5KEsHEoXedrp3kRiNzPO7y5/vIEcQsJyjWL+7v3VpgkLJuK42ktOMXm0Lv3 MxZ7S9r4WDn3w6uDmLaoMnTrgygRYI1gLQgarl4Z3Rp/98gkaXq4=
X-Google-Smtp-Source: AGHT+IEo5oPx/n7DvnDxR2QhkTBuuoIua2SNJVVpOiQ5eWHTC6F2SLNaeExevaIhVt/5N3qeP0P6QcxEDlhe22cT7hM=
X-Received: by 2002:a17:902:ec81:b0:1e0:73d:9175 with SMTP id x1-20020a170902ec8100b001e0073d9175mr2542722plg.45.1710942495559; Wed, 20 Mar 2024 06:48:15 -0700 (PDT)
MIME-Version: 1.0
From: Bob Halley <bhalley@cloudflare.com>
Date: Wed, 20 Mar 2024 06:48:04 -0700
Message-ID: <CAB1+oZ5vkivgegiL7CaAN9GKpymqgMiC+VpXr_1X--ohVcd4cQ@mail.gmail.com>
To: dd@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dd/E0s8-dilsiote4M2URjUWi3T9aM>
Subject: [dd] Challenges with DELEG awareness in DNSKEY
X-BeenThere: dd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Delegation <dd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dd>, <mailto:dd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dd/>
List-Post: <mailto:dd@ietf.org>
List-Help: <mailto:dd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dd>, <mailto:dd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 13:50:29 -0000
Disclaimer: I like DELEG, and am not trying to bash it nor am I against its adoption. This document is solely considering specification and operational problems I’ve encountered while thinking about DELEG. I don’t think any of the issues are showstoppers, but I do think further consideration is warranted. If a validating resolver receives a delegation response from a secure zone that has neither a DELEG nor a proof that there is no DELEG, then either the authority is not DELEG-aware, or an adversary has removed the DELEG, possibly to downgrade communications with the delegated zone’s nameservers (e.g. queries will be sent in the clear instead of over DoT/DoH/DoH3/DoQ). To remediate this issue, the draft allocates a DELEG flag in the DNSKEY to indicate that the server is DELEG-aware and that any delegation will either provide a DELEG RRset or provide proof that there is no DELEG RRset. There are some specification and operational problems with this approach. 1) The draft talks about “the DNSKEY record” but the DNSKEY RRset of an authority may contain many keys. There may be KSKs and ZSKs, keys being published as part of key rollovers, emergency keys, support for multiple algorithms, etc. There is also no clear notion (from the resolver’s point of view) as to which keys are “the active keys” and which are not simply by inspecting the RRset. Resolvers see a signer name, an algorithm, and a key tag on a signature, and look for a compatible key that validates the signature. What then is the proper awareness signal? That any key has the DELEG flag? That all keys have the valid flag? Is it the key(s) used to sign the DS if there is a DS RRset? Is it the key(s) used in the proof that there is no DS when NSEC3 OPT-OUT is in use? Is it the KSK at the end of a proof chain? What if there are multiple signatures, some by a DELEG DNSKEY and some not? Also note that DNSSEC does not require that the same key be used in an entire proof chain. In a negative proof with multiple NSEC/NSEC3 it is legal to use a different key for each part of the signature (granted this is weird and improbable). 2) If the signal is not derived from the key of some particular signature, then all servers for the parent must be DELEG-aware before DELEG can be used to delegate, as in that case some “all or any” type rule must be used, and answers from the non-aware servers will not comply as they will not emit DELEG nor will they emit the appropriate negative proof where there is a DS. This is not necessarily a bad thing, but it's important to realize it's a consequence. Unfortunately, neither the “all” or “any” approaches are very appealing due to the lifecycle issues in the next point. 3) Validation of the zone by DELEG-aware recursors is tied to the key lifecycle. If you want to upgrade a server to be DELEG-aware in the future, then you can’t do the DNSKEY transition at the same time if using the "any" or "all" modes. The server would have to become DELEG aware first, and then transition to showing the DELEG awareness indication with a rollover, as otherwise it signals awareness too early. In the derived-from-signature method, you can prepublish the key and transition atomically. More seriously, transition from DELEG-aware to DELEG-non-aware, perhaps to deal with a serious software bug, requires a key rollover before dropping DELEG awareness no matter what the signaling scheme, as otherwise the DNSKEY DELEG flag will cause DELEG-aware resolvers to fail to validate when neither a DELEG nor the required negative proof are included in a secure delegation. If the awareness signal is in the KSK, not the ZSKs, this involves a potentially devastating KSK rollover where the zone is down for whatever TTL the authority’s parent zone imposes (often a day or more for TLDs). 4) Extra care is needed in “multi-operator” setups when DNSSEC is involved. E.g. if a registrant uses authorities from multiple operators to publish the data, then all the operators need to have DELEG awareness (or not) and transitions from one awareness state to another need to be carefully coordinated. Preliminary conclusions: * The awareness signal SHOULD NOT be in the KSK (or, more generally, not in the records published in the authority’s parent, for the case where the authority is not splitting the KSK and ZSK roles). * If the awareness signal is in the DNSKEY RRset, it should probably be in the key used to either sign the DS or in the most-enclosing part of the nonexistence proof for the DS and DELEG types. * Tying the awareness signal to the DNSKEY RRset imposes lower bounds on recovery times when going from aware to non-aware as you first have to turn off the awareness signal, then you have to disable DELEG. Bad data can be around for the TTL of the DNSKEY RRset plus the TTL of the DELEG set in this case. * Tying the awareness signal to the DNSKEY RRset imposes greater operational complexity as it’s not as simple as adding/removing a DELEG record at the delegation point. * For greater simplicity, DELEG rollouts for a zone should only happen when all authorities for the zone are DELEG-aware. * Multi-operator DNS setups need careful coordination. Most of what I’ve raised can be dealt with by being careful, though it seems a little scary. Some other possible mitigations: Do not use an awareness flag in the DNSKEY RRset. Resolvers can explicitly probe for DELEG and a secure server will have to prove that the type doesn’t exist in addition to delegating. This is simple, and resolvers already can have to do similar probes for DS in some cases. It is pretty suboptimal though, as in the early days a DELEG-aware server will make a lot of DELEG queries increasing resolution latency. Whether this really matters is debatable however, as caching and prefetching mean ordinary clients are not likely to experience latency from this unless the resolver has just restarted. Hackishly encode the awareness signal in the DS RRset at the delegation point, e.g. with a 0 tag and a special DELEG algorithm. The hash algorithm and hash fields would be available for other uses. The advantage here is that the DS will be included whether aware or unaware, and resolvers are already prepared to look for it when needed. Another advantage is that it allows awareness to be turned on and off per delegated zone; this is a small thing but useful if something in the subdomain's world might choke on the DELEG bit in a DNSKEY, even though it shouldn’t! The drawback here is the duplication of the awareness signal in every secure delegation, wasting space in the presumably common case where the authority is aware for all delegations. Personally I would not exploit this per-zone capability as I think the complexity to benefit tradeoff is not good, but I mentioned it for completeness. /Bob
- [dd] Challenges with DELEG awareness in DNSKEY Bob Halley
- Re: [dd] [Ext] Challenges with DELEG awareness in… Edward Lewis
- Re: [dd] Challenges with DELEG awareness in DNSKEY Roy Arends
- Re: [dd] Challenges with DELEG awareness in DNSKEY Petr Špaček