Re: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-for-insecure-delegations-01.txt

Tony Finch <dot@dotat.at> Thu, 28 March 2019 14:56 UTC

Date: Thu, 28 Mar 2019 14:55:56 +0000
From: Tony Finch <dot@dotat.at>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
cc: dns-privacy@ietf.org
In-Reply-To: <B5B7E98F-29E5-4315-8D8C-F3965DF67AF9@powerdns.com>
Message-ID: <alpine.DEB.2.20.1903281440400.13313@grey.csi.cam.ac.uk>
References: <CAArYzrLNWFBPU2p06mOOBD2GFGKCoM65Lh8wN6vpNx8QuDArwA@mail.gmail.com> <6EF66B71-918D-41D4-B784-814804A87D78@akamai.com> <20190324140711.GA28961@LK-Perkele-VII> <CAArYzrKS5XAL48hvLj3Wi7HzqDdwN-43pkpLXbcY38MwaFwhaA@mail.gmail.com> <B5B7E98F-29E5-4315-8D8C-F3965DF67AF9@powerdns.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Lfe_X4cvAl-YBVfxlM8TVHpX8uQ>
Subject: Re: [dns-privacy] New Version Notification for draft-bretelle-dprive-dot-for-insecure-delegations-01.txt

> >> This proposal actually reminds me a lot of an idea I had that actually
> >> used DS records instead of a new record type.
> >>
> >> AFAIK:
> >> - DNSsec ignores any such record (unknown algorithm)
> >>   -> No interference with DNSsec.
> >> - CDS does not ignore such records.
> >>   -> Automated synchronization.
> >> - Lives on parent side of delegation.
> >>   -> No post-hoc authentication.

There's a problem with CDS and unknown algorithms.

RFC 7344 section 4.1 third bullet requires the parent to verify that the
delegation will not be broken by the new DS RRset. This means the parent needs
to check that it is able to validate every algorithm, otherwise it could
open up a downgrade attack. Note that this validation is not just checking
that the DS records have matching DNSKEY records; the parent must also
validate that at least one matching key has signed the DNSKEY RRset
(because that's what normal validators will need to be able to do).

So unknown algorithm hacks will not work with CDS as things currently are.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Great Orme Head to the Mull of Galloway: Variable 3 or 4, becoming southwest 4
or 5. Smooth or slight. Fair. Good.
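
The acceptance check Tony describes, written out as an added example (it is not code from the thread or from any registry's CDS processor): the parent refuses a CDS RRset containing an algorithm it cannot validate, matches each remaining CDS record to a child DNSKEY by RFC 4034 key tag and DS digest, and then requires that at least one matched key actually signs the DNSKEY RRset. The key-tag and DS-digest arithmetic follow RFC 4034; the signature algorithm registered under number 253 (PRIVATEDNS) is a constructed stand-in using HMAC-SHA256 with the DNSKEY public-key field as the MAC key, since a real DNSSEC algorithm would need a public-key library. The zone name, keys and RRSIGs in `demo()` are likewise constructed.

```python
"""RFC 7344 section 4.1 check a parent runs before publishing a CDS-proposed DS RRset.

Constructed example. Key tag and DS digest follow RFC 4034; algorithm 253 below is a
stand-in (HMAC-SHA256 keyed with the DNSKEY public-key field), not a real DNSSEC algorithm.
"""
import hashlib
import hmac
import struct

DIGEST_TYPES = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types this parent implements


def name_to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """RFC 4034 section 5.1.4: digest(owner name wire || DNSKEY RDATA)."""
    return DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).digest()


def canonical_dnskey_rrset(owner, rdatas, ttl=3600):
    """Data an RRSIG over the DNSKEY RRset covers: RRs in canonical order."""
    wire = name_to_wire(owner)
    return b"".join(wire + struct.pack("!HHIH", 48, 1, ttl, len(r)) + r for r in sorted(rdatas))


def toy_sign(pubkey, data):  # stand-in for a real signing primitive (constructed)
    return hmac.new(pubkey, data, hashlib.sha256).digest()


def toy_verify(pubkey, data, signature):
    return hmac.compare_digest(toy_sign(pubkey, data), signature)


VERIFIERS = {253: toy_verify}  # DNSKEY algorithms this parent is able to validate


def cds_acceptable(owner, cds_rrset, dnskey_rrset, rrsigs, verifiers=VERIFIERS):
    """Return (accepted, reason) for a DS RRset the child proposes via CDS.

    cds_rrset:    list of (key_tag, algorithm, digest_type, digest)
    dnskey_rrset: list of DNSKEY RDATA bytes at the child apex
    rrsigs:       list of (key_tag, algorithm, signature) over the DNSKEY RRset
    """
    if not cds_rrset:
        return False, "empty CDS RRset"
    # 1. Every algorithm must be one the parent can validate; an unknown one
    #    cannot be checked at all, so the whole CDS RRset is refused.
    for tag, alg, dtype, _ in cds_rrset:
        if alg not in verifiers:
            return False, f"cannot validate DNSKEY algorithm {alg} (key tag {tag})"
        if dtype not in DIGEST_TYPES:
            return False, f"unsupported DS digest type {dtype} (key tag {tag})"
    # 2. Each CDS record must match a DNSKEY by algorithm, key tag and digest.
    matched = []
    for tag, alg, dtype, digest in cds_rrset:
        for rdata in dnskey_rrset:
            if (rdata[3] == alg and key_tag(rdata) == tag
                    and hmac.compare_digest(ds_digest(owner, rdata, dtype), digest)):
                matched.append(rdata)
                break
        else:
            return False, f"no DNSKEY matches CDS key tag {tag}"
    # 3. At least one matched key must sign the DNSKEY RRset, which is what a
    #    validator following the new DS records will have to verify.
    signed = canonical_dnskey_rrset(owner, dnskey_rrset)
    for rdata in matched:
        tag, alg, pubkey = key_tag(rdata), rdata[3], rdata[4:]
        for sig_tag, sig_alg, sig in rrsigs:
            if sig_tag == tag and sig_alg == alg and verifiers[alg](pubkey, signed, sig):
                return True, f"validated via key tag {tag}"
    return False, "no key referenced by CDS signs the DNSKEY RRset"


def demo():
    """Constructed child zone: a KSK that signs the DNSKEY RRset and a ZSK that does not."""
    owner = "example.test."
    ksk = dnskey_rdata(257, 253, b"ksk-public-key-bytes")
    zsk = dnskey_rdata(256, 253, b"zsk-public-key-bytes")
    keys = [ksk, zsk]
    rrsigs = [(key_tag(ksk), 253, toy_sign(ksk[4:], canonical_dnskey_rrset(owner, keys)))]
    good = [(key_tag(ksk), 253, 2, ds_digest(owner, ksk, 2))]
    unknown = good + [(12345, 254, 2, bytes(32))]                   # algorithm 254 unknown here
    unsigned = [(key_tag(zsk), 253, 2, ds_digest(owner, zsk, 2))]  # ZSK does not sign DNSKEY
    return {
        "good": cds_acceptable(owner, good, keys, rrsigs),
        "unknown_alg": cds_acceptable(owner, unknown, keys, rrsigs),
        "unsigned_key": cds_acceptable(owner, unsigned, keys, rrsigs),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The second case is the one the message is about: the CDS set carries a record for an algorithm the parent does not implement, and the check fails at step 1 rather than quietly publishing a DS it could never validate. The third case shows why matching digests alone is not enough: the ZSK's DS would match a real DNSKEY, but no RRSIG over the DNSKEY RRset was made with it.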