IETF Logo Mail Archive

Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]

Peter van Dijk <peter.van.dijk@powerdns.com> Fri, 29 May 2020 19:56 UTC

Return-Path: <peter.van.dijk@powerdns.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 879383A102A for <dns-privacy@ietfa.amsl.com>; Fri, 29 May 2020 12:56:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.621
X-Spam-Level:
X-Spam-Status: No, score=-1.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.276, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fWiyTHnk2wbJ for <dns-privacy@ietfa.amsl.com>; Fri, 29 May 2020 12:56:15 -0700 (PDT)
Received: from mx3.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 054EF3A1029 for <dns-privacy@ietf.org>; Fri, 29 May 2020 12:56:14 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPS id 519DA6A307; Fri, 29 May 2020 21:56:13 +0200 (CEST)
Received: from plato (e82143.upc-e.chello.nl [213.93.82.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 315313C0382; Fri, 29 May 2020 21:56:13 +0200 (CEST)
Message-ID: <a98818c2b2387a498883a48261ddafd21d9e40a0.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dns-privacy@ietf.org
Date: Fri, 29 May 2020 21:56:12 +0200
In-Reply-To: <alpine.LRH.2.21.2005291152560.31882@bofh.nohats.ca>
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com> <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca> <ec6bc9248179a9ab56ea490f82b14c7e90ffe819.camel@powerdns.com> <alpine.LRH.2.21.2005241222410.4172@bofh.nohats.ca> <77f7a9c38c6bd0a059679a7ab3027b4da9005512.camel@powerdns.com> <alpine.LRH.2.21.2005241710490.10453@bofh.nohats.ca> <5653e4dd2ab6daa648387808a3ac04e088bbc89b.camel@powerdns.com> <CAHbrMsDKQqfnoty+cRa5bJ=zVkONYTbFf-=8hzAj0E7pWeFXug@mail.gmail.com> <a8f44365b9b3a079753f8286cc19fbb241996bf5.camel@powerdns.com> <CAHbrMsAhKB9=nPfnmYzT-tu8-XMYNwyyuYM3T9106iWNzPpDAQ@mail.gmail.com> <alpine.LRH.2.21.2005272118320.18445@bofh.nohats.ca> <10319d748a2ecc2c4e8cad7b8fb545a1f65ff925.camel@powerdns.com> <alpine.LRH.2.21.2005291115060.31882@bofh.nohats.ca> <79c8d207a1215ed0a34d05236ca5dda228ac09a6.camel@powerdns.com> <alpine.LRH.2.21.2005291152560.31882@bofh.nohats.ca>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/fUDJCcHNaCrKRYsRR5S_K57bUbU>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2020 19:56:17 -0000

On Fri, 2020-05-29 at 11:59 -0400, Paul Wouters wrote:
> On Fri, 29 May 2020, Peter van Dijk wrote:
> 
> > > - Takes DNSKEY, only does syntax checks ---> we dont need to publish anything
> > 
> > Yes.
> 
> Actually I was wrong. We still need to publish something so the child
> proves the parent was not maliciously publishing a DS record. So we
> would probably publish it as a CDS to keep it out of the DNSSEC
> validation path and make it easy to compare parent DS to client CDS.

I know you have spent a lot more time thinking about attacks from a
parent to a child zone, so I'm probably missing something that's
obvious to you.

I'm not even sure what my question is, so let's try this: if a
malicious parent has the ability to publish a malicious DS record, why
wouldn't that parent also change the NS records in some subtle way?
Then the real client side CDS becomes invisible. I have trouble seeing
a specific combination of attacker choices that makes sense here.

> > > - Takes DNSKEY, but verifies it is a supported algorithm --> we have to convince them to support our pseudo alg
> > 
> > Yes, and, we found out and will put in -01: to allow 'weird' flags for
> > at least that algo.
> 
> See my other email about DNSKEY algo 253 and 254. Since that's in the RFC,
> you will have a better case arguing they have to support those.

Assuming we (our draft, or some loosely related variant like the couple
of other proposals in this thread) get to RFC, IANA will assign a
number (or perhaps even before that). I'm not worried about getting the
algo number on the registries' allowlist.. eventually.

(see my reply to the other email, that I had missed before, for why I
think 253/254 are not appropriate)

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

v2.23.0 | Report a Bug | By Email