IETF Logo Mail Archive

Re: Last Call: 'Minimally Covering NSEC Records and DNSSEC On-line Signing' to Proposed Standard

Geoffrey Sisson <geoff@nominet.org.uk> Mon, 05 December 2005 15:18 UTC

Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EjI6n-0007yI-Bd for dnsext-archive@megatron.ietf.org; Mon, 05 Dec 2005 10:18:29 -0500
Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA01369 for <dnsext-archive@lists.ietf.org>; Mon, 5 Dec 2005 10:17:39 -0500 (EST)
Received: from majordom by psg.com with local (Exim 4.60 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1EjI27-0001a5-7D for namedroppers-data@psg.com; Mon, 05 Dec 2005 15:13:39 +0000
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on psg.com
X-Spam-Status: No, score=-1.3 required=5.0 tests=AWL,BAYES_00,BIZ_TLD autolearn=no version=3.1.0
Received: from [213.248.199.23] (helo=mx3.nominet.org.uk) by psg.com with esmtp (Exim 4.60 (FreeBSD)) (envelope-from <geoff@nominet.org.uk>) id 1EjI26-0001Zq-6A for namedroppers@ops.ietf.org; Mon, 05 Dec 2005 15:13:38 +0000
Received: from staff.nominet.org.uk ([213.248.199.129]) by mx3.nominet.org.uk with ESMTP; 05 Dec 2005 15:13:32 +0000
X-IronPort-AV: i="3.99,217,1131321600"; d="scan'208"; a="2044817:sNHT25839152"
Received: (from geoff@localhost) by staff.nominet.org.uk (8.12.9/8.12.9) id jB5FDVpY029710; Mon, 5 Dec 2005 15:13:31 GMT
Date: Mon, 05 Dec 2005 15:13:31 +0000
From: Geoffrey Sisson <geoff@nominet.org.uk>
Message-Id: <200512051513.jB5FDVpY029710@staff.nominet.org.uk>
To: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: Re: Last Call: 'Minimally Covering NSEC Records and DNSSEC On-line Signing' to Proposed Standard
Cc: namedroppers@ops.ietf.org, iesg@ietf.org
In-Reply-To: <a06200705bfb667a0af2d@[10.31.32.96]>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk

Edward Lewis <Ed.Lewis@neustar.biz> wrotes:

> At 10:53 -0500 11/22/05, The IESG wrote:
> >http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dns-name-p-s-01.txt
> 
> #   This document describes two methods:
> #
> #   1.  An ``absolute method'', which returns the immediate predecessor
> #       or successor of a domain name such that no valid DNS name could
> #       exist between that DNS name and the predecessor or successor.
> #
> #   2.  A ``modified method'', which returns a predecessor and successor
> #       which are more economical in size and computation.  This method
> #       is restricted to use with zones consisting exclusively of owner
> #       names that contain no more than one label more than the owner
> #       name of the apex, where the longest possible owner name (i.e. one
> #       with a maximum length left-most label) would not exceed the
> #       maximum DNS name length.  This is, however, the type of zone for
> #       which the technique of online signing is most likely to be used.
> 
> I have two comments to make on this.
> 
> One is that I think it's unwise to design a standard part of the 
> protocol based on the data content of the zone.  I'm referring to the 
> sentiment in the last sentence of the quoted section.  This is not a 
> concrete comment, just a design guideline, and it is less important 
> than my next comment.

Note that -ietf-dnsext-dns-name-p-s has been requested for publication
as Experimental, so it's not part of the protocol.  The described
methods are provided as an aid to implementors and are not normative.

> Keeping in mind that we discourage (or should, I recall talking about 
> this) caches from being used to speak authoritatively about data and 
> the behavior of negative caches, does it really matter if the NSEC 
> contents are "true?"  Especially when what is "true" can change with 
> dynamic update.
> 
> My point here is, perhaps the modified method is all that is needed, 
> regardless of the kind of data in the zone.  Can we get away with one 
> approximately good method instead of having to define two exacting 
> methods?  Can't we simplify this?

The "modified method" would be quite broken for some types of zones,
e.g. ones with lots of deeply-nested empty non-terminals.  For example:

    $ORIGIN 5.6.8.1.4.4.e164.arpa.

    1.1.2.2.3.3 IN NAPTR <blah>

    9.9.2.2.3.3 IN NAPTR <blah>

    . . .

When using the modified method, a query with a QNAME of
4.4.2.2.3.3.5.6.8.1.4.4.e164.arpa. would produce this response:

    2\255{62}.5.6.8.1.4.4.e164.arpa. IN NSEC 3\000.5.6.8.1.4.4.e164.arpa. ...

This would potentially deny the existence of quite a few existing DNS
names, substantially increasing it's utility for replay attacks.

Geoff

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email