IETF Logo Mail Archive

Re: [dnsext] Clarifying the mandatory algorithm rules

"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Fri, 19 November 2010 09:45 UTC

Return-Path: <wouter@nlnetlabs.nl>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D02E43A68EE for <dnsext@core3.amsl.com>; Fri, 19 Nov 2010 01:45:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level:
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7hXCHboe0-uF for <dnsext@core3.amsl.com>; Fri, 19 Nov 2010 01:45:58 -0800 (PST)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by core3.amsl.com (Postfix) with ESMTP id 6295C3A67C2 for <dnsext@ietf.org>; Fri, 19 Nov 2010 01:45:58 -0800 (PST)
Received: from gary.nlnetlabs.nl (gary.nlnetlabs.nl [IPv6:2001:7b8:206:1:216:76ff:feb8:1853]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.4/8.14.4) with ESMTP id oAJ9kjUK014172 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Fri, 19 Nov 2010 10:46:45 +0100 (CET) (envelope-from wouter@nlnetlabs.nl)
Message-ID: <4CE64785.7090401@nlnetlabs.nl>
Date: Fri, 19 Nov 2010 10:46:45 +0100
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Fedora/3.1.6-1.fc13 Lightning/1.0b3pre Thunderbird/3.1.6
MIME-Version: 1.0
To: Ondřej Surý <ondrej.sury@nic.cz>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE50C01.4010104@nic.cz> <alpine.BSF.2.00.1011180630550.83352@fledge.watson.org> <4CE5898C.7050801@nic.cz>
In-Reply-To: <4CE5898C.7050801@nic.cz>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.6 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]); Fri, 19 Nov 2010 10:46:45 +0100 (CET)
Cc: Samuel Weiler <weiler@watson.org>, dnsext@ietf.org
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Nov 2010 09:45:59 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 11/18/2010 09:16 PM, Ondřej Surý wrote:
> The idea is that just adding a new key with algorithm B (the strong)
> without chaining it to the parent zone doesn't add any new security,
> since the chain of trust is secured by the (the weak) algorithm A.

Today, the RFC has rules for DS-DNSKEY and rule for DNSKEY-DATA.  You
want to create new rules for DS-DATA.

> So, yes the RFCs need a clarification and yes the unbound is
> unnecessarily strict since such strict implementation doesn't add any
> additional security (because you don't have a chain of trust leading to
> a key).  Wouter, object now or never :).

You called?  Yes, unbound is strict, it enforces the exact zone signing
requirements from the RFC.  But, I am not objecting to you strongly.  I
want to caution making changes to RFC4035, there must be backwards
compatibility.

But the above makes the algorithm-set determined by the parent.
Now, the algorithm set is determined by the child (when you get there).
I appreciate the concern that if you want to protect a downgrade, then
you must signal this at the parent.

(the security of that parent is that of a new zone; with different owners).

Mark Andrews wrote:
> Additionally the MUST is a directive to *zone operators*.  A zone
> operator can comply with that MUST but validation will still fail
> with unbound as unbound requires that a zone be signed with DNSKEYs
> which are NOT in the zone prior to adding the DNSKEY to the zone
> due to caching.  On this alone it is clear that unbound is in the
> wrong.

Let me try to understand this and then respond.  You talk about having
to prepublish signatures before the keys are published.

This is necessary with the current rules today for algorithm-support
reasons.  It does not go away if unbound has less strict checking.  The
affected servers could be bind, unbound or other implementations.

Your change to the rules makes it possible to add the key, and then
signatures slowly, with a new algorithm, (as long as the DS is not added
yet).  I appreciate that niceness.

You are correct that you must also take the trust-anchors into account
to do it properly (and I do not do that today).

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzmR4UACgkQkDLqNwOhpPh6FACeLAsw/oeIyPpsA4YIL0Bn0jom
YBoAnRm3491f7m5Y4ipbNc5bpYPNTb6U
=e/Yn
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email