Re: [dnsext] Reminder: two WGLC closing in one week
Mark Andrews <Mark_Andrews@isc.org> Wed, 24 September 2008 01:01 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 359AD3A6D0C; Tue, 23 Sep 2008 18:01:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.166
X-Spam-Level:
X-Spam-Status: No, score=-2.166 tagged_above=-999 required=5 tests=[AWL=0.433, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DQMNuFZRFPl3; Tue, 23 Sep 2008 18:01:47 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 7C1543A6CF6; Tue, 23 Sep 2008 18:01:46 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KiIcr-00059p-9W for namedroppers-data@psg.com; Wed, 24 Sep 2008 00:53:05 +0000
Received: from [2001:470:1f00:820:214:22ff:fed9:fbdc] (helo=drugs.dv.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <marka@isc.org>) id 1KiIci-00058n-87 for namedroppers@ops.ietf.org; Wed, 24 Sep 2008 00:52:59 +0000
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.2) with ESMTP id m8O0qk2S090645; Wed, 24 Sep 2008 10:52:46 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200809240052.m8O0qk2S090645@drugs.dv.isc.org>
To: Michael StJohns <mstjohns@comcast.net>
Cc: Andrew Sullivan <ajs@commandprompt.com>, namedroppers@ops.ietf.org
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: [dnsext] Reminder: two WGLC closing in one week
In-reply-to: Your message of "Tue, 23 Sep 2008 12:28:27 -0400." <20080923162831.54AE3114088@mx.isc.org>
Date: Wed, 24 Sep 2008 10:52:46 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
In message <20080923162831.54AE3114088@mx.isc.org>, Michael StJohns writes: > I think you're getting too much into the minutia of arguing about how things a > re done with DNAME if you apply the "rules" and not enough into thinking about > whether or not the rules for DNAME need to be different or clarified.... > > > At 02:18 AM 9/23/2008, Mark Andrews wrote: > > >> > >> So the last question is what goes on when you have the same three queries - > exc > >> ept the last one now validates, and the DO bit wasn't set from the stub res > olve > >> r? (e.g, I won't understand the lack of AD bit) > > > > You return the answer. > > > >> The simple answer would be to return the three RRSets - but is that the rig > ht a > >> pproach or only one of several correct approaches? > >> > >> I could argue the paranoids point, that once the answer becomes secure, unl > ess > >> it becomes securely unsecure (by proving there's no DS at a delegation poin > t), > >> then the final answer must either be secure or bogus. In other words, if I > get > >> a referral via a CNAME or DNAME into unsecure space, then the final answer > sho > >> uld be "bogus". > > > > No. Everything that is not at or below a TA is deemed to > > be insecure. > > Actually, there is a pretty large difference in considering security between: > > Insecure: Someone I trusted told me that data doesn't need to be signed (e.g. > secure delegation to an unsecure zone) > and > Unknown: I have no idea whether or not that data should be secure - it's not u > nder a trust anchor *I KNOW ABOUT* - and because of that I can't make useful s > tatement about its actual security. As far as your validator is concerned it *is* to treat the data as insecure. This is what RFC 4035 says to do with it. There are no "if", "maybe" or "what if". This is clearly stated. Insecure: An RRset for which the resolver knows that it has no chain of signed DNSKEY and DS RRs from any trusted starting point to the RRset. This can occur when the target RRset lies in an unsigned zone or in a descendent of an unsigned zone. In this case, the RRset may or may not be signed, but the resolver will not be able to verify the signature. If a name is not under a TA then the first sentence is met. The second and subsequent sentences give the non trivial example of when the first sentence can be met. It's not "This will occur", it's "This can occur" and "In this case". Perhaps we should have split this into two paragraphs and as you have failed to see the trivial case add it. Insecure: An RRset for which the resolver knows that it has no chain of signed DNSKEY and DS RRs from any trusted starting point to the RRset. This can occur when the target RRset lies in an unsigned zone or in a descendent of an unsigned zone. In this case, the RRset may or may not be signed, but the resolver will not be able to verify the signature. Alternatively this can occur when there is no trusted starting point at or above the name. The only time a record is unknown is prior to attempting to validate or when you can't reach the servers to get the DNSKEY/DS in the chain that would allow you to validate. Indeterminate: An RRset for which the resolver is not able to determine whether the RRset should be signed, as the resolver is not able to obtain the necessary DNSSEC RRs. This can occur when the security-aware resolver is not able to contact security-aware name servers for the relevant zones. You can ALWAYS reach you TA's as they are part of the validator's configuration. Therefore you can ALWAYS validate data which is not under a TA. That validation ALWAYS returns insecure. If you use DLV then you need to check with the DLV registry to detemine if the name is secure or not. I have exactly the reverse arguement when someone complained that we should be returning insecure when the DLV lookup timed out. With DLV you have to prove that the name is not covered by a DLV record. However if you still have a island that is not covered by either a TA or a DLV record then the records are insecure. > >> The above is different than the secure delegation to an unsecure zone: The > sig > >> ned delegation to an unsigned zone is controllable by the delegator. The s > igne > >> d CNAME or DNAME referral to an zone carries no information about whether t > he r > >> eferrer/signer believes the target zone/name should be signed. > >> > >> I'm trying to reconcile this with the general policies on how data is retur > ned > >> from a validating recursive resolver to a non-DNSSEC aware stub resolver. > The > >> VRR returns an RCODE 2 for any data below a trust anchor it can't validate > (bog > >> us), and returns the data which has no superior trust anchor (unknown), > > > > No, it is NOT unkown. It is insecure. You are attempting to introdu > ce > > a state which does not exist. > > > > secure -> passes validation > > insecure -> no TA or there is a insecure delegation from a secure zon > e. > > bogus -> fails validation > > yeah - we've had this discussion a number of times. If I have no basis on whic > h to make a security determination, it is indeterminate or unknown. In VRR pro > cesing, that generally means the data is passed along with the AD bit off whic > h is no different than the result for insecure data. The fact the end result > is identical from the POV of the querier does not mean the trust states are id > entical. > > With respect to the current problem: > > If the middle chain is insecure (e.g. I did CNAME/DNAME into a zone below I tr > ust anchor the VRR has, but that is below a secure unsecure delegation), is th > is more trustworthy than if the middle chain resolved to an RRSet that had no > superior trust anchor? > > Again, paranoid's argument suggests that I might consider the former a non-bog > us answer and the latter a bogus answer given general DNSSEC principles. Go read the definition of INSECURE in RFC4035. > >> returns > >> the data it was able to validate (secure), and returns the data which was b > elo > >> w an unsecure delegation point (unsecure). > >> > >> I'm not sure I can argue that a DNAME or CNAME into an unknown/unsecure zon > e fr > >> om a secure zone is equivalent to an unsecure delegation from that secure z > one > >> to a subsidiary, because the target of the DNAME/CNAME can change the DNSSE > C st > >> atus at any time after the CNAME/DNAME is published. Unfortunately, I can' > t se > >> e any way of encoding the DNAME/CNAME signers expectation of security for t > he t > >> arget zone in the current definitions. > > > > Each QNAME when following a CNAME chain is independently > > validated. When you return the final answer you look at > > all the components to determine whether the final answer > > is secure (AD could be set if requested) or not. > > Agreed, but the current argument is whether or not there is a meta policy that > needs to be applied and not just a min() of all of the independent chain resu > lts. What you're identifying is the obvious, but possibly incorrect/insecure > approach. > > > > >> So if I follow the principal of "if it started out secure and I can't prove > it > >> was meant to be unsecure then it should be bogus if I can't validate it" wh > ich > >> we follow for on-tree delegations, shouldn't I follow it for off-tree deleg > atio > >> ns? > > > Except you can validate that it is insecure. > > Actually, you can't. If the middle chain is not under a trust anchor (or rath > er if the resolver holds no trust anchor) no validation is possible and an att > acker can literally do whatever he wants with the result data. And the fact > of the AD bit being set or not is mostly irrelevant - the end system is still > going to see the data. If the middle chain IS under a trust anchor - there ha > s to be an unsecure delegation for an attacker to get traction. Name not under TA => INSECURE. > The more I think about this, the more I begin to believe that for consistency, > if you start under a trust anchor, you better be able to end under a trust an > chor and that all chains must be able to be validated/authenticated UNLESS you > find an unsecure delegation along the way. Otherwise you get this weird st > ate where the originator of the data thought he was doing the right thing (a s > ecure DNAME referral into a secure zone), but that the resolver could find its > elf returning data that was actually bogus (because it was lacking a trust anc > hor for the referred zone and an attacker got to it). > > The tradeoff here is that doing it this way makes the combination of DNSSEC an > d DNAME or off-tree CNAME less useful. But what's the right answer from a sec > urity perspective? Do we address this by forcing a resolver behavior, or simp > ly by noting the security issues with off-tree DNAME/CNAME referrals? > > I obviously don't think the simple answer is as correct as you think it is. T > hat's a matter of opinion and the one for discussion. > > Mike > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Reminder: two WGLC closing in one week Andrew Sullivan
- Re: [dnsext] Reminder: two WGLC closing in one we… Scott Rose
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Edward Lewis
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- DNAME (and CNAME) vs DNSSEC (Was: [dnsext] Remind… Andrew Sullivan
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- [dnsext] Re: DNAME (and CNAME) vs DNSSEC Wes Hardaker
- Re: DNAME (and CNAME) vs DNSSEC (Was: [dnsext] Re… Edward Lewis
- [dnsext] recommeded contents for Re: DNAME (and C… Edward Lewis
- [dnsext] flip-flopping secure and unsecure DNAME/… Edward Lewis
- Re: [dnsext] recommeded contents for Re: DNAME (a… Scott Rose
- [dnsext] Re: DNAME (and CNAME) vs DNSSEC Wes Hardaker
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… John Dickinson
- Re: [dnsext] Reminder: two WGLC closing in one we… Florian Weimer
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Florian Weimer
- Re: [dnsext] Reminder: two WGLC closing in one we… Olafur Gudmundsson
- Re: [dnsext] flip-flopping secure and unsecure DN… Edward Lewis
- the DO bit Re: [dnsext] Reminder: two WGLC closin… Edward Lewis
- Re: the DO bit Re: [dnsext] Reminder: two WGLC cl… bmanning
- Re: the DO bit Re: [dnsext] Reminder: two WGLC cl… David Conrad
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Wouter Wijngaards
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- Re: [dnsext] flip-flopping secure and unsecure DN… Alex Bligh
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- CNAME/DNAME - Re: [dnsext] flip-flopping secure a… Edward Lewis
- Re: [dnsext] flip-flopping secure and unsecure DN… Shane Kerr
- Re: [dnsext] flip-flopping secure and unsecure DN… Alex Bligh
- Interpreting DNSSEC was Re: [dnsext] flip-floppin… Edward Lewis
- Re: [dnsext] flip-flopping secure and unsecure DN… Nicholas Weaver
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Alex Bligh
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Edward Lewis
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Nicholas Weaver
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Mark Andrews
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Wouter Wijngaards
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Mark Andrews
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Stephane Bortzmeyer
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis