IETF Logo Mail Archive

Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME

Michael StJohns <mstjohns@comcast.net> Mon, 13 October 2008 11:49 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EF01528C0CE; Mon, 13 Oct 2008 04:49:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.233
X-Spam-Level:
X-Spam-Status: No, score=-1.233 tagged_above=-999 required=5 tests=[AWL=-0.796, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ioLIHj2wq3jm; Mon, 13 Oct 2008 04:49:02 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 8A5DF28B56A; Mon, 13 Oct 2008 04:49:02 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KpLkt-000HQ3-Is for namedroppers-data@psg.com; Mon, 13 Oct 2008 11:38:31 +0000
Received: from [76.96.30.56] (helo=QMTA06.emeryville.ca.mail.comcast.net) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <mstjohns@comcast.net>) id 1KpLki-000HP8-5t for namedroppers@ops.ietf.org; Mon, 13 Oct 2008 11:38:27 +0000
Received: from OMTA07.emeryville.ca.mail.comcast.net ([76.96.30.59]) by QMTA06.emeryville.ca.mail.comcast.net with comcast id SBAX1a0041GXsucA6BeK0w; Mon, 13 Oct 2008 11:38:19 +0000
Received: from MIKES-LAPTOM.comcast.net ([69.140.151.110]) by OMTA07.emeryville.ca.mail.comcast.net with comcast id SBeG1a0042P9w058TBeG8h; Mon, 13 Oct 2008 11:38:18 +0000
X-Authority-Analysis: v=1.0 c=1 a=dmE0DmLRt_UA:10 a=-5nm-dUE1uIA:10 a=hqaSkvWfAAAA:8 a=OzSqGtDSAAAA:8 a=wqbdNty1zbVcSD4603AA:9 a=gLl_VnppeIIuTdCRfu0A:7 a=QCny88gLYKFV97fMi5OhdfwdHVgA:4 a=Ly75NXeMEyIA:10 a=B-GU5LaGV7AA:10 a=8peU3wBK19oA:10 a=h9s5Ru71U4oA:10
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 13 Oct 2008 07:38:16 -0400
To: Ben Laurie <ben@links.org>, Edward Lewis <Ed.Lewis@neustar.biz>
From: Michael StJohns <mstjohns@comcast.net>
Subject: Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
Cc: namedroppers@ops.ietf.org
In-Reply-To: <48F2DE42.1060209@links.org>
References: <Your message of "Mon, 22 Sep 2008 15:12:44 -0400." <E1KhqqB-000CE1-QD@psg.com> <200809230016.m8N0GS9E069236@drugs.dv.isc.org> <E1Khwdp-000J3V-QJ@psg.com> <a06240804c4ffc42abc16@[10.122.105.108]> <E1KicTm-000ANO-PO@psg.com> <a06240800c50fd3decd5b@[192.168.1.101]> <48F2DE42.1060209@links.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
Message-Id: <E1KpLkt-000HQ3-Is@psg.com>

At 01:36 AM 10/13/2008, Ben Laurie wrote:
>Edward Lewis wrote:
>>> ps - anyone want to take a whack at documenting how various applications
>>> should handle various DNSSEC outcomes?  The ones I can think of off
>>> the top
>>> of my head that should be done are: SMTP (both submitter to MTA and MTA
>>> to MTA), HTTP (what the browser does *before* the user gets involved -
>>> pretty sure just exposing the DNSSEC resolution state isn't the best
>>> answer), SSH,  peer-to-peer.
>> 
>> DNSSEC was built ("repeat chorus") to stem cache poisoning, i.e.,
>> protect the admission of DNS data to the cache.  It wasn't meant to
>> protect the applications making use of the data.  If an application
>> wants to act like a cache with a verifier, fine.  Then it asks for
>> everything with CD, gets as much raw data, and does it's own check. If
>> it can't reach the source (because of firewalls, forwarders, etc.,),
>> well it's up a creek anyway.
>> 
>> To an application - either their is an answer in DNS or not.  The grey
>> area is too hard to make use of, a general solution isn't useful.  It's
>> like with lame delegation testing in the reverse map. There are a lot of
>> screw ups there, a lot follow certain pathologies that, even common,
>> make up a small percentage of the total problems. It isn't worth trying
>> to diagnose for the few predictable misconfigurations.
>
>Surely the point is that DNSSEC changes the possible answers from:
>
>1. RR exists and here it is.
>2. RR does not exist.
>3. Server not reachable (or otherwise broken).
>
>to
>
>1. RR exists and here it is.
>2. RR does not exist.
>3. RR exists but is broken in some way.
>4. Server not reachable (or otherwise broken).

I don't think its this simple... really.

Basic DNS has the 3 answers in your first group - although I'd categorize the last one as "I can't make any determination about whether or not the answer exists for any of a number of reasons" - what Marc describes as "indeterminate".

DNSSEC  add 4 (actually maybe even 5) security states that are somewhat orthogonal to the DNS states:

1. Unknown - I've got no superior trust anchor so I can't make any definite statement about whether or not the answer is secure.
2.  Secure - I've gotten a chain of signatures covering which allow me to determine the answer is securely valid.
3.  Unsecure - I've gotten a chain of signature plus certain other data which tells me in a secure manner that I have no security information about the final answer.
4.  Bogus - I've gotten all the information I've asked for from the system, but I was unable to prove the security - bad signatures, missing keys, etc.
5.  Insecure transition from secure - I've got valid signatures as far as a CNAME or DNAME, but the CNAME or DNAME point into an area of the tree with Unknown trust.

Those three DNS states matrix (somewhat) with the 5 security states to actually give you 15 distinct intersections - but a number of those substates collapse into each other.  (E.g., secure/exist, secure/non-exist, bogus/exist, bogus/non-exist, any/indeterminate, unsecure/any, unknown/any).  You might also consider that DNSSEC extends the original 3 dns resolution states to 4 by adding a "data determinate/dnssec indeterminate" - but those may collapse mostly into the bogus entries.

I'm not trying to be difficult here - but considering each of these intersections and figuring out what to do for each application seems to be a reasonable approach.

Taking specifically email MTA-MTA interactions.  It seems to me that you'd treat (secure | unsecure | indeterminate)/exist as states where you'd allow the MTA to connect and deliver, that you'd treat bogus/any as a reportable security error condition and not deliver (- but would you retry?), that you'd treat any/indeterminate as a retry error condition (e.g. temporary failure), and that you'd treat secure/non-exist as a permanent mail delivery failure.  What would you do with unknown/non-exist - would you treat as a permanent failure or retry after a long or short interval?

Going back to the DNAME/CNAME stuff - DNSSEC provides a mechanism to indicate to a resolver securely that a chain of trust is being turned off  (is ending securely?) (secure delegation to an unsecure zone).  CNAME and DNAME do not have any way of indicating the expected security state of the zone to which they point.  It seems to me that an application might actually care about this when trying to figure out what to do.  Let's pretend for a moment that DNAME has a way of indicating its target status as one of either - must be secure, or don't care.  If the must be secure bit is set and the target can't be validated (either as secure or as delegated to unsecure), then the answer for the whole chain is bogus.  If the bit isn't set, then security resolution for the target restarts with the target - e.g. if the target is under a trust anchor then it must validate or the chain is bogus.  Obviously, this bit doesn't exist - should it?

And finishing up with MTA-MTA - if I use the current model and have a lookup chain to a DNAME that validates, but that the target of the DNAME isn't under a trust anchor - should I deliver the mail?  If so, why?  If not, why?

What do I do if the MX look up is secure, but the A lookup is unsecure or unknown? Vice versa?

What markings if any should go on an email (header notation) to indicate a forwarding routing was based on data with an "unsecure" or "unknown" trust state?  or if the MX was secure and the A wasn't or vice versa?

Should a downstream receiver do anything special for messages marked as above?  Would this ever be a reasonable filtering criteria?



>The question is: what should applications do for state 3? My answer
>would be to treat it like state 4, I think, but there's room for debate.
>
>Cheers,
>
>Ben.
>
>-- 
>http://www.apache-ssl.org/ben.html           http://www.links.org/
>
>"There is no limit to what a man can do or how far he can go if he
>doesn't mind who gets the credit." - Robert Woodruff



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email