Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
ted@tednet.nl (Ted Lindgreen) Mon, 02 April 2001 16:49 UTC
Received: from psg.com (exim@[147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA20037 for <dnsext-archive@lists.ietf.org>; Mon, 2 Apr 2001 12:49:05 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14k78q-000GDc-00 for namedroppers-data@psg.com; Mon, 02 Apr 2001 09:25:20 -0700
Received: from 64-214-53-107.dhcp.arin.gblx.net ([64.214.53.107] helo=roam.psg.com ident=root) by psg.com with esmtp (Exim 3.16 #1) id 14k78q-000GDV-00 for namedroppers@ops.ietf.org; Mon, 02 Apr 2001 09:25:20 -0700
Received: from randy by roam.psg.com with local (Exim 3.20 #1) id 14k78p-0003wq-00 for namedroppers@ops.ietf.org; Mon, 02 Apr 2001 09:25:19 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <200104021303.f32D3ac81962@open.nlnetlabs.nl>
From: ted@tednet.nl
Date: Mon, 02 Apr 2001 15:03:36 +0200
In-Reply-To: "Edward Lewis's message as of Apr 2, 8:17"
Reply-To: Ted.Lindgreen@tednet.nl
To: Edward Lewis <lewis@tislabs.com>, Brian Wellington <Brian.Wellington@nominum.com>
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
Cc: team@nlnetlabs.nl, namedroppers@ops.ietf.org
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Content-Transfer-Encoding: 7bit
[Quoting Edward Lewis, on Apr 2, 8:17, in "Re: Signature at par ..."] > Now, the issue is where the signature goes. This is a related question - > recall that there were children who didn't grab the new signatures (because > they weren't aware of them). So, does the delegator just cut the middleman > and publish the signatures that it generated, or does the child need to be > notified by (push) or need to poll the (pull) parent. NLnet is proposing > cutting out the middleman... Yes, you can say it like that. > Yet another question...this proposal helps keep the parent-child > relationship going, but is it secure? Of course that's the main point! Perhaps it is instructive to look at it from the point of view "what can go wrong" instead of the usual "how to do it right". Let us discuss: - What can go wong, and how easy is that? - What is the damage if it goes wrong? - Is it noticed quickly, and will it be picked up? - Can it be fixed quickly, and if so who is involved and what and how long does it take? - If it can not be fixed quickly, what to do in the mean time? - Can someone be blamed, made liable (or better said: can someone be encouraged to not make the same mistake in future again)? But, first thing to review is Ed's question above: is it secure? To discuss that, we first have to know where the vulnarabilities are. As far as I see, there is one and only one real security issue at the delegation point: A valid parental SIG over a KEY RR, from which the private part is (also) known to someone else than the legitimate administrator of the child zone. (Note: see NOTE below) How can it happen? 1. The private key at the child has been compromised. 2. The parent has been fooled and thus insuffiently checked whether the KEY RR is really from the child. The first one is child-problem, where it needs help from its parent. It's discussed further on in this mail. The second one is a delegation-administration-problem and is discussed first: When the initial KEY RR is sent to the parent, this is always a difficult point. At TLDs even more complicated by the existence of the 4 orgs involved: Registry, Registrant, Holder, and ZoneAdministrator. Some kind of out-of-band procedure must be used, and it will most likely involve written and signed statements and contracts with (non-)liability clauses. Let us not discuss this here further, because again it is insensitive to the issue at hand. It becomes interesting when a parent resigns. First question is: "when" is the parent re-signing? We (NLnet Labs) think: as often as practically possible, because when (not if ;-) something bad happens, the child is vulnarable for as long as the parental SIG is valid. ===> Therefore, we re-sign our test-TLD currently daily, and we do not sign in advance. Next question is: "what" is the parent re-signing? When the parent keeps the childs-KEY in hand (either in the zonefile or a database) it is probably OK as long as the child does not scream "My KEY is compromised". Also can this KEY then be used to verify a new KEY at a keyrollover. On the other hand, if the child must resubmit its KEY RR to get re-signed every time this is an invitation for a spoofing attack every time. Bad idea we think. ===> For security sake, the parent (TLD) better holds on to the KEY RRs from its children. Third question: does it matter where the parental SIG resides? At first one might think: yes, if the child can re-check that the right KEY is signed before putting the SIG in its zone, it is save. But.... if the bad guy has setup a fake zone, and has fooled the parent to sign his (fake) KEY, the bad guy will have little problems to put this (valid) SIG in his fake zone. ===> So, from a security point of view the answer is: NO. Now, over to discussing what happens when a parental SIG over a child KEY expires. This, in contrast to above, is completely different when the SIG resides @parent of @child. 1. Parental SIG @ parent. What might have happened? - For this to happen, the (parents) zoneadministrator must have "forgotten" to re-sign the zone in time. As we think this is not a administrators-job, but a crontab-job, it's an unlikely event. - But if it happens anyway, chances are that if one is expired more SIGs are expired, likely all of them in the zone. What's the damage? - The parent and the whole tree below drop of the Internet for secure aware resolvers. Who will notice and make some noise? - A number of people will start screaming, and because of the damage, the zoneadministrator will probably give some attention to the problem. How to fix it? - He/she types "make" in the zone directory (at least, that's how we set it up at NLnet Labs) to refresh all SIGs and sigHUP named. Who is to blame, and how to prevent it in future? - The parents zoneadministrator, and he/she better puts in a working crontab job to re-signs the zone regularly. 2. Parental SIG @ child. There are now a lot more possibilities of things that could have gone wrong: - The child has not asked for a new SIG in time. - The net was down when the child asked. - The parent did not sign or did not provide the new SIG. - The net was down when the parent did. - The child could not put the new SIG in its zone for any other reason. What's the damage? - Depends on what happened, but probably just one of a few children drop of the Internet. Who will notice and make some noise? - The affected children and or its customers will notice. - A few helpdesks may be passed through to get to the attention of the parents zoneadministrator for a new SIG. - If the parent is a large TLD, chances are that when it is one or a few children, he/she is not too interested, but when it's many, he/she is overwhelmed. How to fix it? - Depending on how it is set it up (stored the KEY at parent?), the TLDs zoneadministrator must re-establish the authenticity of the childs zoneadministrator before signing the KEY. - The new SIG must get from parent to child. - Child must put it in and sigHUP named. Who is to blame, and how to prevent it in future? - Difficult, probably every one will point to another, - As it is difficut to pinpoint the cause, it is also difficult to prevent it from happening again. Let us look now at another bad event: - A child gets its key compromised. - Let's pick a large TLD, with - most children not very sensitive to security, but some (still hundreds of thousands) are, - and a few (say a hundredthousand) secure subtrees (next to the millions of end-zones). Let's go through the questions: What might have happened? - The TLDs key got compromised. What's the damage? - The TLDs and all zones thereunder are vulnarable. Who will notice and make some noise? - Hopefully someone finds out before misuse has really started... How to fix it? This now depends on what the TLD chooses to do, and where its SIGs over the childs KEY RRs reside. 2 x 2 posibilities: 1A. TLD becomes unsecure immediately, SIG @ parent 1B. TLD rolls over its KEY immediately, SIG @ parent 2A. TLD becomes unsecure immediately, SIG @ child 2B. TLD rolls over its KEY immediately, SIG @ child So, again, how to fix it? 1A. TLD becomes unsecure immediately, SIG @ parent. - TLD goes to root with a request to become unsecure immediately. - Root's zone administrator needs to establish authenticity of request and requester out-of-band. - Root's zone administrator puts in a null-KEY for TLD into rootzone, re-signs, and sigHUPs. - Where the old KEY and old SIGs are cached (or spoofed into the cache!!!) they remain valid intil the SIGs expire. Nothing we can do about that. - Once the old SIG expires, the TLD and all zones below are now verifyably unsecure, and therefore: - secure transactions will know that they cannot trust DNS info. - do not drop of the Internet - TLD starts investigating what went wrong, fix that and gets more or less into the state of "becoming first-time secure": once it has signed its own zone with a new KEY and got the new KEY also signed at the root everything is back to normal. 1B. TLD rolls over its KEY immediately, SIG @ parent. - TLD goes to root with an immergency KEY rollover request. - Root's zone administrator needs to establish authenticity of request and requester out-of-band. - Root's zone administrator puts in the new TLD-KEY into rootzone, re-signs, and sigHUPs. - The TLD puts the new KEY in its zone and re-signs. - Where the old KEY and old SIGs are cached (or spoofed into the cache!!!) they remain valid intil the SIGs expire. Nothing we can do about that. - As soon as the old SIG expires, everything is back to normal. 2A. TLD becomes unsecure immediately, SIG @ child - TLD goes to root with a request to become unsecure immediately. - Root's zone administrator needs to establish authenticity of request and requester out-of-band. - Root's zone administrator puts in a null-KEY for TLD into rootzone, re-signs, and sigHUPs. - Where the old KEY and old SIGs are cached (or spoofed into the cache!!!) they remain valid intil the SIGs expire. Nothing we can do about that. - Once the old SIG expires, the TLD and all zones below are now verifyably unsecure (see above). - TLD starts investigating what went wrong, fix that. - TLD can not get into "becoming first-time secure", because it has SIGs from the compromised KEY out there at all its children, they MUST be replaced before the TLD can become secure again with a new KEY. This may take some time for a large TLD. 2B. TLD rolls over its KEY immediately, SIG @ child. We tried several scenarios, but we have not found an acceptable way. The possible choices are: 1. Allow secure children to be exposed. 2. Allow secure children to drop from the Internet. 3. Use scenario 2A to become unsecured for a reasonably long time to clean up, and then become secure again. We have worked out several more scenarios (I admit, they are all "horror scenarios", but nontheless likely to happen sooner or later), but I think this e-mail got too long already :-) Regards, -- Ted. NOTE: Someone said: what if the parent puts in a wrong or mistyped childs KEY in its zone, isn't that a security risk? This is IMHO not a security issue, it is "just" bad zoneadministration and similar to mistyped or wrong NS or glue RRs at the parent zone. Also, it does not expose the child, the parent "just" disables the child, unless, of course, the "mistyped" KEY happens to be the KEY from mr. Bad Guy, but then we are back to the security issue already mentioned. to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body.
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: Signature at parent (draft-ietf-dnsop-parent-… Olaf Kolkman
- Re: Signature at parent (draft-ietf-dnsop-parent-… Roy Arends
- Re: Signature at parent (draft-ietf-dnsop-parent-… Miek Gieben
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… John Gilmore
- Re: Signature at parent (draft-ietf-dnsop-parent-… Olaf Kolkman
- Re: Signature at parent (draft-ietf-dnsop-parent-… Brian Wellington
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Kevin Darcy
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Eric A. Hall
- Re: Signature at parent (draft-ietf-dnsop-parent-… Dan Massey
- DNS vs. non-DNS Data (was Re: Signature at parent… Kevin Darcy
- Re: Signature at parent (draft-ietf-dnsop-parent-… Randy Bush
- Re: Signature at parent (draft-ietf-dnsop-parent-… Ted Lindgreen
- Re: Signature at parent (draft-ietf-dnsop-parent-… Peter Koch
- Re: DNS vs. non-DNS Data (was Re: Signature at pa… Eric A. Hall
- Re: Signature at parent (draft-ietf-dnsop-parent-… Brian Wellington
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis
- Re: Signature at parent (draft-ietf-dnsop-parent-… Edward Lewis