IETF Logo Mail Archive

Re: [dnsext] Historical root keys: The Large Router Vendor Speaks

Ted Lemon <Ted.Lemon@nominum.com> Fri, 28 January 2011 18:18 UTC

Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5BB463A6939 for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 10:18:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.594
X-Spam-Level:
X-Spam-Status: No, score=-106.594 tagged_above=-999 required=5 tests=[AWL=0.005, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NlXOXtL5mswK for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 10:18:53 -0800 (PST)
Received: from exprod7og119.obsmtp.com (exprod7og119.obsmtp.com [64.18.2.16]) by core3.amsl.com (Postfix) with ESMTP id 4F75C3A692E for <dnsext@ietf.org>; Fri, 28 Jan 2011 10:18:53 -0800 (PST)
Received: from source ([64.89.228.229]) (using TLSv1) by exprod7ob119.postini.com ([64.18.6.12]) with SMTP ID DSNKTUMJR5gbxAC7+QpgImfiuEflatUCtl5Z@postini.com; Fri, 28 Jan 2011 10:22:00 PST
Received: from archivist.nominum.com (archivist.nominum.com [64.89.228.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by shell-too.nominum.com (Postfix) with ESMTP id 224DF1B82F5 for <dnsext@ietf.org>; Fri, 28 Jan 2011 10:21:56 -0800 (PST)
Received: from webmail.nominum.com (webmail.nominum.com [64.89.228.50]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (Client CN "webmail.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by archivist.nominum.com (Postfix) with ESMTP id E5FCC19005D; Fri, 28 Jan 2011 10:21:55 -0800 (PST)
Received: from vpna-148.vpn.nominum.com (64.89.227.148) by exchange-01.win.nominum.com (64.89.228.50) with Microsoft SMTP Server (TLS) id 8.2.176.0; Fri, 28 Jan 2011 10:21:55 -0800
MIME-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Ted Lemon <Ted.Lemon@nominum.com>
In-Reply-To: <4D430265.8020100@cisco.com>
Date: Fri, 28 Jan 2011 13:21:50 -0500
Content-Transfer-Encoding: quoted-printable
Message-ID: <CC2F983A-2F05-46D9-8901-326105577864@nominum.com>
References: <4D41D3E2.6060107@cisco.com> <3125F45F-7594-498F-AFA3-D2D738A228F5@hopcount.ca> <4D42ED13.5030000@cisco.com> <562C7583-B719-482F-B201-EFB54138BAF1@icsi.berkeley.edu> <E4865E48-383B-4591-AF27-34571C4AA367@nominum.com> <4D430265.8020100@cisco.com>
To: John Bashinski <jbash@cisco.com>
X-Mailer: Apple Mail (2.1082)
Cc: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>, dnsext List <dnsext@ietf.org>, george.barwood@plueyonder.co.uk
Subject: Re: [dnsext] Historical root keys: The Large Router Vendor Speaks
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 18:18:54 -0000

> 3. Learn the root key by "limited faith". This is another siginificant
>   improvement; it means that somebody has to keep a DoS or something
>   running continuously from the moment you're installed up through
>   the moment they want to feed you bad data. Which could be
>   months. If they slip up at any time, you learn a good key and they
>   lose the ability to hurt you. And they're very likely to be
>   detected.

I think the reason I disagree with you on this is that your threat model is narrower than mine.   I agree that for this threat model, and the others you describe, "limited faith" is an improvement.   But what I'm concerned about are situations where the network is "owned," as Nicholas likes to put it.   In these situations, a compromise that allows the attacker to present a consistent DNS using an old compromised root is a lot harder to detect than one that requires the attacker to know the specific key for your device that must be compromised.

I am not arguing that consistency checks are a bad idea.   If you can catch your attacker in a lie, that's good.   If your attacker can't reliably lie to you, that's also good.

But the particular leap of faith involved in tracing back history using an unauthenticated history list is useless in the face of a key compromise, because once you have that key, you can create a fake history that looks just as legitimate as the real history would; the fact that it validates does not mean that the later key is legitimate.

> There are tradeoffs there, and they're not just cost tradeoffs.  A
> system for managing a whole bunch of keys is necessarily more complex
> than a system for managing just one. It handles higher volumes of
> data. It updates things more frequently (which means updates can't be
> scrutinized as hard). It has more parts that have to be kept online or
> near-line. Those all hurt the security.

This isn't strictly true.   DNSSEC is an example of a system that allows for the management of a large set of keys in a secure manner, with the sensitive secrets maintained offline, and yet with full validation possible online.

I don't mean to say that there would be no cost associated with a system like the one I'm talking about, but I think the per-unit cost would be reasonable for useful values of N.

I won't get into the question of auto-update; suffice it to say that no consensus exists that auto-update, done well, is *less* secure than manual-only updates.

v2.23.0 | Report a Bug | By Email