[dnsext] Robustness & Extensibility -- was: Re: Clarifying the mandatory algorithm rules
Alfred Hönes <ah@TR-Sys.de> Thu, 18 November 2010 15:51 UTC
Return-Path: <A.Hoenes@TR-Sys.de>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 842CA3A6879 for <dnsext@core3.amsl.com>; Thu, 18 Nov 2010 07:51:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.176
X-Spam-Level:
X-Spam-Status: No, score=-98.176 tagged_above=-999 required=5 tests=[AWL=0.573, BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gE8GUAHuMq+8 for <dnsext@core3.amsl.com>; Thu, 18 Nov 2010 07:51:33 -0800 (PST)
Received: from TR-Sys.de (gateway.tr-sys.de [213.178.172.147]) by core3.amsl.com (Postfix) with ESMTP id 546983A67FA for <dnsext@ietf.org>; Thu, 18 Nov 2010 07:51:32 -0800 (PST)
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3.2) id AA247645523; Thu, 18 Nov 2010 16:52:03 +0100
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id QAA15905; Thu, 18 Nov 2010 16:52:02 +0100 (MEZ)
From: Alfred Hönes <ah@TR-Sys.de>
Message-Id: <201011181552.QAA15905@TR-Sys.de>
To: jelte@isc.org
Date: Thu, 18 Nov 2010 16:52:01 +0100
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Thu, 18 Nov 2010 07:54:05 -0800
Cc: dnsext@ietf.org
Subject: [dnsext] Robustness & Extensibility -- was: Re: Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 15:51:34 -0000
At Thu, 18 Nov 2010 15:33:11 +0100 , Jelte Jansen wrote:
> [...]
>
> Or, more generally, why say that you MUST do a, then say that you
> SHOULD/MAY NOT check whether A was done?
>
> [...]
Isn't that simply a basic corollary of Jon Postel's robustness
principle?
We frequently say:
[the originator] MUST set xxxxx to yyyyyy.
and:
[the recipient] MUST ignore xxxxx.
IMO, this is a basic principle that allows a smooth path forward
for the introduction of new protocol elements.
In the case discussed here, introduction of a new crypto-algorithm
into a DNSSEC-signed DNS zone, a similar application of the robustness
principle seems appropriate.
Unless the recipient (= validator) is *required* (by policy, or
lack of support of the previously used crypto-algorithm) to validate
signatures based on the new algorithm, any other working validation
path should suffice.
It is up to the zone maintainer/signer to decide when they deem the
old algorithm insecure enough to regard its usage as a downgrade
attack: they just have to retire the corresponding keys and signatures.
At that time, they cut off the tail of validators that do not support
the new crypto.
Until that is done, these will be able validate, and it makes no
sense to expect other validators to regard that validation path as
insufficient -- there's no point in regarding the old way as
insecure for some validators and secure for other validators.
Cf. the principles in X.509 / PKIX: Absent specific local policy,
*any* validatable certification path from an available trust anchor
to a given certificate under consideration is acceptable.
(RFC 5280 explicitely tells you to try the next possible cert path
whenever validation of a candidate cert path fails, for any reason.)
Here, "validatable" includes built-in support of the signature
algorithm and underlying hash algorithm, local policy admitting the
acceptance of these algorithms for signature validation, and the
mathematical verification of the signatures found.
Therefore, I fully support Samuel Weiler's PoV that DNSSEC validating
resolvers should only care about syntactical correctness of RRs
and the specific rules codified for such resolvers in the specs.
Otherwise, we would likely tend to more and more close windows for
a smooth migration to protocol extensions (including migration to
new crypto) and make DNSSEC administration and management subject
to even more restrictions (that essentially would only serve to make
that management more fragile and error-prone and thereby make DNSSEC
itself looking more error-prone from the PoV of DNS users.
Making independent things happen at the same time is particularly
difficult in a highly distributed environment like the DNS, and so
allowing small steps on the signer/maintainer side of a zone and have
only particular "milestones" trigger change of mandatory behavior
in validating resolvers seems to be a valid and valuable strategy.
Kind regards,
Alfred.
- [dnsext] Robustness & Extensibility -- was: Re: C… Alfred Hönes