IETF Logo Mail Archive

Re: [dnsext] Clarifying the mandatory algorithm rules

Ondřej Surý <ondrej.sury@nic.cz> Fri, 19 November 2010 10:57 UTC

Return-Path: <ondrej.sury@nic.cz>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3D0393A68C2 for <dnsext@core3.amsl.com>; Fri, 19 Nov 2010 02:57:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S3gBJXEkxIeW for <dnsext@core3.amsl.com>; Fri, 19 Nov 2010 02:57:57 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by core3.amsl.com (Postfix) with ESMTP id 989143A681E for <dnsext@ietf.org>; Fri, 19 Nov 2010 02:57:56 -0800 (PST)
Received: from [IPv6:2001:67c:64:42:221:6aff:fe5b:b80] (unknown [IPv6:2001:67c:64:42:221:6aff:fe5b:b80]) by mail.nic.cz (Postfix) with ESMTPSA id F2242734290; Fri, 19 Nov 2010 11:58:42 +0100 (CET)
Message-ID: <4CE65862.4070508@nic.cz>
Date: Fri, 19 Nov 2010 11:58:42 +0100
From: Ondřej Surý <ondrej.sury@nic.cz>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Lightning/1.0b2 Thunderbird/3.1.6
MIME-Version: 1.0
To: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE50C01.4010104@nic.cz> <alpine.BSF.2.00.1011180630550.83352@fledge.watson.org> <4CE5898C.7050801@nic.cz> <4CE64785.7090401@nlnetlabs.nl>
In-Reply-To: <4CE64785.7090401@nlnetlabs.nl>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Nov 2010 10:57:58 -0000

On 19.11.2010 10:46, W.C.A. Wijngaards wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> On 11/18/2010 09:16 PM, Ondřej Surý wrote:
>> The idea is that just adding a new key with algorithm B (the strong)
>> without chaining it to the parent zone doesn't add any new security,
>> since the chain of trust is secured by the (the weak) algorithm A.
>
> Today, the RFC has rules for DS-DNSKEY and rule for DNSKEY-DATA.  You
> want to create new rules for DS-DATA.

Just to clarify - I agree that what Unbound does is in alignment with 
what RFC says.

>> So, yes the RFCs need a clarification and yes the unbound is
>> unnecessarily strict since such strict implementation doesn't add any
>> additional security (because you don't have a chain of trust leading to
>> a key).  Wouter, object now or never :).
>
> You called?  Yes, unbound is strict, it enforces the exact zone signing
> requirements from the RFC.  But, I am not objecting to you strongly.  I
> want to caution making changes to RFC4035, there must be backwards
> compatibility.
 >
> But the above makes the algorithm-set determined by the parent.
> Now, the algorithm set is determined by the child (when you get there).
> I appreciate the concern that if you want to protect a downgrade, then
> you must signal this at the parent.

Yes.

> Mark Andrews wrote:
>> Additionally the MUST is a directive to *zone operators*.  A zone
>> operator can comply with that MUST but validation will still fail
>> with unbound as unbound requires that a zone be signed with DNSKEYs
>> which are NOT in the zone prior to adding the DNSKEY to the zone
>> due to caching.  On this alone it is clear that unbound is in the
>> wrong.
>
> Let me try to understand this and then respond.  You talk about having
> to prepublish signatures before the keys are published.
>
> This is necessary with the current rules today for algorithm-support
> reasons.  It does not go away if unbound has less strict checking.  The
> affected servers could be bind, unbound or other implementations.
>
> Your change to the rules makes it possible to add the key, and then
> signatures slowly, with a new algorithm, (as long as the DS is not added
> yet).  I appreciate that niceness.
>
> You are correct that you must also take the trust-anchors into account
> to do it properly (and I do not do that today).

I suggest we all think about that and put the result into a -bis document.

Ondrej
-- 
  Ondřej Surý
  vedoucí výzkumu/Head of R&D department
  -------------------------------------------
  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
  Americka 23, 120 00 Praha 2, Czech Republic
  mailto:ondrej.sury@nic.cz    http://nic.cz/
  tel:+420.222745110       fax:+420.222745112
  -------------------------------------------

v2.23.0 | Report a Bug | By Email