IETF Logo Mail Archive

Re: [dnsext] Authenticated denial of existence...

Matthijs Mekking <matthijs@nlnetlabs.nl> Thu, 21 November 2013 07:33 UTC

Return-Path: <matthijs@nlnetlabs.nl>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AD461AE0B2 for <dnsext@ietfa.amsl.com>; Wed, 20 Nov 2013 23:33:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.431
X-Spam-Level:
X-Spam-Status: No, score=-100.431 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QudHfEYI59ef for <dnsext@ietfa.amsl.com>; Wed, 20 Nov 2013 23:33:02 -0800 (PST)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 502921AE08B for <dnsext@ietf.org>; Wed, 20 Nov 2013 23:33:02 -0800 (PST)
Received: from [IPv6:2001:981:19be:1:851e:b7f0:265c:4402] ([IPv6:2001:981:19be:1:851e:b7f0:265c:4402]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.7/8.14.4) with ESMTP id rAL7VPBa016702 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Thu, 21 Nov 2013 08:31:26 +0100 (CET) (envelope-from matthijs@nlnetlabs.nl)
Authentication-Results: open.nlnetlabs.nl; dmarc=none header.from=nlnetlabs.nl
DKIM-Filter: OpenDKIM Filter v2.8.3 open.nlnetlabs.nl rAL7VPBa016702
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1385019087; bh=mYZLqPI8UA9UlWZu3QJYCJ0Vec6tgdtkdRlWEeJNoUg=; h=Date:From:To:Subject:References:In-Reply-To; b=dThJQ3qDFlvjJAvoFU/Kj4MqqQ36PbYrJ5nnhnE6zw5/qSB7MXNs8STzxHYVZx2NL Uc7wPt2VCwwmw/IE1IH9tNl/iOxUwvwzwcT9aTFTJGcFvCkEVGMzb5FDbPMlvgPogp gWzOyZiYTtSzeifhluLmUM44aNQrysRsxzoFAYy4=
Message-ID: <528DB6CB.1040404@nlnetlabs.nl>
Date: Thu, 21 Nov 2013 08:31:23 +0100
From: Matthijs Mekking <matthijs@nlnetlabs.nl>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Dave Lawrence <tale@dd.org>, dnsext@ietf.org
References: <CFD6B510-D70E-4308-BF3E-B2E7C2ADCBEB@nominum.com> <alpine.LSU.2.00.1311201202570.11548@hermes-2.csi.cam.ac.uk> <21132.63250.716415.755401@gro.dd.org>
In-Reply-To: <21132.63250.716415.755401@gro.dd.org>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::53]); Thu, 21 Nov 2013 08:31:27 +0100 (CET)
Subject: Re: [dnsext] Authenticated denial of existence...
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2013 07:33:04 -0000

Hi,

On 11/20/2013 06:53 PM, Dave Lawrence wrote:
> Tony Finch writes:
>>> https://datatracker.ietf.org/doc/draft-gieben-auth-denial-of-existence-dns/
>>
>> A really nice and helpful document.
> 
> Agreed.  Really well put-together.  I do like the previously mentioned
> ideas of including a bit about RFC 4470 and a few short words on
> alternatives to managing the nsec3 hash space (like Kaminsky's).
> Appendix is fine to not disrupt the flow, and it probably doesn't
> really need more than a paragraph or so for each.

Thanks. Miek and I are going to cover the topic.

> Section 3[.0] should probably elaborate on this:
> 
>    When you are querying a name server for a record that actually
>    exists, a man-in-the-middle may replay that generic denial record
>    and it would be impossible to tell whether the response was genuine
>    or spoofed.
> 
> especially when later on 3.2 says this:
> 
>    Therefore, the RRSIG's RDATA include a validity period (not visible
>    in the zone above), so that an attacker cannot replay this NXDOMAIN
>    response for "c.example.org" forever.
> 
> which could easily leave the reader wondering, "so why doesn't having
> a validity period on a generic denial record adequately address this?"
> 
> I realize the answer is obvious to us, but it isn't obvious in the
> document, which is meant to be accessible by people outside the
> security sphere.
> 
> Maybe this subtle would work?  I'm not entirely sure how much it does
> help, but does start to point in the right direction.
> 
>    When you are querying a name server for any record that actually
>    exists, a man-in-the-middle could replay that generic denial record
>    that is not limited in its scope and it would be impossible to tell
>    whether the response was genuine or spoofed.

I agree. Thank you for providing text.

Best regards,
  Matthijs


> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
>

v2.39.1 | Report a Bug | By Email | System Status