Re: [dnsext] Name equivalence: No protocol change solution
fujiwara@jprs.co.jp Mon, 13 September 2010 11:30 UTC
Date: Mon, 13 Sep 2010 20:23:32 +0900
Message-Id: <20100913.202332.39163438.fujiwara@jprs.co.jp>
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Name equivalence: No protocol change solution
From: fujiwara@jprs.co.jp
In-Reply-To: <20100910.003741.276219111671353143.fujiwara@wide.ad.jp>
References: <20100910.003741.276219111671353143.fujiwara@wide.ad.jp>
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>
My idea's advantages are:
  no protocol changes
  no resolver/validator changes
  no authoritative server changes except servers which host SNAME synthesis.

My idea's disadvantage is that a TLD which wants to synthesize variants
needs to develop new DNS server software, and it uses online signing.

If someone is interested in my idea, let's write an internet draft with me.

I left out examples of my program.

# TLD= sname.dnslab.jp
# Registered domain name is "secure.$TLD"
# Variants are "variant1.$TLD", "variant2.$TLD", "variant3.$TLD"
# Authoritative DNS Server is "snamens.dnslab.jp" [203.178.129.38]

1. Querying variant name for authoritative DNS server:

% dig @203.178.129.38 variant1.sname.dnslab.jp A

returns

;; ANSWER SECTION:
variant1.sname.dnslab.jp. 900 IN CNAME secure.sname.dnslab.jp.

% dig @203.178.129.38 variant1.sname.dnslab.jp A +dnssec

returns

;; ANSWER SECTION:
variant1.sname.dnslab.jp. 900 IN CNAME secure.sname.dnslab.jp.
variant1.sname.dnslab.jp. 900 IN RRSIG CNAME 8 4 900 20101013105101 20100913105101 63840 sname.dnslab.jp. Heh+YDhaE44mXsspBeB73SX1YpI7SYZGO+3fuKQB2UGeRWEHOHR1xbPK xAyP5c13IgfGj0sPfpc9j/XmNNOHhfAS1wxPDBjz7+lywpa69h/8BJwd 5/ZzUw+X33TUgImKupb4t7Sq2NPgrX3vZs+9/4bjqKeEGFHvxH4jBtNM Gtw=

;; AUTHORITY SECTION:
variant1.sname.dnslab.jp. 900 IN NSEC \000.variant1.sname.dnslab.jp. CNAME
variant1.sname.dnslab.jp. 900 IN RRSIG NSEC 8 4 900 20101013105101 20100913105101 63840 sname.dnslab.jp. ftgpYus+o9c0vSuBy4TM/UKe+fPXmhvhVZ8SO/KKmBr0x6GRnqK2WqZ2 BUKUCZTa/1d6D6ZsarRvJd5XZ13z9gcUNWc+7FCgQy09mGB5kD66i3YV BbGsjSgajVPxd0yBQSauxv+ECJzlCkJvpE5Uq7CUtnnWcf0r0XlqC8Qx 2Jo=

% dig @203.178.129.38 www.variant1.sname.dnslab.jp A

returns

;; ANSWER SECTION:
www.variant1.sname.dnslab.jp. 900 IN CNAME www.secure.sname.dnslab.jp.

% dig @203.178.129.38 www.variant1.sname.dnslab.jp A +dnssec

returns

;; ANSWER SECTION:
www.variant1.sname.dnslab.jp. 900 IN CNAME www.secure.sname.dnslab.jp.
www.variant1.sname.dnslab.jp. 900 IN RRSIG CNAME 8 5 900 20101013105148 20100913105148 63840 sname.dnslab.jp. Up3A7TbL38tlf+8Dxmwr8KAWN7ZbO54hw1sxFZuUak6hQ7mJKx3VfgVo //nigNSdhsIlvXtmVd6U26uN8JQei8PSmR3S/NM4fE1m6mFzjlDI4PCl pPmn6KvxmAdP5iNdzA8jk8VcNmZj75MZ/IGvf+HsRCFY9nogwjX/xlI8 18k=

;; AUTHORITY SECTION:
www.variant1.sname.dnslab.jp. 900 IN NSEC \000.www.variant1.sname.dnslab.jp. CNAME
www.variant1.sname.dnslab.jp. 900 IN RRSIG NSEC 8 5 900 20101013105148 20100913105148 63840 sname.dnslab.jp. PkKv5lbH2yWaS3Xt7LOpoRhlEDgVYyH87+TCx9wjmK3dX1j2xNJ5qBaN 4rfnB4SY8Sv8KzvzCa24ukuG3Au1h5NZG03k2OQG8gp6LFRaIm2Rr6WZ zt97xuGJfXuttyRMtfkz0JXFTS6E+KCF4DvXYo4nR5KTWaXA8i8yHJSK Cuw=

2. Querying for normal delegation

% dig @203.178.129.38 www.secure.sname.dnslab.jp

;; AUTHORITY SECTION:
secure.sname.dnslab.jp. 900 IN NS ns.secure.sname.dnslab.jp.
secure.sname.dnslab.jp. 900 IN DS 26197 8 2 5F0878B02D7B59064F99C7697BBCD2B198B1ACDE648A48A98AAC8FBF F66B72CA

;; ADDITIONAL SECTION:
ns.secure.sname.dnslab.jp. 900 IN A 61.192.162.73

# !! It returns DS without DO bit !!

% dig @203.178.129.38 www.secure.sname.dnslab.jp +dnssec

;; AUTHORITY SECTION:
secure.sname.dnslab.jp. 900 IN NS ns.secure.sname.dnslab.jp.
secure.sname.dnslab.jp. 900 IN DS 26197 8 2 5F0878B02D7B59064F99C7697BBCD2B198B1ACDE648A48A98AAC8FBF F66B72CA
secure.sname.dnslab.jp. 900 IN NSEC secure\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000.sname.dnslab.jp. NS DS NSEC
secure.sname.dnslab.jp. 900 IN RRSIG DS 8 4 900 20101013110643 20100913110643 63840 sname.dnslab.jp. DdW3OJXK0bYk/wBgVX752PZDKWR/AqZSAXrU4ljWZpShO8cRnm6bDXIA uUkovkq2mZIttM8UGwRH97kxhxPIK+D2LhF4g44+gjYv2/3RkaH+1p3V grwDa6HfXb+bUW+Bn+rW1jUTNSoaSaisnMRqU1dCtgk1XhASbRO/yeGL Yvs=
secure.sname.dnslab.jp. 900 IN RRSIG NSEC 8 4 900 20101013110643 20100913110643 63840 sname.dnslab.jp. ILawgTRWxqBFF5UIaTqQ4e/PtYltEjBBUbfHPY1NLsmH9yJgSv9SCzda UyKLGnLp3z7A0lHNy9svhDLUbKPVLutxR6kCVgysbiXghnUY8qyi6t5P 4NHscv7opXS7K5MszPj8jWRGpD5jpSRRWljkxqx29QeClAiwSdzQmB/Q iCc=

;; ADDITIONAL SECTION:
ns.secure.sname.dnslab.jp. 900 IN A 61.192.162.73

# !! It returns needless NSEC, sorry !!

3. APEX queries

% dig @203.178.129.38 sname.dnslab.jp NS +dnssec
% dig @203.178.129.38 sname.dnslab.jp SOA +dnssec
% dig @203.178.129.38 sname.dnslab.jp DNSKEY +dnssec

There are many unclear answers, but the answers are validatable.

4. DNSSEC validation using ISC DLV

% dig @validator www.variant1.sname.dnslab.jp A +dnssec

returns an AD=1 answer.

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.variant1.sname.dnslab.jp. IN A

;; ANSWER SECTION:
www.variant1.sname.dnslab.jp. 900 IN CNAME www.secure.sname.dnslab.jp.
www.variant1.sname.dnslab.jp. 900 IN RRSIG CNAME 8 5 900 20101013110958 20100913110958 63840 sname.dnslab.jp. gRoc9jFDyr//qBm+/0/UvP1E2X9BFNam3b1dFo8jGnBP8TIbxC1peGyX kBDUHovB8VNK1Laow8U0mYYUm+uFpWUJYmHBmBK364uPCeTK4HoU2mIT FeEAsBBW0TJqKEwmM3yYUb/VsWPAGydqPij0B8Yg3ih54me5Z6ItRif0 Xnw=
www.secure.sname.dnslab.jp. 3600 IN A 192.2.0.1
www.secure.sname.dnslab.jp. 3600 IN RRSIG A 8 5 3600 20101013062440 20100913062440 58683 secure.sname.dnslab.jp. iPmlOb14WOoPNGzX4msgY/fsBidAzs78c1yEHfFBXBljwdsZR3oGpYIP 6kfuXjhpbjSk9rtC9Qcv9VbTcCz+Ma++mW3lbqWE2r7TMR9ItEtWqyxB bMA43pyVg+3fHdHY4p6SlAVeCbeoTASzWYzIcS2uAeNP0aYffBHI6QL1 +y5Zq/TSYhdKoDcbFtJI/eaU4NEXGCyJn8KqDFMgjnLr/Nn1jWUKM7jJ 0Fk9AEGtZn3BfD4lziCBmtPRR3eiJIrB1YOGlFuiLlpuEIXabIcSkMjL FUw0zL+1N1zNTsjCTPuiRN+SIh6KPhGoacXD0Wnrzx0CIYGXx2oIJcsd b3wzyw==

You can test:

% dig @validator ns.variant1.sname.dnslab.jp A +dnssec
...

But my program has many problems:
  a non-existing name results in SERVFAIL...
  variant1's DNSKEY results in SERVFAIL...
  ...

I will fix them later.

--
Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>

> From: Kazunori Fujiwara <fujiwara@wide.ad.jp>
> The problems of BNAME and DNAME+CNAME come from co-existence of both
> CNAME and BNAME/DNAME RR in an owner name.
>
> If we introduce signaling for BNAME/DNAME+CNAME, new alias algorithm
> numbers for DNSSEC are required to support DNSSEC with BNAME/DNAME+CNAME.
>
> Then, I propose another solution for name equivalence.
> Consider a new DNS server which synthesizes CNAME RR without BNAME/DNAME.
>
> I introduce a new pseudo RR "SNAME" whose format is the same as DNAME in an
> input zone file. TARGET may be in the same zone.
> SNAME is pseudo, it does not appear in the DNS protocol.
>
> OWNERNAME IN SNAME TARGET
> TARGET    IN NS ...
>           IN DS ...
>
> New DNS Server answers are:
>
> QNAME            | Answer
> -----------------+----------------
> OWNERNAME        | OWNERNAME IN CNAME TARGET
> SUB.OWNERNAME    | SUB.OWNERNAME IN CNAME SUB.TARGET
> SUB.TARGET       | TARGET IN NS + TARGET IN DS
> TARGET           | TARGET IN NS + TARGET IN DS
> ...
>
> We can sign synthesized CNAME RR using RFC 4470.
> It does not need new algorithm numbers.
>
> I wrote a DNS server prototype which supports NS+DS+SNAME+DNSSEC.
> Only gTLD style zone is supported.
>
> my DNS server code is: http://member.wide.ad.jp/~fujiwara/SNAME.pl
> Sorry, no manual.
> It requires perl and Net::DNS::SEC.
>
> Programming takes a few hours (8 hours?) for me from v6rev.pl.
>
> If you want production quality, you should write your programs in C or C++.
>
> I run it in my company's server.
>
> TLD: sname.dnslab.jp
> TARGET: secure.sname.dnslab.jp
> Variants: variant[123].sname.dnslab.jp
>
> You can query: (for example)
> secure.sname.dnslab.jp A/DS/NSEC
> www.variant1.sname.dnslab.jp A
> ns.variant2.sname.dnslab.jp A
> variant3.sname.dnslab.jp A/NS
>
> dnslab.jp is registered in ISC DLV.
> sname.dnslab.jp and secure.sname.dnslab.jp are signed and have a chain of trust.
> You can test DNSSEC via ISC DLV.
>
> But the current version may not support proof of non-existence.
> # I will fix.
>
> Please test my implementation.
> It does not change the DNS protocol.
>
> If implementations solve requirements, we should implement !!
>
> Configuration is:
> ------------------------------------------
> server_address: 203.178.129.38
> server_port: 53
> pid_file: /var/run/SNAME.pid
> debug: 0
> reconfig_interval: 3600
> keyfile_dir: SNAME.key
> ttl: 900
> nsname: ns.sname.dnslab.jp
> forward_domainname: sname.dnslab.jp
> zone_file: SNAME.zone
> enable_dnssec: 1
> querylog: 1
> ------------------------------------------
>
> Zone data file is:
> ------------------------------------------
> #
> secure.sname.dnslab.jp. NS ns.secure.sname.dnslab.jp.
> secure.sname.dnslab.jp. DS 26197 8 2 5F0878B02D7B59064F99C7697BBCD2B198B1ACDE648A48A98AAC8FBFF66B72CA
> ns.secure.sname.dnslab.jp. A 61.192.162.73
> #
> variant1.sname.dnslab.jp. SNAME secure.sname.dnslab.jp.
> variant2.sname.dnslab.jp. SNAME secure.sname.dnslab.jp.
> variant3.sname.dnslab.jp. SNAME secure.sname.dnslab.jp.
> ------------------------------------------
>
> --
> Kazunori Fujiwara, JPRS
>
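The QNAME to Answer table in the quoted proposal, and the dig output above it, can be reproduced with a small model of the synthesis rules. The following is an added example written for this archive page; it is not SNAME.pl (which is Perl and does the real online signing) and not code from the thread. The zone text is a copy of the quoted zone data file, the "\000"-prefixed NSEC next name follows the dig output above, and the `parse_zone`/`answer` functions, their return shapes, and the REFUSED/NXDOMAIN choices are assumptions of this example. RRSIG generation is left out; the model only emits what the online signer would sign.

```python
# Added model of the QNAME -> Answer table in Fujiwara's proposal; this is not
# SNAME.pl. Zone data and the "\000" NSEC next name come from the thread; the
# zone dict layout and the answer() return shape are assumptions of this example.

# Constructed copy of the zone data file quoted in the thread.
ZONE_TEXT = """
#
secure.sname.dnslab.jp. NS ns.secure.sname.dnslab.jp.
secure.sname.dnslab.jp. DS 26197 8 2 5F0878B02D7B59064F99C7697BBCD2B198B1ACDE648A48A98AAC8FBFF66B72CA
ns.secure.sname.dnslab.jp. A 61.192.162.73
#
variant1.sname.dnslab.jp. SNAME secure.sname.dnslab.jp.
variant2.sname.dnslab.jp. SNAME secure.sname.dnslab.jp.
variant3.sname.dnslab.jp. SNAME secure.sname.dnslab.jp.
"""


def labels(name):
    """Labels of a DNS name, lowercased, root label omitted."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def is_below(name, ancestor):
    """True when name is strictly below ancestor in the tree."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[-len(a):] == a


def prefix_of(name, ancestor):
    """Labels of name beneath ancestor, i.e. "SUB" in the proposal's table."""
    n, a = labels(name), labels(ancestor)
    return ".".join(n[:len(n) - len(a)])


def parse_zone(origin, text):
    """Parse 'owner TYPE rdata' lines of the quoted zone file; '#' starts a comment."""
    zone = {"origin": origin.lower(), "NS": {}, "DS": {}, "A": {}, "SNAME": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, rtype, rdata = line.split(None, 2)
        if rtype not in zone:
            raise ValueError("unsupported type in SNAME-style zone: " + rtype)
        if rtype in ("NS", "SNAME"):
            rdata = rdata.lower()
        zone[rtype].setdefault(owner.lower(), []).append(rdata)
    return zone


def covering_nsec(owner):
    """RFC 4470-style minimally covering NSEC for a synthesized name: the next name is
    owner with a leading \\000 label, as in the thread's dig output. A conforming type
    bitmap lists RRSIG and NSEC beside CNAME."""
    return (owner, "NSEC", "\\000." + owner + " CNAME RRSIG NSEC")


def answer(zone, qname, dnssec=False):
    """Response sections for qname per the proposal's QNAME -> Answer table.
    RRSIGs come from the online signer in the real server and are not modeled."""
    qname = qname.lower().rstrip(".") + "."
    resp = {"rcode": "NOERROR", "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    if qname != zone["origin"] and not is_below(qname, zone["origin"]):
        resp["rcode"] = "REFUSED"  # not our zone
        return resp
    if qname == zone["origin"]:
        return resp                # apex NS/SOA/DNSKEY come from config and keys, not this file
    # OWNERNAME and SUB.OWNERNAME rows: synthesize the CNAME, plus its NSEC when DO is set.
    for owner, targets in zone["SNAME"].items():
        target = targets[0]        # one SNAME per owner in this model
        if qname == owner:
            cname = target
        elif is_below(qname, owner):
            cname = prefix_of(qname, owner) + "." + target
        else:
            continue
        resp["ANSWER"].append((qname, "CNAME", cname))
        if dnssec:
            resp["AUTHORITY"].append(covering_nsec(qname))
        return resp
    # TARGET and SUB.TARGET rows: referral; DS only with the DO bit
    # (the thread marks the prototype's DS-without-DO reply as a bug).
    for owner, nslist in zone["NS"].items():
        if qname == owner or is_below(qname, owner):
            resp["AUTHORITY"] += [(owner, "NS", ns) for ns in nslist]
            if dnssec:
                resp["AUTHORITY"] += [(owner, "DS", ds) for ds in zone["DS"].get(owner, [])]
            resp["ADDITIONAL"] += [(ns, "A", a) for ns in nslist for a in zone["A"].get(ns, [])]
            return resp
    resp["rcode"] = "NXDOMAIN"     # the prototype answered SERVFAIL here, per the thread
    return resp
```

Calling `answer(parse_zone("sname.dnslab.jp.", ZONE_TEXT), "www.variant1.sname.dnslab.jp", dnssec=True)` yields the synthesized `www.secure.sname.dnslab.jp.` CNAME and the `\000.www.variant1...` NSEC seen in the dig output; a query under `secure.sname.dnslab.jp` yields the NS/DS referral with glue. Two points the model makes visible for operators: every synthesized name needs its own NSEC and RRSIG minted at query time, which is why the design requires the zone-signing key to be online on the serving host (the disadvantage the author names), and a name that matches neither an SNAME owner nor a delegation must get NXDOMAIN with a covering NSEC rather than the SERVFAIL the prototype still returns, or validators will treat the zone as broken.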