Re: [dnsext] Name equivalence: No protocol change solution

fujiwara@jprs.co.jp Mon, 13 September 2010 11:30 UTC

Date: Mon, 13 Sep 2010 20:23:32 +0900
Message-Id: <20100913.202332.39163438.fujiwara@jprs.co.jp>
To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Name equivalence: No protocol change solution
From: fujiwara@jprs.co.jp
In-Reply-To: <20100910.003741.276219111671353143.fujiwara@wide.ad.jp>
References: <20100910.003741.276219111671353143.fujiwara@wide.ad.jp>

My idea's advantages are:
    no protocol changes
    no resolver/validator changes
    no authoritative server changes
        except servers which host SNAME synthesis.

My idea's disadvantage is that a TLD which wants to synthesize variants
needs to develop new DNS server software, and it uses online signing.

If someone is interested in my idea, let's write an Internet-Draft together.

I left out examples of my program.

# TLD= sname.dnslab.jp
# Registered domain name is "secure.$TLD"
# Variants are              "variant1.$TLD", "variant2.$TLD", "variant3.$TLD"
# Authoritative DNS Server is "snamens.dnslab.jp" [203.178.129.38]

1. Querying variant name for authoritative DNS server:

% dig @203.178.129.38 variant1.sname.dnslab.jp A
  returns 
;; ANSWER SECTION:
variant1.sname.dnslab.jp. 900	IN	CNAME	secure.sname.dnslab.jp.

% dig @203.178.129.38 variant1.sname.dnslab.jp A +dnssec
  returns 
;; ANSWER SECTION:
variant1.sname.dnslab.jp. 900	IN	CNAME	secure.sname.dnslab.jp.
variant1.sname.dnslab.jp. 900	IN	RRSIG	CNAME 8 4 900 20101013105101 20100913105101 63840 sname.dnslab.jp. Heh+YDhaE44mXsspBeB73SX1YpI7SYZGO+3fuKQB2UGeRWEHOHR1xbPK xAyP5c13IgfGj0sPfpc9j/XmNNOHhfAS1wxPDBjz7+lywpa69h/8BJwd 5/ZzUw+X33TUgImKupb4t7Sq2NPgrX3vZs+9/4bjqKeEGFHvxH4jBtNM Gtw=

;; AUTHORITY SECTION:
variant1.sname.dnslab.jp. 900	IN	NSEC	\000.variant1.sname.dnslab.jp. CNAME
variant1.sname.dnslab.jp. 900	IN	RRSIG	NSEC 8 4 900 20101013105101 20100913105101 63840 sname.dnslab.jp. ftgpYus+o9c0vSuBy4TM/UKe+fPXmhvhVZ8SO/KKmBr0x6GRnqK2WqZ2 BUKUCZTa/1d6D6ZsarRvJd5XZ13z9gcUNWc+7FCgQy09mGB5kD66i3YV BbGsjSgajVPxd0yBQSauxv+ECJzlCkJvpE5Uq7CUtnnWcf0r0XlqC8Qx 2Jo=

% dig @203.178.129.38 www.variant1.sname.dnslab.jp A
  returns 
;; ANSWER SECTION:
www.variant1.sname.dnslab.jp. 900 IN	CNAME	www.secure.sname.dnslab.jp.

% dig @203.178.129.38 www.variant1.sname.dnslab.jp A +dnssec
  returns 
;; ANSWER SECTION:
www.variant1.sname.dnslab.jp. 900 IN	CNAME	www.secure.sname.dnslab.jp.
www.variant1.sname.dnslab.jp. 900 IN	RRSIG	CNAME 8 5 900 20101013105148 20100913105148 63840 sname.dnslab.jp. Up3A7TbL38tlf+8Dxmwr8KAWN7ZbO54hw1sxFZuUak6hQ7mJKx3VfgVo //nigNSdhsIlvXtmVd6U26uN8JQei8PSmR3S/NM4fE1m6mFzjlDI4PCl pPmn6KvxmAdP5iNdzA8jk8VcNmZj75MZ/IGvf+HsRCFY9nogwjX/xlI8 18k=

;; AUTHORITY SECTION:
www.variant1.sname.dnslab.jp. 900 IN	NSEC	\000.www.variant1.sname.dnslab.jp. CNAME
www.variant1.sname.dnslab.jp. 900 IN	RRSIG	NSEC 8 5 900 20101013105148 20100913105148 63840 sname.dnslab.jp. PkKv5lbH2yWaS3Xt7LOpoRhlEDgVYyH87+TCx9wjmK3dX1j2xNJ5qBaN 4rfnB4SY8Sv8KzvzCa24ukuG3Au1h5NZG03k2OQG8gp6LFRaIm2Rr6WZ zt97xuGJfXuttyRMtfkz0JXFTS6E+KCF4DvXYo4nR5KTWaXA8i8yHJSK Cuw=

2. Querying for normal delegation

% dig @203.178.129.38 www.secure.sname.dnslab.jp

;; AUTHORITY SECTION:
secure.sname.dnslab.jp.	900	IN	NS	ns.secure.sname.dnslab.jp.
secure.sname.dnslab.jp.	900	IN	DS	26197 8 2 5F0878B02D7B59064F99C7697BBCD2B198B1ACDE648A48A98AAC8FBF F66B72CA

;; ADDITIONAL SECTION:
ns.secure.sname.dnslab.jp. 900	IN	A	61.192.162.73

# !! It returns DS without DO bit !!

% dig @203.178.129.38 www.secure.sname.dnslab.jp +dnssec

;; AUTHORITY SECTION:
secure.sname.dnslab.jp.	900	IN	NS	ns.secure.sname.dnslab.jp.
secure.sname.dnslab.jp.	900	IN	DS	26197 8 2 5F0878B02D7B59064F99C7697BBCD2B198B1ACDE648A48A98AAC8FBF F66B72CA
secure.sname.dnslab.jp.	900	IN	NSEC	secure\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000.sname.dnslab.jp. NS DS NSEC
secure.sname.dnslab.jp.	900	IN	RRSIG	DS 8 4 900 20101013110643 20100913110643 63840 sname.dnslab.jp. DdW3OJXK0bYk/wBgVX752PZDKWR/AqZSAXrU4ljWZpShO8cRnm6bDXIA uUkovkq2mZIttM8UGwRH97kxhxPIK+D2LhF4g44+gjYv2/3RkaH+1p3V grwDa6HfXb+bUW+Bn+rW1jUTNSoaSaisnMRqU1dCtgk1XhASbRO/yeGL Yvs=
secure.sname.dnslab.jp.	900	IN	RRSIG	NSEC 8 4 900 20101013110643 20100913110643 63840 sname.dnslab.jp. ILawgTRWxqBFF5UIaTqQ4e/PtYltEjBBUbfHPY1NLsmH9yJgSv9SCzda UyKLGnLp3z7A0lHNy9svhDLUbKPVLutxR6kCVgysbiXghnUY8qyi6t5P 4NHscv7opXS7K5MszPj8jWRGpD5jpSRRWljkxqx29QeClAiwSdzQmB/Q iCc=

;; ADDITIONAL SECTION:
ns.secure.sname.dnslab.jp. 900	IN	A	61.192.162.73

# !! It returns needless NSEC, sorry !!

3. APEX queries

% dig @203.178.129.38 sname.dnslab.jp NS +dnssec
% dig @203.178.129.38 sname.dnslab.jp SOA +dnssec
% dig @203.178.129.38 sname.dnslab.jp DNSKEY +dnssec

There are many unclear answers, but the answers are validatable.

4. DNSSEC validation using ISC DLV

% dig @validator www.variant1.sname.dnslab.jp A +dnssec
returns an AD=1 answer.

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.variant1.sname.dnslab.jp.  IN      A

;; ANSWER SECTION:
www.variant1.sname.dnslab.jp. 900 IN    CNAME   www.secure.sname.dnslab.jp.
www.variant1.sname.dnslab.jp. 900 IN    RRSIG   CNAME 8 5 900 20101013110958 20100913110958 63840 sname.dnslab.jp. gRoc9jFDyr//qBm+/0/UvP1E2X9BFNam3b1dFo8jGnBP8TIbxC1peGyX kBDUHovB8VNK1Laow8U0mYYUm+uFpWUJYmHBmBK364uPCeTK4HoU2mIT FeEAsBBW0TJqKEwmM3yYUb/VsWPAGydqPij0B8Yg3ih54me5Z6ItRif0 Xnw=
www.secure.sname.dnslab.jp. 3600 IN     A       192.2.0.1
www.secure.sname.dnslab.jp. 3600 IN     RRSIG   A 8 5 3600 20101013062440 20100913062440 58683 secure.sname.dnslab.jp. iPmlOb14WOoPNGzX4msgY/fsBidAzs78c1yEHfFBXBljwdsZR3oGpYIP 6kfuXjhpbjSk9rtC9Qcv9VbTcCz+Ma++mW3lbqWE2r7TMR9ItEtWqyxB bMA43pyVg+3fHdHY4p6SlAVeCbeoTASzWYzIcS2uAeNP0aYffBHI6QL1 +y5Zq/TSYhdKoDcbFtJI/eaU4NEXGCyJn8KqDFMgjnLr/Nn1jWUKM7jJ 0Fk9AEGtZn3BfD4lziCBmtPRR3eiJIrB1YOGlFuiLlpuEIXabIcSkMjL FUw0zL+1N1zNTsjCTPuiRN+SIh6KPhGoacXD0Wnrzx0CIYGXx2oIJcsd b3wzyw==

You can test:

% dig @validator ns.variant1.sname.dnslab.jp A +dnssec

...

But my program has many problems:
  a non-existing name results in SERVFAIL...
  variant1's DNSKEY results in SERVFAIL...
  ...
I will fix them later.

--
Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>

> From: Kazunori Fujiwara <fujiwara@wide.ad.jp>
> The problems of BNAME and DNAME+CNAME come from the co-existence of both
> a CNAME and a BNAME/DNAME RR at an owner name.
> 
> If we introduce signaling for BNAME/DNAME+CNAME, new alias algorithm
> numbers for DNSSEC are required to support DNSSEC with BNAME/DNAME+CNAME.
> 
> Then, I propose another solution for name equivalence.
> Consider a new DNS server which synthesizes CNAME RRs without BNAME/DNAME.
> 
> I introduce a new pseudo RR "SNAME" whose format is the same as DNAME in an
> input zone file. TARGET may be in the same zone.
> SNAME is pseudo; it does not appear in the DNS protocol.
> 
>     OWNERNAME   IN   SNAME   TARGET
>     TARGET      IN   NS ...
>                 IN   DS ...
> 
> New DNS Server answers are:
> 
>     QNAME            |          Answer
>     -----------------+----------------
>     OWNERNAME        |     OWNERNAME     IN CNAME TARGET
>     SUB.OWNERNAME    |     SUB.OWNERNAME IN CNAME SUB.TARGET
>     SUB.TARGET       |     TARGET IN NS + TARGET IN DS
>     TARGET           |     TARGET IN NS + TARGET IN DS
>     ...
> 
> We can sign synthesized CNAME RRs using RFC 4470.
> It does not need new algorithm numbers.
> 
> I wrote a DNS server prototype which supports NS+DS+SNAME+DNSSEC.
> Only gTLD-style zones are supported.
> 
>   my DNS server code is:    http://member.wide.ad.jp/~fujiwara/SNAME.pl
>   Sorry, no manual.
>   It requires perl and Net::DNS::SEC.
> 
> Programming took me a few hours (8 hours?), starting from v6rev.pl.
> 
> If you want production quality, you should write your programs in C or C++.
> 
> I run it on my company's server.
> 
>   TLD:      sname.dnslab.jp
>   TARGET:   secure.sname.dnslab.jp
>   Variants: variant[123].sname.dnslab.jp
> 
>   You can query:  (for example)
>     secure.sname.dnslab.jp A/DS/NSEC
>     www.variant1.sname.dnslab.jp A
>     ns.variant2.sname.dnslab.jp A
>     variant3.sname.dnslab.jp A/NS
> 
> dnslab.jp is registered in ISC DLV.
> sname.dnslab.jp and secure.sname.dnslab.jp are signed and have chain of trust.
> You can test DNSSEC via ISC DLV.
> 
> But the current version may not support proof of non-existence.
> # I will fix.
> 
> Please test my implementation.
> It does not change DNS protocol.
> 
> If implementations solve the requirements, we should implement!!
> 
> Configuration is:
>   ------------------------------------------
>   server_address: 203.178.129.38
>   server_port: 53
>   pid_file: /var/run/SNAME.pid
>   debug: 0
>   reconfig_interval: 3600
>   keyfile_dir: SNAME.key
>   ttl: 900
>   nsname: ns.sname.dnslab.jp
>   forward_domainname: sname.dnslab.jp
>   zone_file: SNAME.zone
>   enable_dnssec: 1
>   querylog: 1
>   ------------------------------------------
> 
> Zone data file is:
>   ------------------------------------------
>   #
>   secure.sname.dnslab.jp. NS ns.secure.sname.dnslab.jp.
>   secure.sname.dnslab.jp. DS 26197 8 2 5F0878B02D7B59064F99C7697BBCD2B198B1ACDE648A48A98AAC8FBFF66B72CA
>   ns.secure.sname.dnslab.jp. A 61.192.162.73
>   #
>   variant1.sname.dnslab.jp. SNAME secure.sname.dnslab.jp.
>   variant2.sname.dnslab.jp. SNAME secure.sname.dnslab.jp.
>   variant3.sname.dnslab.jp. SNAME secure.sname.dnslab.jp.
>   ------------------------------------------
> 
> --
> Kazunori Fujiwara, JPRS
>
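The answer rule from the quoted QNAME/Answer table, together with the minimally covering NSEC seen in the dig output of section 1, written out as an added Python example (this is not the SNAME.pl prototype). It assumes names are compared as lower-case strings without trailing dots and uses zone data constructed from the quoted zone file; the DS-at-TARGET case goes beyond the table and follows normal parent-side DS handling.

```python
from typing import Optional

TTL = 900
# Pseudo SNAME RRs from the quoted zone file: OWNERNAME -> TARGET (never on the wire).
SNAMES = {
    "variant1.sname.dnslab.jp": "secure.sname.dnslab.jp",
    "variant2.sname.dnslab.jp": "secure.sname.dnslab.jp",
    "variant3.sname.dnslab.jp": "secure.sname.dnslab.jp",
}
# Delegation at TARGET: NS + DS (DS rdata copied from the quoted zone file).
DELEGATIONS = {
    "secure.sname.dnslab.jp": {
        "NS": ["ns.secure.sname.dnslab.jp"],
        "DS": ["26197 8 2 5F0878B02D7B59064F99C7697BBCD2B198B1ACDE648A48A98AAC8FBFF66B72CA"],
    },
}

def labels_below(qname: str, owner: str) -> Optional[str]:
    """Labels of qname left of owner: '' if equal, 'www' for www.owner, None if unrelated."""
    if qname == owner:
        return ""
    if qname.endswith("." + owner):
        return qname[: -(len(owner) + 1)]
    return None

def minimal_nsec(name: str, types: list) -> tuple:
    # RFC 4470 style: next name is "\000.<name>", so the NSEC covers only <name> itself
    # and the type bitmap lists just the types that were synthesized.
    return (name, TTL, "NSEC", "\\000." + name, sorted(types))

def synthesize(qname: str, qtype: str = "A") -> dict:
    """Answer for (qname, qtype); records are (owner, ttl, type, rdata) tuples."""
    qname = qname.lower().rstrip(".")
    for target, rrs in DELEGATIONS.items():          # TARGET and SUB.TARGET -> referral
        if labels_below(qname, target) is not None:
            if qname == target and qtype == "DS":    # assumption beyond the table: parent owns DS
                return {"section": "answer", "records": [(target, TTL, "DS", d) for d in rrs["DS"]]}
            return {"section": "authority", "records":
                    [(target, TTL, "NS", ns) for ns in rrs["NS"]] +
                    [(target, TTL, "DS", d) for d in rrs["DS"]]}
    for owner, target in SNAMES.items():             # OWNERNAME and SUB.OWNERNAME -> CNAME
        sub = labels_below(qname, owner)
        if sub is not None:
            cname = target if sub == "" else sub + "." + target
            return {"section": "answer",
                    "records": [(qname, TTL, "CNAME", cname)],
                    "nsec": minimal_nsec(qname, ["CNAME"])}  # both signed online by the server
    return {"section": "authority", "rcode": "NXDOMAIN", "records": []}
```

The NXDOMAIN branch is where the prototype still returns SERVFAIL; a complete server would also synthesize a covering NSEC for that case.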