IETF Logo Mail Archive

Re: [dnsext] Possible DNSSECbis clarifications

Mark Andrews <marka@isc.org> Mon, 28 March 2011 16:20 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 461913A6A66 for <dnsext@core3.amsl.com>; Mon, 28 Mar 2011 09:20:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EgrN576r2Da4 for <dnsext@core3.amsl.com>; Mon, 28 Mar 2011 09:19:58 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by core3.amsl.com (Postfix) with ESMTP id 29E273A6A61 for <dnsext@ietf.org>; Mon, 28 Mar 2011 09:19:58 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id 2789DC9423; Mon, 28 Mar 2011 16:21:33 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (dhcp-2606.meeting.ietf.org [130.129.38.6]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 7D63C216C22; Mon, 28 Mar 2011 16:21:32 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 59CF9DA0471; Tue, 29 Mar 2011 03:21:20 +1100 (EST)
To: Marc Lampo <marc.lampo@eurid.eu>
From: Mark Andrews <marka@isc.org>
References: <4D9042DA.30002@ogud.com> <00a701cbed28$64d1b1d0$2e751570$@lampo@eurid.eu> <EBB9E54E-15F1-46B0-81CB-4B2C7B47D598@hopcount.ca> <018401cbed48$0b8a6ac0$229f4040$@lampo@eurid.eu> <22FD4CD1-4EFB-412A-A307-485DEBE815CE@hopcount.ca> <01a901cbed53$e744b7e0$b5ce27a0$@lampo@eurid.eu> <BFB96297-9A30-4C9B-86D9-788AAB0D7E61@hopcount.ca> <01b701cbed61$61cd3480$25679d80$@lampo@eurid.eu>
In-reply-to: Your message of "Mon, 28 Mar 2011 17:55:36 +0200." <01b701cbed61$61cd3480$25679d80$@lampo@eurid.eu>
Date: Tue, 29 Mar 2011 03:21:20 +1100
Message-Id: <20110328162120.59CF9DA0471@drugs.dv.isc.org>
Cc: 'Olafur Gudmundsson' <ogud@ogud.com>, dnsext@ietf.org
Subject: Re: [dnsext] Possible DNSSECbis clarifications
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2011 16:20:08 -0000

In message <01b701cbed61$61cd3480$25679d80$@lampo@eurid.eu>, "Marc Lampo" write
s:
> A "theorical" attack would be a "man-in-the-middle" change the trailing
> SOA, thus causing the secondary server to throw away each zone transfer it
> attempts (if it "believes" the second SOA is correct, in the absence of a
> valid RRSIG for it - that trailing SOA).
> 
> If a secondary name server is prevented from downloaded update of the true
> zone data, this is a security issue, I would say.

And we have solutions a solution to this.  It's called TSIG and has
been deployed for years with both signed and unsigned zones.

> It may not be that easy to set up this kind of attack, but then again,
> perhaps in some time somebody might show it can be done.
> My feeling is that, with DNSSEC, both SOA's in a zone transfer should be
> signed in a proper way (that they can  be validated) even if the SOA's
> differ.

DNSSEC as currently deployed cannot do this as RRSIG's are not
signed.  Early DNSSEC specs had the concept of a zone SIG.  This
covered the signatures.

> Which leaves us with another "hole" :
> Suppose potential attacker does indeed change trailing SOA, and fails to
> produce a validatable RRSIG, then what should the recipient do with the
> zone it downloaded ?  Since it can no longer verify if the content of the
> zone did not change, at the master, since the start of the zone transfer.
> 
> Marc

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email