Re: Evaluating DNSSEC transition mechanisms
Roy Arends <roy@dnss.ec> Thu, 10 June 2004 16:27 UTC
Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA16982 for <dnsext-archive@lists.ietf.org>; Thu, 10 Jun 2004 12:27:00 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 4.34 (FreeBSD)) id 1BYSM3-000Od5-Na for namedroppers-data@psg.com; Thu, 10 Jun 2004 16:24:39 +0000
Received: from [213.154.224.1] (helo=open.nlnetlabs.nl) by psg.com with esmtp (Exim 4.34 (FreeBSD)) id 1BYSM1-000OcW-VV for namedroppers@ops.ietf.org; Thu, 10 Jun 2004 16:24:38 +0000
Received: from elektron.atoom.net (f52166.upc-f.chello.nl [80.56.52.166]) by open.nlnetlabs.nl (8.12.11/8.12.11) with ESMTP id i5AGOV8W071083 for <namedroppers@ops.ietf.org>; Thu, 10 Jun 2004 18:24:32 +0200 (CEST) (envelope-from roy@dnss.ec)
Received: from elektron.atoom.net (localhost [127.0.0.1]) by elektron.atoom.net (8.12.11/8.12.11/Debian-3) with ESMTP id i5AGORXn020955 for <namedroppers@ops.ietf.org>; Thu, 10 Jun 2004 18:24:27 +0200
Received: from localhost (roy@localhost) by elektron.atoom.net (8.12.11/8.12.11/Debian-3) with ESMTP id i5AGOP5F020952 for <namedroppers@ops.ietf.org>; Thu, 10 Jun 2004 18:24:26 +0200
X-Authentication-Warning: elektron.atoom.net: roy owned process doing -bs
Date: Thu, 10 Jun 2004 18:24:25 +0200
From: Roy Arends <roy@dnss.ec>
X-X-Sender: roy@elektron.atoom.net
To: IETF DNSEXT WG <namedroppers@ops.ietf.org>
Subject: Re: Evaluating DNSSEC transition mechanisms
In-Reply-To: <a06020431bcee2fb29e74@[192.136.136.83]>
Message-ID: <Pine.LNX.4.58.0406101746070.2889@elektron.atoom.net>
References: <20040603161757.2c386dd7.olaf@ripe.net> <Pine.OSX.4.60.0406100932520.5571@criollo.schlyter.se> <a06020431bcee2fb29e74@[192.136.136.83]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Virus-Scanned: by amavisd-new
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on psg.com
X-Spam-Status: No, hits=-4.3 required=5.0 tests=AWL,BAYES_00,OPT_IN, RCVD_IN_SORBS autolearn=no version=2.63
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Just to be clear, we don't propose these mechanisms, they're just there. What we _do_ recommend (propose) is partial TCR++. More comments inline. On Thu, 10 Jun 2004, Edward Lewis wrote: > ## Evaluating DNSSEC Transition Mechanisms > ## draft-ietf-dnsext-dnssec-trans-00.txt > > ## 2.1 Mechanisms Updating DNSSEC-bis > ## > ## 2.1.1 Dynamic NSEC Synthesis > ## > ## This proposal assumes that NSEC RRs and the authenticating RRSIG will > ## be generated dynamically to just cover the (non existent) query name. > ## The owner name is (the) one preceding the name queried for, the Next > ## Owner Name Field has the value of the Query Name Field + 1 (first > ## successor in canonical ordering). A separate key (the normal ZSK or a > ## separate ZSK per authoritative server) would be used for RRSIGs on > ## NSEC RRs. This is a defense against enumeration, though it has the > ## presumption of online signing. > > To protect off-line signed data from exposure of the on-line private key, > you have to require that the key signing non-auth denial data ALWAYS be > different from the other zone data. If you don't, all data is vulnerable > because of the on-line key, making the distinction worthless. (This idea > was tried a long time ago, see the "signatory" field in the KEY RR flags > in RFC 2065, section 3.3.) Okay, -01 will include this text. > ## 2.1.1.2 Limitations > > I've been told that performing public key crypto on the fly is still > prohibitively costly. It would be good if someone who knows more about > this added some hard data to that. Okay. Someone send text pls. > ## 2.1.2.2 Limitations > > One limitation is that in the dns-choices draft, subtyping is strongly > discouraged. There are reasons documented there. Also, there is a strong > push to limit subtyping for applications - why encourage it for DNSSEC? > The latter isn't a first-order issue, the limitations documented in Patrick > and Rob's draft are. There are no encouragements here !!! see my first comment above. > ## 2.1.3 Type Bit Map NSEC Indicator > ## 2.1.4 New Apex Type > ## 2.1.4.2 Limitations > > Requires special processing - to be included in responses as needed. > > ## 2.1.4.4 Cons > > This proposal has died before, in 1999. (SEC RR) Will include. > ## 2.1.6 NSEC Optional via DNSSKEY Flag > ## > ## A new DNSKEY may be defined to declare NSEC optional per zone. > > You can't have "optional" authenticated denial. It's either on or off. > Perhaps the intent is that it is optional to use - and this has to be > specified in-line with the verification process (DS or DNSKEY record). > > How (much) does this differ from the opt-in proposal? This is not opt-in........ > ## 2.2 Mechanisms not Updating DNSSEC-bis > ## > ## 2.2.1 Partial Type-code and Signal Rollover > > That sounds like an update to DNSSECbis. (Replacing it...) No, not at all. Different versions. Unless ofcourse you'd see IPv6 as a replacement op IPv4. Both can coexist, no ? > ## 2.2.1.2 Limitations > > Does not take into account the interaction between newer era servers and > older era clients, assuming the newer era servers can't down-version their > responses. Does too ! :-) dnssec-ter falls back to dns, not to dnssec-bis in case newer era servers babble with older era clients. > ## 2.2.2 A Complete Type-code and Signal Rollover > > This assumes that newer era servers are capable of talking both old-era and > new-era (multiple for all eras) DNSSEC. I.e., that any server that is > supposed to speak only new NSEC is willing to speak old NSEC too. See my previous comment. > My assumption is that the motivation to use a new NSEC is that the old NSEC > is abhorrent to the administrator. If that's true, then the old-era zone > must appear unsecured (as opposed to giving away the information). You got it mister ! And I learned a new word ! > ## 2.2.2.1 Coexistence and Migration > ## > ## Both spaces can co-exist. They can be made completely orthogonal. > > But are a burden on operations, or at least a potential burden. How to I tell > my parent to gimme a DS but not a DS2? You don't. Parent has either for a delegation. old-era-resolver will ignore DS2 and mark the delegation usigned due to absence of DS. new > ## 3. Recommendation > ## > ## The authors recommend that the working group commits to and starts > ## work on a partial TCR, allowing graceful transition towards a future > ## version of NSEC. Meanwhile, to accommodate the need for an > ## immediately, temporary, solution against zone-traversal, we recommend > ## On-Demand NSEC synthesis. > > Is on-demand NSEC synthesis (specifically signing it's RRSIG) achievable? Yes. It would be trivial. > Would (not) a DOS attack be trivial? Yes, a cypto DOS attack would be a little more trivial then just plain query storms, sure. > Now time for some rambling... Oh, goody ;-) > I do think that zone enumeration is a problem, but not a privacy problem. > This is based on "attacks" that use expected and dictionary-like attacks on > domains to hit them with email and/or other directed traffic. So I think > we do need to think about the issue. > > I'm increasingly skeptical that there is a good solution to the migration > problem though. Besides recent reactions to the issue, having re-read the > SEC RR stuff, I realize I've had this concern since the late 90's. One > big reason for the SEC RR was to version NXT. > > The only possibility for migration into the future seems to me to follow > the accepted idea of key roll over (super-cession) in which data is offered > up in both old and new styles for some time. The dual-mode time is needed > because of the slow adoption rate of data through caches and code through > enterprises. > > But, with authenticated denial we have two strikes against us. The reason > for going forward is that the old style is unacceptable. And you can't > make authenticated denial records optional - that makes it too easy to > attack them. > > I think. > > I think that if there is to be a defense against zone enumeration, then > the NSEC as defined is DOA and is not worth adopting. Can we drop it now > and later add the feature? Well, no, thanks to the DS RR. We need to > have authenticated denial to tie the tree (islands of security) together. > > I doubt that a TCR will help. The only reason is worked this time is that > no one is using the old DNSSEC. Anyone signing zones according to 2535 is > not ever going to coexist with current-era code. Resolvers won't understand > the difference in the trusted keys, and nothing has an understanding of the > DS record. > > I really wish that we could do on the fly signing of responses for "no data" > and "name error." To do that thought we need a NSK (negative signing key) to > go along with ZSK and KSK. > > I just don't see how we can define old-era resolvers (DNSSECbis) to ever > handle any new (unforeseen) versions of NSEC assuming that the new code > won't back down to the old-era. How do the old-era resolvers authenticate > new-era records? (How should they know to panic? How should they know which > way to panic?) Are you suggesting we don't yet publish -bis. Hold the code. Rewrite NSEC ? My current thinking is that partial TCR is still the best long-term solution. If folk can't wait for that, use on-demand-nsec-signing. ymmv. Roy -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Evaluating DNSSEC transition mechanisms Jakob Schlyter
- Re: Evaluating DNSSEC transition mechanisms Roy Arends
- Re: Evaluating DNSSEC transition mechanisms Roy Arends
- Re: Evaluating DNSSEC transition mechanisms Edward Lewis
- Re: Online signing Roy Arends
- Re: Evaluating DNSSEC transition mechanisms Edward Lewis
- Re: Evaluating DNSSEC transition mechanisms Derek Atkins
- Online signing (was: Evaluating DNSSEC transition… Roy Badami
- Re: Online signing (was: Evaluating DNSSEC transi… Roy Arends
- Re: Online signing Alex Bligh
- Re: Online signing Paul Vixie
- Re: Evaluating DNSSEC transition mechanisms Paul Vixie
- Re: Evaluating DNSSEC transition mechanisms Ben Laurie
- Re: Evaluating DNSSEC transition mechanisms Jakob Schlyter
- Re: Online signing Francis Dupont
- Re: Online signing Ben Laurie