IETF Logo Mail Archive

Re: Interpreting DNSSEC was Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME

Wouter Wijngaards <wouter@NLnetLabs.nl> Thu, 23 October 2008 07:40 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9110F3A6B54; Thu, 23 Oct 2008 00:40:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.126
X-Spam-Level:
X-Spam-Status: No, score=-102.126 tagged_above=-999 required=5 tests=[AWL=-0.474, BAYES_00=-2.599, NO_RELAYS=-0.001, SARE_UNSUB22=0.948, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WdH+FNvvoPwL; Thu, 23 Oct 2008 00:40:22 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 77DF23A684F; Thu, 23 Oct 2008 00:40:21 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1Ksuf6-000Kym-AE for namedroppers-data@psg.com; Thu, 23 Oct 2008 07:31:16 +0000
Received: from [2001:7b8:206:1::1] (helo=open.nlnetlabs.nl) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <wouter@nlnetlabs.nl>) id 1Ksues-000KwN-GZ for namedroppers@ops.ietf.org; Thu, 23 Oct 2008 07:31:08 +0000
Received: from gary.nlnetlabs.nl (gary.nlnetlabs.nl [IPv6:2001:7b8:206:1:216:76ff:feb8:1853]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.3/8.14.3) with ESMTP id m9N7Uc2w030695 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 23 Oct 2008 09:30:39 +0200 (CEST) (envelope-from wouter@nlnetlabs.nl)
Message-ID: <4900281E.50307@nlnetlabs.nl>
Date: Thu, 23 Oct 2008 09:30:38 +0200
From: Wouter Wijngaards <wouter@NLnetLabs.nl>
User-Agent: Thunderbird 2.0.0.16 (X11/20080723)
MIME-Version: 1.0
To: Michael StJohns <mstjohns@comcast.net>
CC: Mark Andrews <Mark_Andrews@isc.org>, namedroppers@ops.ietf.org
Subject: Re: Interpreting DNSSEC was Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
References: <Your message of "Wed, 22 Oct 2008 20:54:26 EDT." <E1KsoTF-000GYV-PY@psg.com> <200810230343.m9N3hO08055012@drugs.dv.isc.org> <E1KsrmF-0005nC-3I@psg.com>
In-Reply-To: <E1KsrmF-0005nC-3I@psg.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]); Thu, 23 Oct 2008 09:30:40 +0200 (CEST)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Michael,

You can propose some new mechanism here, but do not overload the DS
semantics more. Get a new type code, like DLV did.

That said, lets sling some mud :-)

Michael StJohns wrote:
> At 11:43 PM 10/22/2008, Mark Andrews wrote:
>>> DNAME is the pretty much the equivalent of a delegation - only sideways.    W
>>> hy not treat it like any other delegation?  In other words, in addition to th
>>> e records currently permitted at a DNAME node, add DS to the list.  This woul
>>> d require slightly overloading the meaning of DS, but in a way that doesn't b
>>> reak the model too much.
>>>

So you want the owner of the DNAME to indicate if he is referring to a
secured zone or not (using a hash of a key).  And the validator can then
check if the destination is really secure.  This needs only one bit:
target of redirection is supposed to be secure yes/no.

The chain of trust runs parralel to the delegation hierarchy, and I
think sideways chains of trust need not enter the picture here.  Not for
your DNAME concerns.

Although the above is what I think you want.  I think the current DNAME
situation is fine.  The resolver can see if the target of a DNAME
redirection is secure or not based on trust anchors, and is going to set
the security result of the entire DNAME-chain to the lowest security
encountered anyway.

>>> This gets away from the problem where a resolver has one trust anchor, but do
>>> esn't have a trust anchor for the target zone at the cost of requiring some a
>>> dministration of the DS at the DNAME.

Yeeks how to keep that DS up to date.  Better one bit: target secure, it
does not suffer from key rollover.

>>> Continuing the logic from above, if you get a unsecure DNAME delegation (i.e.
>>> DNAME without DS), you *stop* doing DNSSEC validation.  It doesn't matter if
>>> you have trust anchors for any further targets - the validation answer is UN
>>> SECURE.  This is required for consistency - different resolvers have differen
>>> t sets of trust anchors.  It's not all that coherent to get BOGUS from one, U
>>> NSECURE from another and UNKNOWN from a third if you can avoid it.  Chaining 
>>> security back to the original trust anchor and evaluating security in terms o
>>> f data that chains back ONLY to that trust anchor seems to be the most consis
>>> tent approach.
>>        There are only three possible outputs from a validating resolver.
>>
>>        The *all* of the answer and authority sections are SECURE (ad=1).
>>
>>        All of the answer and authority sections passed validation (got
>>        SECURE or INSECURE) and some part was INSECURE (ad=0).
>>
>>        Validation failed for some part and you get SERVFAIL.
>>
>>        There is no UNKNOWN output.  Records without a trust anchor are
>>        INSECURE.

I agree with Mark here.

> We're just going to have to agree to disagree.  I can distinguish between data where I have no information about its trust state (it might be signed, but I have NO trust anchor so I have no way of determining whether it is secure unsecure or bogus) and data where I have information about its trust state (because I have a trust anchor and I was able to run a validator and return one of secure, unsecure or bogus on the provided data).   That difference may or may not be important to an end-application validator - but I'm not willing to exclude it from consideration at this point.  So mentally from now on just substitute UNSECURE wherever I say UNKNOWN and I'll consider the protest given proforma.... :-) 

No.

You see when a validator encounters a securely-insecure delegation, I
mean a proof that a DS is absent.  Then it knows that the remainder is
not signed with a chain of trust from the trust anchor that it has been
following.  However, the result is simply insecure, and not somehow
magically more secure that a result obtained without a trust anchor at
all.  What is the extra security afforded by a securely insecure
delegation?  The result is as prone to modification as a result obtained
for a domain without trust anchor.

Of course, the two domain set ups have a different operational
configuration.  So although you can give them different names (which can
be useful for other things, such as operator debugging), they have the
same level of security.

>>> Let the mud slinging begin... :-)

Cheers,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkAKB4ACgkQkDLqNwOhpPin2gCgtHuA1I2S/+Gok9TQ3BNnN7Pw
Z+MAn2YAD/HLWriLwP0y2+q55FScRfW8
=nwDQ
-----END PGP SIGNATURE-----

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email