Re: Interpreting DNSSEC was Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
Wouter Wijngaards <wouter@NLnetLabs.nl> Thu, 23 October 2008 07:40 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9110F3A6B54; Thu, 23 Oct 2008 00:40:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.126
X-Spam-Level:
X-Spam-Status: No, score=-102.126 tagged_above=-999 required=5 tests=[AWL=-0.474, BAYES_00=-2.599, NO_RELAYS=-0.001, SARE_UNSUB22=0.948, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WdH+FNvvoPwL; Thu, 23 Oct 2008 00:40:22 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 77DF23A684F; Thu, 23 Oct 2008 00:40:21 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1Ksuf6-000Kym-AE for namedroppers-data@psg.com; Thu, 23 Oct 2008 07:31:16 +0000
Received: from [2001:7b8:206:1::1] (helo=open.nlnetlabs.nl) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <wouter@nlnetlabs.nl>) id 1Ksues-000KwN-GZ for namedroppers@ops.ietf.org; Thu, 23 Oct 2008 07:31:08 +0000
Received: from gary.nlnetlabs.nl (gary.nlnetlabs.nl [IPv6:2001:7b8:206:1:216:76ff:feb8:1853]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.3/8.14.3) with ESMTP id m9N7Uc2w030695 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 23 Oct 2008 09:30:39 +0200 (CEST) (envelope-from wouter@nlnetlabs.nl)
Message-ID: <4900281E.50307@nlnetlabs.nl>
Date: Thu, 23 Oct 2008 09:30:38 +0200
From: Wouter Wijngaards <wouter@NLnetLabs.nl>
User-Agent: Thunderbird 2.0.0.16 (X11/20080723)
MIME-Version: 1.0
To: Michael StJohns <mstjohns@comcast.net>
CC: Mark Andrews <Mark_Andrews@isc.org>, namedroppers@ops.ietf.org
Subject: Re: Interpreting DNSSEC was Re: [dnsext] flip-flopping secure and unsecure DNAME/CNAME
References: <Your message of "Wed, 22 Oct 2008 20:54:26 EDT." <E1KsoTF-000GYV-PY@psg.com> <200810230343.m9N3hO08055012@drugs.dv.isc.org> <E1KsrmF-0005nC-3I@psg.com>
In-Reply-To: <E1KsrmF-0005nC-3I@psg.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]); Thu, 23 Oct 2008 09:30:40 +0200 (CEST)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Michael, You can propose some new mechanism here, but do not overload the DS semantics more. Get a new type code, like DLV did. That said, lets sling some mud :-) Michael StJohns wrote: > At 11:43 PM 10/22/2008, Mark Andrews wrote: >>> DNAME is the pretty much the equivalent of a delegation - only sideways. W >>> hy not treat it like any other delegation? In other words, in addition to th >>> e records currently permitted at a DNAME node, add DS to the list. This woul >>> d require slightly overloading the meaning of DS, but in a way that doesn't b >>> reak the model too much. >>> So you want the owner of the DNAME to indicate if he is referring to a secured zone or not (using a hash of a key). And the validator can then check if the destination is really secure. This needs only one bit: target of redirection is supposed to be secure yes/no. The chain of trust runs parralel to the delegation hierarchy, and I think sideways chains of trust need not enter the picture here. Not for your DNAME concerns. Although the above is what I think you want. I think the current DNAME situation is fine. The resolver can see if the target of a DNAME redirection is secure or not based on trust anchors, and is going to set the security result of the entire DNAME-chain to the lowest security encountered anyway. >>> This gets away from the problem where a resolver has one trust anchor, but do >>> esn't have a trust anchor for the target zone at the cost of requiring some a >>> dministration of the DS at the DNAME. Yeeks how to keep that DS up to date. Better one bit: target secure, it does not suffer from key rollover. >>> Continuing the logic from above, if you get a unsecure DNAME delegation (i.e. >>> DNAME without DS), you *stop* doing DNSSEC validation. It doesn't matter if >>> you have trust anchors for any further targets - the validation answer is UN >>> SECURE. This is required for consistency - different resolvers have differen >>> t sets of trust anchors. It's not all that coherent to get BOGUS from one, U >>> NSECURE from another and UNKNOWN from a third if you can avoid it. Chaining >>> security back to the original trust anchor and evaluating security in terms o >>> f data that chains back ONLY to that trust anchor seems to be the most consis >>> tent approach. >> There are only three possible outputs from a validating resolver. >> >> The *all* of the answer and authority sections are SECURE (ad=1). >> >> All of the answer and authority sections passed validation (got >> SECURE or INSECURE) and some part was INSECURE (ad=0). >> >> Validation failed for some part and you get SERVFAIL. >> >> There is no UNKNOWN output. Records without a trust anchor are >> INSECURE. I agree with Mark here. > We're just going to have to agree to disagree. I can distinguish between data where I have no information about its trust state (it might be signed, but I have NO trust anchor so I have no way of determining whether it is secure unsecure or bogus) and data where I have information about its trust state (because I have a trust anchor and I was able to run a validator and return one of secure, unsecure or bogus on the provided data). That difference may or may not be important to an end-application validator - but I'm not willing to exclude it from consideration at this point. So mentally from now on just substitute UNSECURE wherever I say UNKNOWN and I'll consider the protest given proforma.... :-) No. You see when a validator encounters a securely-insecure delegation, I mean a proof that a DS is absent. Then it knows that the remainder is not signed with a chain of trust from the trust anchor that it has been following. However, the result is simply insecure, and not somehow magically more secure that a result obtained without a trust anchor at all. What is the extra security afforded by a securely insecure delegation? The result is as prone to modification as a result obtained for a domain without trust anchor. Of course, the two domain set ups have a different operational configuration. So although you can give them different names (which can be useful for other things, such as operator debugging), they have the same level of security. >>> Let the mud slinging begin... :-) Cheers, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkkAKB4ACgkQkDLqNwOhpPin2gCgtHuA1I2S/+Gok9TQ3BNnN7Pw Z+MAn2YAD/HLWriLwP0y2+q55FScRfW8 =nwDQ -----END PGP SIGNATURE----- -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- [dnsext] Reminder: two WGLC closing in one week Andrew Sullivan
- Re: [dnsext] Reminder: two WGLC closing in one we… Scott Rose
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Edward Lewis
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- DNAME (and CNAME) vs DNSSEC (Was: [dnsext] Remind… Andrew Sullivan
- Re: [dnsext] Reminder: two WGLC closing in one we… Michael StJohns
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- [dnsext] Re: DNAME (and CNAME) vs DNSSEC Wes Hardaker
- Re: DNAME (and CNAME) vs DNSSEC (Was: [dnsext] Re… Edward Lewis
- [dnsext] recommeded contents for Re: DNAME (and C… Edward Lewis
- [dnsext] flip-flopping secure and unsecure DNAME/… Edward Lewis
- Re: [dnsext] recommeded contents for Re: DNAME (a… Scott Rose
- [dnsext] Re: DNAME (and CNAME) vs DNSSEC Wes Hardaker
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… John Dickinson
- Re: [dnsext] Reminder: two WGLC closing in one we… Florian Weimer
- Re: [dnsext] Reminder: two WGLC closing in one we… Mark Andrews
- Re: [dnsext] Reminder: two WGLC closing in one we… Florian Weimer
- Re: [dnsext] Reminder: two WGLC closing in one we… Olafur Gudmundsson
- Re: [dnsext] flip-flopping secure and unsecure DN… Edward Lewis
- the DO bit Re: [dnsext] Reminder: two WGLC closin… Edward Lewis
- Re: the DO bit Re: [dnsext] Reminder: two WGLC cl… bmanning
- Re: the DO bit Re: [dnsext] Reminder: two WGLC cl… David Conrad
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Wouter Wijngaards
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- Re: [dnsext] flip-flopping secure and unsecure DN… Alex Bligh
- Re: [dnsext] flip-flopping secure and unsecure DN… Ben Laurie
- CNAME/DNAME - Re: [dnsext] flip-flopping secure a… Edward Lewis
- Re: [dnsext] flip-flopping secure and unsecure DN… Shane Kerr
- Re: [dnsext] flip-flopping secure and unsecure DN… Alex Bligh
- Interpreting DNSSEC was Re: [dnsext] flip-floppin… Edward Lewis
- Re: [dnsext] flip-flopping secure and unsecure DN… Nicholas Weaver
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Alex Bligh
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: [dnsext] flip-flopping secure and unsecure DN… Michael StJohns
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Edward Lewis
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: CNAME/DNAME - Re: [dnsext] flip-flopping secu… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Nicholas Weaver
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Mark Andrews
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Wouter Wijngaards
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Ben Laurie
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Mark Andrews
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Michael StJohns
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Stephane Bortzmeyer
- Re: Interpreting DNSSEC was Re: [dnsext] flip-flo… Edward Lewis