IETF Logo Mail Archive

Re: [dnsext] Clarifying the mandatory algorithm rules

Mark Andrews <marka@isc.org> Sat, 20 November 2010 01:34 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F2EED28C0FD for <dnsext@core3.amsl.com>; Fri, 19 Nov 2010 17:34:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.599
X-Spam-Level:
X-Spam-Status: No, score=-1.599 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GCOZ-GV-A8QO for <dnsext@core3.amsl.com>; Fri, 19 Nov 2010 17:34:45 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by core3.amsl.com (Postfix) with ESMTP id 3A16B3A6938 for <dnsext@ietf.org>; Fri, 19 Nov 2010 17:34:45 -0800 (PST)
Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "farside.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id 6A8F8C9422; Sat, 20 Nov 2010 01:35:23 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:ea06:88ff:fef3:4f9c]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by farside.isc.org (Postfix) with ESMTP id D4753E6056; Sat, 20 Nov 2010 01:35:22 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 32D116FAF6B; Sat, 20 Nov 2010 12:35:19 +1100 (EST)
To: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
From: Mark Andrews <marka@isc.org>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE50C01.4010104@nic.cz> <alpine.BSF.2.00.1011180630550.83352@fledge.watson.org> <4CE5898C.7050801@nic.cz><4CE64785.7090401@nlnetlabs.nl> <20101119141852.DC56A6F90C8@drugs.dv.isc.org><4CE69FBF.3070706@nlnetlabs.nl>
In-reply-to: Your message of "Fri, 19 Nov 2010 17:03:11 BST." <4CE69FBF.3070706@nlnetlabs.nl>
Date: Sat, 20 Nov 2010 12:35:19 +1100
Message-Id: <20101120013519.32D116FAF6B@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Nov 2010 01:34:49 -0000

In message <4CE69FBF.3070706@nlnetlabs.nl>, "W.C.A. Wijngaards" writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Mark,
> 
> On 11/19/2010 03:18 PM, Mark Andrews wrote:
> > Except the validator is not supposed to enforce it.  The point of
> > the rule, for the signer, was to ensure that there would be *a*
> > signature to validate with.
> 
> Right, that is the confusion.
> 
> >> Let me try to understand this and then respond.  You talk about having
> >> to prepublish signatures before the keys are published.
> >>
> >> This is necessary with the current rules today for algorithm-support
> >> reasons.  It does not go away if unbound has less strict checking.  The
> >> affected servers could be bind, unbound or other implementations.
> > 
> > No it isn't necessary.
> >
> > I start out with algorithm A in DS and DNSKEY.  The DNSKEY has a
> > TTL of 600.  I have a TXT record with a TTL of 600 which is fetch
> > 300 seconds after the DNSKEY record is fetched.  I add a DNSKEY
> > with algorithm B and re-sign the entire zone with A+B meeting the
> > MUST.  301 second later a downstream validating client asks for the
> > TXT record.  The client get a DNSKEY RRset with A+B and a TXT with
> > A signatures.  This will validate as secure by a validator that
> > supports A only.  This will validate as insecure by a validator
> > that supports B only as there is no secure path from the parent to
> > the child.  It will validate as secure by a validator that supports
> > A+B.
> 
> Let me explain why I thought it was necessary.  The RFC links the
> algorithms in the DS to the algorithms in the DNSKEY.

You can only list DS's that cover algorithms in the DNSKEY RRset.
If you don't support one of the algorithms in the DS then the zone
is insecure for that validator.  You don't add the DSs for a algorithm
until max zone TTL has expired from the initial publication of that
algorithm in a DNSKEY RRset.

> And the RFC links the algorithms in the DNSKEY to the algorithms over
> the data.

In a particular version of the zone.

> Therefore, I did not think it was allowed to link the algorithms in the
> DS to the algorithms over the data.

We're not yet.  To do incremental introduction of RRSIGs we need
to make that clearer.

> And that you had to check if algorithms (and thus their signatures)
> were missing.

Except there is nothing in RFC 4035 saying to perform this check.
The signer is told to generate them, the validator is not told to
check for them.  Yes this asymetic,  strict sender - liberal receiver
but it allow DNSSEC to work with caches learning data at different
times.  It's also is consistent with any signature validates.

> If you pick the algorithms from the DNSKEY to see if signatures over
> data are missing, then in the above example, a validator that supports
> A+B has to mark the answer bogus.

Which isn't part of the protocol.

I also note that you don't disagree with A only as being secure and
B only as being insecure.  If you are checking algorithm presence
then all should be treated as bogus.

> (I happily note as an aside, you can take the subset of algorithms that
> is also published in the DS set and do strict-checks with that; this has
> safe communication from the parent and more lenient algorithm rollover).
> 
> > Only when you start enforcing that the TXT and DNSKEY records have
> > to have matching algorithms in the validator does this break despite
> > the signer meeting the MUST.
> 
> Another source for this is RFC4641 algorithm rollover (with prepublish
> of signatures before key).  I am a bit hazy why the 4641 (and -bis)
> documents specify algorithm rollovers with signature introduction, if
> this was not necessary; the editors and reviewers had similar confusion?
> I certainly looked at them to make sure they worked when I wrote the
> algorithm code.

RFC4641 doesn't describe algorithm rolls it describes key rollovers within
a algorithm.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email