IETF Logo Mail Archive

Re: [dnsext] Clarifying the mandatory algorithm rules

Mark Andrews <marka@isc.org> Fri, 19 November 2010 14:18 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A33BB3A6783 for <dnsext@core3.amsl.com>; Fri, 19 Nov 2010 06:18:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.349
X-Spam-Level:
X-Spam-Status: No, score=-1.349 tagged_above=-999 required=5 tests=[AWL=1.250, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fo6alJ+q8BY3 for <dnsext@core3.amsl.com>; Fri, 19 Nov 2010 06:18:27 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by core3.amsl.com (Postfix) with ESMTP id C2ED63A67D7 for <dnsext@ietf.org>; Fri, 19 Nov 2010 06:18:26 -0800 (PST)
Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "farside.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id A72445F9863; Fri, 19 Nov 2010 14:18:57 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:ea06:88ff:fef3:4f9c]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by farside.isc.org (Postfix) with ESMTP id D6EE7E6030; Fri, 19 Nov 2010 14:18:55 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id DC56A6F90C8; Sat, 20 Nov 2010 01:18:52 +1100 (EST)
To: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
From: Mark Andrews <marka@isc.org>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE50C01.4010104@nic.cz> <alpine.BSF.2.00.1011180630550.83352@fledge.watson.org> <4CE5898C.7050801@nic.cz><4CE64785.7090401@nlnetlabs.nl>
In-reply-to: Your message of "Fri, 19 Nov 2010 10:46:45 BST." <4CE64785.7090401@nlnetlabs.nl>
Date: Sat, 20 Nov 2010 01:18:52 +1100
Message-Id: <20101119141852.DC56A6F90C8@drugs.dv.isc.org>
Cc: Samuel Weiler <weiler@watson.org>, dnsext@ietf.org
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Nov 2010 14:18:28 -0000

In message <4CE64785.7090401@nlnetlabs.nl>, "W.C.A. Wijngaards" writes:
> Hi,
> 
> On 11/18/2010 09:16 PM, Ondřej Surý wrote:
> > The idea is that just adding a new key with algorithm B (the strong)
> > without chaining it to the parent zone doesn't add any new security,
> > since the chain of trust is secured by the (the weak) algorithm A.
> 
> Today, the RFC has rules for DS-DNSKEY and rule for DNSKEY-DATA.  You
> want to create new rules for DS-DATA.

I want to make it possible to do incremental signing of new algorithms
which requires the rules to be relaxed but we can leave discussion of
that until we resolve the issue about whether the validator should be
checking or not.
 
> > So, yes the RFCs need a clarification and yes the unbound is
> > unnecessarily strict since such strict implementation doesn't add any
> > additional security (because you don't have a chain of trust leading to
> > a key).  Wouter, object now or never :).
> 
> You called?  Yes, unbound is strict, it enforces the exact zone signing
> requirements from the RFC.  But, I am not objecting to you strongly.  I
> want to caution making changes to RFC4035, there must be backwards
> compatibility.

Except the validator is not supposed to enforce it.  The point of
the rule, for the signer, was to ensure that there would be *a*
signature to validate with.

The downgrade attack it was supposed to protect against is downgrade
to insecure not downgrade between algorithms.

> But the above makes the algorithm-set determined by the parent.
> Now, the algorithm set is determined by the child (when you get there).
> I appreciate the concern that if you want to protect a downgrade, then
> you must signal this at the parent.

A zone is deem secure or insecure based on the list of algorithms
in the DS RRset.

> (the security of that parent is that of a new zone; with different owners).
> 
> Mark Andrews wrote:
> > Additionally the MUST is a directive to *zone operators*.  A zone
> > operator can comply with that MUST but validation will still fail
> > with unbound as unbound requires that a zone be signed with DNSKEYs
> > which are NOT in the zone prior to adding the DNSKEY to the zone
> > due to caching.  On this alone it is clear that unbound is in the
> > wrong.
> 
> Let me try to understand this and then respond.  You talk about having
> to prepublish signatures before the keys are published.
> 
> This is necessary with the current rules today for algorithm-support
> reasons.  It does not go away if unbound has less strict checking.  The
> affected servers could be bind, unbound or other implementations.

No it isn't necessary.

I start out with algorithm A in DS and DNSKEY.  The DNSKEY has a
TTL of 600.  I have a TXT record with a TTL of 600 which is fetch
300 seconds after the DNSKEY record is fetched.  I add a DNSKEY
with algorithm B and re-sign the entire zone with A+B meeting the
MUST.  301 second later a downstream validating client asks for the
TXT record.  The client get a DNSKEY RRset with A+B and a TXT with
A signatures.  This will validate as secure by a validator that
supports A only.  This will validate as insecure by a validator
that supports B only as there is no secure path from the parent to
the child.  It will validate as secure by a validator that supports
A+B.

Only when you start enforcing that the TXT and DNSKEY records have
to have matching algorithms in the validator does this break despite
the signer meeting the MUST.

Similarly you can go from A+B to just A by removing the DS records
for A, waiting for the old DS RRset to expire then removing the A
DNSKEYs.

> Your change to the rules makes it possible to add the key, and then
> signatures slowly, with a new algorithm, (as long as the DS is not added
> yet).  I appreciate that niceness.

> You are correct that you must also take the trust-anchors into account
> to do it properly (and I do not do that today).
> 
> Best regards,
>    Wouter
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkzmR4UACgkQkDLqNwOhpPh6FACeLAsw/oeIyPpsA4YIL0Bn0jom
> YBoAnRm3491f7m5Y4ipbNc5bpYPNTb6U
> =e/Yn
> -----END PGP SIGNATURE-----
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email