Re: [dnsext] Authenticated denial of existence...

Dave Lawrence <tale@dd.org> Wed, 20 November 2013 17:53 UTC

Message-ID: <21132.63250.716415.755401@gro.dd.org>
Date: Wed, 20 Nov 2013 12:53:22 -0500
From: Dave Lawrence <tale@dd.org>
To: dnsext@ietf.org
In-Reply-To: <alpine.LSU.2.00.1311201202570.11548@hermes-2.csi.cam.ac.uk>
References: <CFD6B510-D70E-4308-BF3E-B2E7C2ADCBEB@nominum.com> <alpine.LSU.2.00.1311201202570.11548@hermes-2.csi.cam.ac.uk>
Subject: Re: [dnsext] Authenticated denial of existence...

Tony Finch writes:
> > https://datatracker.ietf.org/doc/draft-gieben-auth-denial-of-existence-dns/
> 
> A really nice and helpful document.

Agreed.  Really well put-together.  I do like the previously mentioned
ideas of including a bit about RFC 4470 and a few short words on
alternatives to managing the nsec3 hash space (like Kaminsky's).
Appendix is fine to not disrupt the flow, and it probably doesn't
really need more than a paragraph or so for each.

Section 3[.0] should probably elaborate on this:

   When you are querying a name server for a record that actually
   exists, a man-in-the-middle may replay that generic denial record
   and it would be impossible to tell whether the response was genuine
   or spoofed.

especially when later on 3.2 says this:

   Therefore, the RRSIG's RDATA include a validity period (not visible
   in the zone above), so that an attacker cannot replay this NXDOMAIN
   response for "c.example.org" forever.

which could easily leave the reader wondering, "so why doesn't having
a validity period on a generic denial record adequately address this?"

I realize the answer is obvious to us, but it isn't obvious in the
document, which is meant to be accessible by people outside the
security sphere.

Maybe this subtle change would work?  I'm not entirely sure how much it
does help, but it does start to point in the right direction.

   When you are querying a name server for any record that actually
   exists, a man-in-the-middle could replay that generic denial record
   that is not limited in its scope and it would be impossible to tell
   whether the response was genuine or spoofed.
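The point being made above is that the scope of a denial record, not its validity period, is what stops a man-in-the-middle from replaying it against a name that exists. The following is an added illustration, not text or code from the draft or from this thread: a minimal validator-side check of an NSEC record's range (RFC 4034 canonical ordering) together with the RRSIG validity window. The zone layout (apex example.org with owners a.example.org and d.example.org, query c.example.org) and the epoch timestamps are constructed for the example.

```python
def canonical_key(name: str) -> list[bytes]:
    """Sort key for RFC 4034 section 6.1 canonical ordering:
    labels compared right-to-left (root first), case-insensitively,
    and a name sorts before anything beneath it."""
    labels = [l.encode("ascii").lower()
              for l in name.rstrip(".").split(".") if l]
    return list(reversed(labels))

def nsec_covers(owner: str, next_name: str, apex: str, qname: str) -> bool:
    """True only if NSEC(owner -> next_name) actually proves that qname
    does not exist, i.e. owner < qname < next_name in canonical order.
    The last NSEC in a zone points back to the apex, so its range wraps.
    A query for owner or next_name itself is NOT covered: those names exist,
    which is exactly why a scoped denial cannot be replayed for them."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if n == canonical_key(apex):
        return o < q
    return o < q < n

def rrsig_valid_at(inception: int, expiration: int, now: int) -> bool:
    """RRSIG validity window (RFC 4034 section 3.1.5), here as plain
    epoch integers; limits for how long any replay stays acceptable."""
    return inception <= now <= expiration

def denial_acceptable(owner: str, next_name: str, apex: str, qname: str,
                      inception: int, expiration: int, now: int) -> bool:
    """Both checks must pass: the record is in its validity window AND its
    scope covers the queried name. Signature verification is assumed done."""
    return (rrsig_valid_at(inception, expiration, now)
            and nsec_covers(owner, next_name, apex, qname))

if __name__ == "__main__":
    # Constructed zone: example.org. with a.example.org and d.example.org.
    apex, inc, exp, now = "example.org", 1384900000, 1386000000, 1384980000
    # Genuine NXDOMAIN for c.example.org: in range, in validity window.
    print(denial_acceptable("a.example.org", "d.example.org", apex,
                            "c.example.org", inc, exp, now))       # True
    # Same record replayed against a name that exists: still in its
    # validity window, but the range does not cover it, so it is rejected.
    print(denial_acceptable("a.example.org", "d.example.org", apex,
                            "d.example.org", inc, exp, now))       # False
    # Last NSEC in the zone wraps to the apex and covers x.example.org.
    print(nsec_covers("d.example.org", "example.org", apex, "x.example.org"))
```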