Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th

Scott Schmit <> Wed, 09 March 2011 13:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 32B3A3A69A2 for <>; Wed, 9 Mar 2011 05:29:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.161
X-Spam-Status: No, score=-102.161 tagged_above=-999 required=5 tests=[AWL=0.438, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id K9oE+wkTeVwE for <>; Wed, 9 Mar 2011 05:29:05 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id E56083A696D for <>; Wed, 9 Mar 2011 05:29:04 -0800 (PST)
Received: from ([]) by with comcast id GzhQ1g0031uE5Es541WNo5; Wed, 09 Mar 2011 13:30:22 +0000
Received: from olympia.mars.sol ([]) by with comcast id H1WL1g01Q00PQ6U3c1WLig; Wed, 09 Mar 2011 13:30:21 +0000
Received: from olympia.mars.sol (localhost []) by olympia.mars.sol (8.14.4/8.14.3) with ESMTP id p29DUH0e006331 for <>; Wed, 9 Mar 2011 08:30:17 -0500
Received: (from draco@localhost) by olympia.mars.sol (8.14.4/8.14.4/Submit) id p29DUHPx006329 for; Wed, 9 Mar 2011 08:30:17 -0500
Date: Wed, 9 Mar 2011 08:30:17 -0500
From: Scott Schmit <>
Message-ID: <20110309133017.GA19809@odin.mars.sol>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 09 Mar 2011 13:29:06 -0000

On Tue, Mar 08, 2011 at 08:32:05PM +0000, Tony Finch wrote dnsext:
> On Tue, 8 Mar 2011, Roy Arends wrote:
> >
> >    D.    Motivation for the new RRTYPE application?
> >
> >          To allow a copy of the DS RRset [RFC4034] to be published
> >          in the child zone, which is used to update the parent DS RRset.
> >          It is expected that this will allow the rollover of a key signing
> >          key to be automated.
> Why not just use the child zone's SEP DNSKEY RRs for this purpose?

I'm inclined to agree with this, but even if it's decided that the
DNSKEY RRs aren't sufficient, why not just use DS on the client side? I
see that RFC 3658 forbids it, but I'm not sure I understand why.  We
don't have CNS in addition to NS, so why should DS be different? I can
understand that DS must be ignored by a client unless it's signed by the
parent, but if that check doesn't already exist, we're already in

So, maybe they didn't think of the use case this draft is trying to
address and forbade it to keep the software implementations simpler? But
that could have been accomplished simply by saying that a DS on the
child side is ignored for validation purposes (it now becomes pointless
(but harmless) to include it, except as a way to securely send DS
records from the child to the parent).

Even if this language tweak were to be applied after the fact, I don't
think there is an interoperability problem.  There are 4 cases:

1) the parent has no DS, nor does the child -- the pre-DNSSEC case

2) the parent has no DS, but the child does -- the DS must be regarded
as fake and ignored by resolvers already, or we have problems.  (Even
with the new draft, the parent MUST NOT attempt to use the DS in the
child to seed anything -- it needs to be supplied by a secure
mechanism, and a child DS signed by an untrusted DNSKEY isn't it)

3) the parent has a DS, but the child doesn't -- the current DNSSEC case

4) the parent has a DS, and so does the child -- this is the new thing
that this draft is trying to enable to support KSK rollover.

I would argue that case 4 should be harmless, unless I've overlooked
something: either nothing is looking for this and should ignore it, or
the DS should be regarded as fake by older software and ignored by
resolvers (if it's not, the software already has a security hole --
simply DOS a zone with an unsigned parent by sending fake DS records
purportedly from the child), or the DS should look valid (because it
fits a chain of signatures) and possibly extra DNSKEYs match & are
regarded as valid.  But since the chain of signatures is valid, it's
still secure.

If people started writing zone signers to rely on this mechanism to
introduce new keys, I could see there being interoperability issues
(some resolvers would treat the domain as secure, and others wouldn't),
but since this is new behavior, this draft can (and should) explain that
this cannot be relied upon (and DNSKEYs should be used instead for this
purpose).  Alternatively, to keep implementations simple, state that
child DS RRs MUST NOT be used as part of authenticating RR contents, but
they are allowed to exist and be queried for (and I could almost imagine
that the only code this would affect is zone checker tools). The only
place where that would be a problem is for people who want to use this
mechanism, so that's motivation to update the checkers anyway.

I can understand the motivation of introducing a new RRTYPE to avoid
needing to alter existing MUST NOTs, but CDS just seems unnecessary.

Maybe there's another reason to forbid DS on the child side that I've

Scott Schmit