Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th
Scott Schmit <i.grok@comcast.net> Wed, 09 March 2011 13:29 UTC
Return-Path: <i.grok@comcast.net>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 32B3A3A69A2 for <dnsext@core3.amsl.com>; Wed, 9 Mar 2011 05:29:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.161
X-Spam-Level:
X-Spam-Status: No, score=-102.161 tagged_above=-999 required=5 tests=[AWL=0.438, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K9oE+wkTeVwE for <dnsext@core3.amsl.com>; Wed, 9 Mar 2011 05:29:05 -0800 (PST)
Received: from qmta04.westchester.pa.mail.comcast.net (qmta04.westchester.pa.mail.comcast.net [76.96.62.40]) by core3.amsl.com (Postfix) with ESMTP id E56083A696D for <dnsext@ietf.org>; Wed, 9 Mar 2011 05:29:04 -0800 (PST)
Received: from omta16.westchester.pa.mail.comcast.net ([76.96.62.88]) by qmta04.westchester.pa.mail.comcast.net with comcast id GzhQ1g0031uE5Es541WNo5; Wed, 09 Mar 2011 13:30:22 +0000
Received: from olympia.mars.sol ([68.33.77.0]) by omta16.westchester.pa.mail.comcast.net with comcast id H1WL1g01Q00PQ6U3c1WLig; Wed, 09 Mar 2011 13:30:21 +0000
Received: from olympia.mars.sol (localhost [127.0.0.1]) by olympia.mars.sol (8.14.4/8.14.3) with ESMTP id p29DUH0e006331 for <dnsext@ietf.org>; Wed, 9 Mar 2011 08:30:17 -0500
Received: (from draco@localhost) by olympia.mars.sol (8.14.4/8.14.4/Submit) id p29DUHPx006329 for dnsext@ietf.org; Wed, 9 Mar 2011 08:30:17 -0500
Date: Wed, 09 Mar 2011 08:30:17 -0500
From: Scott Schmit <i.grok@comcast.net>
To: dnsext@ietf.org
Message-ID: <20110309133017.GA19809@odin.mars.sol>
Mail-Followup-To: dnsext@ietf.org
References: <C99C3502.72B1%roy@nominet.org.uk> <alpine.LSU.2.00.1103082030190.5244@hermes-1.csi.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LSU.2.00.1103082030190.5244@hermes-1.csi.cam.ac.uk>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dnsext] CDS RRTYPE review - Comments period end Mar 29th
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 13:29:06 -0000
On Tue, Mar 08, 2011 at 08:32:05PM +0000, Tony Finch wrote dnsext: > On Tue, 8 Mar 2011, Roy Arends wrote: > > > > D. Motivation for the new RRTYPE application? > > > > To allow a copy of the DS RRset [RFC4034] to be published > > in the child zone, which is used to update the parent DS RRset. > > It is expected that this will allow the rollover of a key signing > > key to be automated. > > Why not just use the child zone's SEP DNSKEY RRs for this purpose? I'm inclined to agree with this, but even if it's decided that the DNSKEY RRs aren't sufficient, why not just use DS on the client side? I see that RFC 3658 forbids it, but I'm not sure I understand why. We don't have CNS in addition to NS, so why should DS be different? I can understand that DS must be ignored by a client unless it's signed by the parent, but if that check doesn't already exist, we're already in trouble. So, maybe they didn't think of the use case this draft is trying to address and forbade it to keep the software implementations simpler? But that could have been accomplished simply by saying that a DS on the child side is ignored for validation purposes (it now becomes pointless (but harmless) to include it, except as a way to securely send DS records from the child to the parent). Even if this language tweak were to be applied after the fact, I don't think there is an interoperability problem. There are 4 cases: 1) the parent has no DS, nor does the child -- the pre-DNSSEC case 2) the parent has no DS, but the child does -- the DS must be regarded as fake and ignored by resolvers already, or we have problems. (Even with the new draft, the parent MUST NOT attempt to use the DS in the child to seed anything -- it needs to be supplied by a secure mechanism, and a child DS signed by an untrusted DNSKEY isn't it) 3) the parent has a DS, but the child doesn't -- the current DNSSEC case 4) the parent has a DS, and so does the child -- this is the new thing that this draft is trying to enable to support KSK rollover. I would argue that case 4 should be harmless, unless I've overlooked something: either nothing is looking for this and should ignore it, or the DS should be regarded as fake by older software and ignored by resolvers (if it's not, the software already has a security hole -- simply DOS a zone with an unsigned parent by sending fake DS records purportedly from the child), or the DS should look valid (because it fits a chain of signatures) and possibly extra DNSKEYs match & are regarded as valid. But since the chain of signatures is valid, it's still secure. If people started writing zone signers to rely on this mechanism to introduce new keys, I could see there being interoperability issues (some resolvers would treat the domain as secure, and others wouldn't), but since this is new behavior, this draft can (and should) explain that this cannot be relied upon (and DNSKEYs should be used instead for this purpose). Alternatively, to keep implementations simple, state that child DS RRs MUST NOT be used as part of authenticating RR contents, but they are allowed to exist and be queried for (and I could almost imagine that the only code this would affect is zone checker tools). The only place where that would be a problem is for people who want to use this mechanism, so that's motivation to update the checkers anyway. I can understand the motivation of introducing a new RRTYPE to avoid needing to alter existing MUST NOTs, but CDS just seems unnecessary. Maybe there's another reason to forbid DS on the child side that I've overlooked? -- Scott Schmit
- [dnsext] CDS RRTYPE review - Comments period end … Roy Arends
- Re: [dnsext] CDS RRTYPE review - Comments period … Tony Finch
- Re: [dnsext] CDS RRTYPE review - Comments period … George Barwood
- Re: [dnsext] CDS RRTYPE review - Comments period … Miek Gieben
- Re: [dnsext] CDS RRTYPE review - Comments period … Jelte Jansen
- Re: [dnsext] CDS RRTYPE review - Comments period … George Barwood
- Re: [dnsext] CDS RRTYPE review - Comments period … Miek Gieben
- Re: [dnsext] CDS RRTYPE review - Comments period … George Barwood
- Re: [dnsext] CDS RRTYPE review - Comments period … Scott Schmit
- Re: [dnsext] CDS RRTYPE review - Comments period … Andrew Sullivan
- Re: [dnsext] CDS RRTYPE review - Comments period … George Barwood
- Re: [dnsext] CDS RRTYPE review - Comments period … Olafur Gudmundsson
- Re: [dnsext] CDS RRTYPE review - Comments period … Phillip Hallam-Baker
- Re: [dnsext] CDS RRTYPE review - Comments period … Tony Finch
- Re: [dnsext] CDS RRTYPE review - Comments period … Tony Finch
- Re: [dnsext] CDS RRTYPE review - Comments period … Phillip Hallam-Baker
- Re: [dnsext] CDS RRTYPE review - Comments period … Matthew Pounsett
- Re: [dnsext] CDS RRTYPE review - Comments period … Olafur Gudmundsson
- Re: [dnsext] CDS RRTYPE review - Comments period … Miek Gieben
- Re: [dnsext] CDS RRTYPE review - Comments period … Paul Wouters
- Re: [dnsext] CDS RRTYPE review - Comments period … Mark Andrews
- Re: [dnsext] CDS RRTYPE review - Comments period … Mark Andrews
- Re: [dnsext] CDS RRTYPE review - Comments period … Stephan Lagerholm
- Re: [dnsext] CDS RRTYPE review - Comments period … Mark Andrews
- Re: [dnsext] CDS RRTYPE review - Comments period … George Barwood
- Re: [dnsext] CDS RRTYPE review - Comments period … Samuel Weiler
- Re: [dnsext] CDS RRTYPE review - Comments period … Stephan Lagerholm
- Re: [dnsext] CDS RRTYPE review - Comments period … Olafur Gudmundsson
- Re: [dnsext] CDS RRTYPE review - Comments period … Mark Andrews
- Re: [dnsext] CDS RRTYPE review - Comments period … Stephan Lagerholm
- Re: [dnsext] CDS RRTYPE review - Comments period … Stephan Lagerholm
- Re: [dnsext] CDS RRTYPE review - Comments period … Mark Andrews
- Re: [dnsext] CDS RRTYPE review - Comments period … Roy Arends