IETF Logo Mail Archive

Re: [dnsext] Clarifying the mandatory algorithm rules

Mark Andrews <marka@isc.org> Fri, 19 November 2010 00:41 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C2A253A68E5 for <dnsext@core3.amsl.com>; Thu, 18 Nov 2010 16:41:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level:
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[AWL=-2.500, BAYES_00=-2.599, GB_SUMOF=5]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KfmsgIUAv1MJ for <dnsext@core3.amsl.com>; Thu, 18 Nov 2010 16:41:06 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by core3.amsl.com (Postfix) with ESMTP id AE74C3A68C5 for <dnsext@ietf.org>; Thu, 18 Nov 2010 16:41:05 -0800 (PST)
Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "farside.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id B17D55F983B for <dnsext@ietf.org>; Fri, 19 Nov 2010 00:41:39 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:ea06:88ff:fef3:4f9c]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by farside.isc.org (Postfix) with ESMTP id 94334E605D for <dnsext@ietf.org>; Fri, 19 Nov 2010 00:41:37 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 993F26EB749 for <dnsext@ietf.org>; Fri, 19 Nov 2010 11:41:34 +1100 (EST)
To: dnsext@ietf.org
From: Mark Andrews <marka@isc.org>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE53927.9090203@isc.org> <4CE58E90.6030607@nic.cz> <AANLkTin2H7UkP7FVfz3GN74CKtqn2OKo7MmcKMGOkvNY@mail.gmail.com><4CE59B3D.5020109@nic.cz>
In-reply-to: Your message of "Thu, 18 Nov 2010 22:31:41 BST." <4CE59B3D.5020109@nic.cz>
Date: Fri, 19 Nov 2010 11:41:34 +1100
Message-Id: <20101119004134.993F26EB749@drugs.dv.isc.org>
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Nov 2010 00:41:06 -0000

The intent of this section was to prevent downgrade to insecure due
to a attacker dropping RRSIGS.  DNSSEC has always been "if *any*
signature validates then the RRset validates".  There is no concept
of a "more secure algorithm" in DNSSEC.  There may be outside of
DNSSEC but not inside.

If the archives were online you could see that this was the intent
of this paragraph.

When a operator of a zone publishes DS (or trust-anchors) for a
zone with a algorithm that is a claim that the entire zone is signed
with that algorithm.  That claim will continue to hold for the life
of the DS records or until the operator can be assured that the
trust anchors have been removed for the algorithm, whichever is
longer.

Additionally the MUST is a directive to *zone operators*.  A zone
operator can comply with that MUST but validation will still fail
with unbound as unbound requires that a zone be signed with DNSKEYs
which are NOT in the zone prior to adding the DNSKEY to the zone
due to caching.  On this alone it is clear that unbound is in the
wrong.

If you want to do downgrade protection between algorithms one can
but only for the algorithms listed in the DS / trust-anchors.  They
are the only algorithms that the zone operator has made any claims
of existance for.

I think the paragraph in question should be relaxed to make to MUST
only apply to algorithms listed in the DS / published trust anchors.
This will allow for gradual introduction of RRSIG for new algorithms.
The current wording prevents this and is a real pain for large
zones.

It will also resolve this issue as now it is the sum of the algorithms
listed in DS (trust-anchors) + DNSKEY.

Mark

P.S. we need a better way to publish trust anchors in-band with
lifetimes etc. so that one can be assured that trust anchors expire
like DS and zones expire but that should be a different discussion.
RFC 5011 really isn't good enough.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email