IETF Logo Mail Archive

Re: some comments on draft-ietf-dnsext-forgery-resilience-01.txt

bert hubert <bert.hubert@netherlabs.nl> Wed, 15 August 2007 07:02 UTC

Return-path: <owner-namedroppers@ops.ietf.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ILCu2-0003DX-Pg; Wed, 15 Aug 2007 03:02:50 -0400
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ILCu1-0003yM-VK; Wed, 15 Aug 2007 03:02:50 -0400
Received: from majordom by psg.com with local (Exim 4.67 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1ILCkk-000Gr9-7w for namedroppers-data@psg.com; Wed, 15 Aug 2007 06:53:14 +0000
X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-1.4 required=5.0 tests=AWL,BAYES_00, HELO_DYNAMIC_DHCP,RDNS_NONE autolearn=no version=3.2.1
Received: from [82.93.240.211] (helo=adsl-xs4all.ds9a.nl) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.67 (FreeBSD)) (envelope-from <ahu@outpost.ds9a.nl>) id 1ILCkh-000Gqo-68 for namedroppers@ops.ietf.org; Wed, 15 Aug 2007 06:53:12 +0000
Received: from outpost.ds9a.nl ([213.244.168.210] ident=postfix) by adsl-xs4all.ds9a.nl with esmtp (Exim 4.63) (envelope-from <ahu@outpost.ds9a.nl>) id 1ILCkb-0001Ze-UO for namedroppers@ops.ietf.org; Wed, 15 Aug 2007 08:53:05 +0200
Received: by outpost.ds9a.nl (Postfix, from userid 1000) id 10F794B8F6; Wed, 15 Aug 2007 08:52:47 +0200 (CEST)
Date: Wed, 15 Aug 2007 08:52:46 +0200
From: bert hubert <bert.hubert@netherlabs.nl>
To: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: namedroppers@ops.ietf.org
Subject: Re: some comments on draft-ietf-dnsext-forgery-resilience-01.txt
Message-ID: <20070815065242.GB21499@outpost.ds9a.nl>
References: <E1IIPpu-0003yG-Ss@stiedprstage1.ietf.org> <20070807195914.GA27765@outpost.ds9a.nl> <a06240805c2e77c269953@[10.31.32.216]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <a06240805c2e77c269953@[10.31.32.216]>
User-Agent: Mutt/1.5.9i
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0fa76816851382eb71b0a882ccdc29ac

On Tue, Aug 14, 2007 at 12:09:24PM -0400, Edward Lewis wrote:

> #   5.  It is the first answer to match the previous four conditions.
> #
> #   Note that the fifth condition can strictly speaking be derived from
> #   the first.  It is included for clarity reasons only.
> 
> In the reading it seems that the text is from RFC 1034/5.3.3 (which 
> refers only to earlier lines apparently).  I went back and forth 
> trying to find the source of this until I realized it is probably an 
> interpretation and not the source.

We do quote a bit from section 5.3.3 of RFC 1035, and this bit is indented.
The other lines, 1. through 5., are our own invention.

I've updated the xml a bit to clarify where the quote from RFC 1035 ends:

-           Section 5.3.3 of <xref target="RFC1034"/> presaged the present problem:
+           The following sentence in section 5.3.3 of <xref
target="RFC1034"/> presaged the present problem:

> Given that most sniffer based attacks are based on being closer to 
> the querier than the proper responder, I would look for the last 
> answer to match.  Of course, that is only theoretically possible as 
> you will never know if any event is the last time it happens.  Like 
> Elvis sightings.

That would be a good suggestion except in real life :-)

> The Note also is confusing. I don't see how you derive #5 from #1.

Indeed. It originally stated you could derive the fifth condition from the
first, where first was intended to be plural, and denote 1-4. But even that
is not true. Removed the note.

> #4.5.  Have the answer arrive before the authentic answer
> #
> #   Once any packet has matched the previous four conditions, no further
> #   answers should be accepted.
> 
> This is a strategy I disagree with, kinda.  If TSIG or DNSSEC is 
> used, responses matching the first four conditions ought to be queued 
> up until the answer has passed TSIG or DNSSEC checking.  This allows 
> these techniques to not just detect errors but detect and deflect 
> until the right answer comes (within the timeout).

Well, I'd hate to sprinkle TSIG and DNSSEC exceptions all over the document.
I'd rather have that this document updates RFC 1035, and tries not to
engtangle itself with other developments.

> #before applying DNS credibility rules.
> 
> RFC 2181 has trustworthiness rules, the are TSIG and DNSSEC rules.  I 
> don't know of other "DNS credibility rule" sets.  You probably at 
> least need a reference there.

Well spotted - I copy pasted this section from elsewhere, and didn't fully
verify it.

> #   The document can not require the use of either multiple ports or
> #   addresses as that is an operational issue and should be addressed in
> #   a separate document in DNSOP.
> 
> Don't let IETF document bureaucracy get in the way of a good story!

Thanks - I agree fully. Unsure what to do about it though..

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.46.0 | Report a Bug | By Email | System Status