IETF Logo Mail Archive

Re: [dnsext] Clarifying the mandatory algorithm rules

Edward Lewis <Ed.Lewis@neustar.biz> Thu, 31 March 2011 19:17 UTC

Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0034C3A6B94 for <dnsext@core3.amsl.com>; Thu, 31 Mar 2011 12:17:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.551
X-Spam-Level:
X-Spam-Status: No, score=-102.551 tagged_above=-999 required=5 tests=[AWL=0.048, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJmVI0kvjFbb for <dnsext@core3.amsl.com>; Thu, 31 Mar 2011 12:17:00 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by core3.amsl.com (Postfix) with ESMTP id DDCEB3A6873 for <dnsext@ietf.org>; Thu, 31 Mar 2011 12:16:59 -0700 (PDT)
Received: from Work-Laptop-2.local (gatt.md.ogud.com [10.20.30.6]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p2VJIZBE089922; Thu, 31 Mar 2011 15:18:35 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Received: from [10.31.200.112] by Work-Laptop-2.local (PGP Universal service); Thu, 31 Mar 2011 15:18:36 -0400
X-PGP-Universal: processed; by Work-Laptop-2.local on Thu, 31 Mar 2011 15:18:36 -0400
Mime-Version: 1.0
Message-Id: <a06240800c9ba6184d535@[10.31.200.112]>
In-Reply-To: <4D938CC3.1020103@nlnetlabs.nl>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE51293.5040605@nlnetlabs.nl> <a06240801c9101620d463@192.168.128.163> <22284.1290447209@nsa.vix.com> <4CF4D54B.5000407@nlnetlabs.nl> <20110310223438.978E9C0E902@drugs.dv.isc.org> <4D79DDFA.3010006@nlnetlabs.nl> <alpine.BSF.2.00.1103140901170.99213@fledge.watson.org> <20110314213319.A2799C8CA0B@drugs.dv.isc.org> <alpine.BSF.2.00.1103141750530.74870@fledge.watson.org> <a06240800c9a50cf4632a@10.31.200.110> <AANLkTimUUa5zkr+hZH4jR-euENg_n=9EwtRVBN-cxr9_@mail.gmail.com> <a06240802c9a7b6cb4cc3@192.168.1.105> <AANLkTin+hMZ-27VjkQq7_44zNguMiefhxbgGD+-XZxPP@mail.gmail.com> <a06240802c9a7e0807069@10.31.200.117> <AANLkTi=4co5mS3RYhK1BvUMOm54wgNAMeKtk3_Zm0ff1@mail.gmail.com> <a06240802c9a93d762e13@[10.31.200.112]> <a06240803c9a9417e1fe8@[10.31.200.112]> <4D938CC3.1020103@nlnetlabs.nl>
Date: Thu, 31 Mar 2011 15:03:32 -0400
To: Matthijs Mekking <matthijs@NLnetLabs.nl>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, dnsext@ietf.org
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2011 19:17:02 -0000

Ironically, I was thinking about this issue when the mail came in yesterday.

At 22:04 +0200 3/30/11, Matthijs Mekking wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Ok, so let's try to come to a reasonable clarifying text:
>
>- -------------------------------------------------------------------------
>Section ?.? Clarifying the validators interpretation regarding multiple
>algorithms.
>
>RFC 4035, section 2.2 talks about Zone Signing. It mentions that
>
>  "There MUST be an RRSIG for each RRset using at least one DNSKEY of
>   each algorithm in the zone apex DNSKEY RRset".
>
>This is a requirement at the server side, not the client side. In other
>words, when a validating resolvers is in the process of validating a
>RRset, it SHOULD NOT expect a RRSIG of each algorithm that is in the
>zone apex DNSKEY RRset.
>- -------------------------------------------------------------------------

That's not right either, unfortunately, I want to avoid "SHOULD NOT 
expect" in the text.  How about trying this for the last part of the 
last sentence.

...it SHOULD expect to find an RRSIG of *any* algorithm that is in 
the zone apex DNSKEY RRset.  As a validator ought to be satisfied in 
building one chain of trust acceptable to local policy, a validator 
SHOULD NOT check that all signatures are received.  Doing so 
represents a distraction from the goal of returning an answer 
swiftly.  A validator MAY have a configuration option to perform a 
signature completeness test to support troubleshooting.

The *any* there is important, but not the *'s.  I added them to 
stress the "any."

>This only fixes the misinterpretation on the expectation a validator may
>have. It does not deal with algorithm downgrade protection at all (as
>some may believe does not exist in DNSSEC). If there is need for
>clarifying algorithm downgrade protection, or its non-existence, I
>suggest something in the line of:
>
>- -------------------------------------------------------------------------
>Section ?.? Algorithm downgrade protection.
>
>The validator could check that there are RRSIG records for each RRset
>using at least one DNSKEY of each algorithm in the DS RRset, published
>in the parent zone. This ***
>
>*** Choice here
>- - is however NOT RECOMMENDED. ['the one signature is enough approach']
>- - is OPTIONAL. ['leave the choice to the implementation' approach]
>- - is RECOMMENDED behavior. ['algorithm downgrade protection' apprpach]
>- -------------------------------------------------------------------------


NOT RECOMMENDED, I consider it unnecessary work towards the goal of 
finding what the client asked for.  That is, in a default setting. 
The principle that I am pinning this on is that one of the strengths 
of the DNS protocol is a fast response.

>
>Best regards,
>
>Matthijs
>
>
>
>On 03/18/2011 06:07 PM, Edward Lewis wrote:
>>  I should add...just because "there's supposed to be X" doesn't mean X
>>  has to be there.  If I'm looking for X and it's not there, we have a
>>  failure.  If I'm not looking for X and it is not there, "no harm, no
>>  foul."  (The latter is the same as not needing X and it's there anyway.)
>>
>>  At 12:59 -0400 3/18/11, Edward Lewis wrote:
>>>  At 9:36 -0700 3/18/11, Casey Deccio wrote:
>>>
>>>
>>>>  Okay, so the signer sets the expectation of the validator using the
>>>>  algorithms in the DS RRset.  Now, does this expectation hold for
>>>>  simply authenticating the DNSKEY RRset or for all zone data?
>>>
>>>  No, the specification sets expectations.  I don't mean to be a pain,
>>>  but the first words say this: "The reason for the specification is to
>>>  set the expectation."  I mean that in the strictest sense.  The
>>>  validator knows there's supposed to be X because the spec says so.
>>>
>>>>  For example:
>>>>
>>>>  - DS RRset has only algorithm 5
>>>>  - DNSKEY RRset signed by a DNSKEY matching the DS (alg 5)
>>>>  - DNSKEY RRset contains DNSKEYs with algs 5 and 3
>>>>  - DNSKEY with alg 3 signs A RRset.
>>>>
>>>>  Is there a valid chain to the A RRset, or is it a protocol failure?
>>>
>>>  Depends.  If the validator knows both 3 and 5, then it can build a
>>>  chain and it's cool.  If the validator only knows 5, then there's a
>>>  missing piece.  If the validator only knows 3, there's no chain to the
>>>  data.
>>>
>>>  In summary:
>>>  Validator knows 3 & 5 - validates
>>>  Validator knows only 3 - data is accepted as not-signed.
>>>  Validator knows only 5 - service failure as *expected* signature is
>>>  not found*
>>>  Validator doesn't to 3 & 5 - accepted as not-signed
>>>  Validator doesn't do DNSSEC - accepted as not-signed
>>>
>>>  *not found = not obtainable, can't get it, ...
>>>
>>>>  Following the principle of "if one chain works, it succeeds", I would
>>>>  say
>>>>  that it is valid.  But it's unclear whether this is part of the
>>>>  expectation
>>>>  of the signer for the validator, and even the paragraph quoted above
>>>>  seems
>>>>  to declare it a protocol failure--although I well understand your
>>>>  position
>>>>  on principle.  Whether it is valid or not, I believe it should be
>>>>  worded explicitly to avoid ambiguity and accurately convey principle.
>>>
>>>  It is always up to the validator to decide if it accepts the data.
>>>  Local policy and DNSSEC is about protecting the cache.  DNSSEC is NOT
>>>  designed to enforce proper operations, it is NOT to force the zone
>>>  admin into doing anything.  Remember, DNSSEC is optional to the
>>>  protocol, it's the validators that want to pull the data for protection.
>>>
>>>  --
>>>  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>>
>>>  Edward Lewis
>>>  NeuStar                    You can leave a voice message at
>>>  +1-571-434-5468
>>>
>>>  Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
>>>  Son: "Waah!"
>>>  _______________________________________________
>>>  dnsext mailing list
>>>  dnsext@ietf.org
>>>  https://www.ietf.org/mailman/listinfo/dnsext
>>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.10 (GNU/Linux)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
>iQEcBAEBAgAGBQJNk4zDAAoJEA8yVCPsQCW502MH/0unZXAo8KqLpwDrXbBBaGps
>5rm7eA6rgipU1y99QOMZOggzu5XsI3VVZq8LiTIzKgBB69iufN392v/4afWiEgcW
>LGdETtYwQmaif+Rj7+3UhjbSFJj7h2yPUlDvFoT66YOr7HaV+Ow9niYSnTbxmZgV
>L/AWNjdpMsfmFoxk9OfJZlYnfgPA2gK4UyUG5YduwybeW1REcqyoQ3V73HnkhZod
>SZ5QDHp/mRj4JjlACwSPSg5cQO1hURfp4r43oad0mO2Y1p2cjknp/cF9kcgI2VQu
>bBSQ+0oEz55N/8yqzKznfY9tsUWwfsnBmjkMyA8mKD9BuzstScCvXs71K1Dz3SM=
>=vrOn
>-----END PGP SIGNATURE-----

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"

v2.23.0 | Report a Bug | By Email