Re: [dnsext] Clarifying the mandatory algorithm rules
Edward Lewis <Ed.Lewis@neustar.biz> Thu, 31 March 2011 19:17 UTC
Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0034C3A6B94 for <dnsext@core3.amsl.com>; Thu, 31 Mar 2011 12:17:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.551
X-Spam-Level:
X-Spam-Status: No, score=-102.551 tagged_above=-999 required=5 tests=[AWL=0.048, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJmVI0kvjFbb for <dnsext@core3.amsl.com>; Thu, 31 Mar 2011 12:17:00 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by core3.amsl.com (Postfix) with ESMTP id DDCEB3A6873 for <dnsext@ietf.org>; Thu, 31 Mar 2011 12:16:59 -0700 (PDT)
Received: from Work-Laptop-2.local (gatt.md.ogud.com [10.20.30.6]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p2VJIZBE089922; Thu, 31 Mar 2011 15:18:35 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Received: from [10.31.200.112] by Work-Laptop-2.local (PGP Universal service); Thu, 31 Mar 2011 15:18:36 -0400
X-PGP-Universal: processed; by Work-Laptop-2.local on Thu, 31 Mar 2011 15:18:36 -0400
Mime-Version: 1.0
Message-Id: <a06240800c9ba6184d535@[10.31.200.112]>
In-Reply-To: <4D938CC3.1020103@nlnetlabs.nl>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE51293.5040605@nlnetlabs.nl> <a06240801c9101620d463@192.168.128.163> <22284.1290447209@nsa.vix.com> <4CF4D54B.5000407@nlnetlabs.nl> <20110310223438.978E9C0E902@drugs.dv.isc.org> <4D79DDFA.3010006@nlnetlabs.nl> <alpine.BSF.2.00.1103140901170.99213@fledge.watson.org> <20110314213319.A2799C8CA0B@drugs.dv.isc.org> <alpine.BSF.2.00.1103141750530.74870@fledge.watson.org> <a06240800c9a50cf4632a@10.31.200.110> <AANLkTimUUa5zkr+hZH4jR-euENg_n=9EwtRVBN-cxr9_@mail.gmail.com> <a06240802c9a7b6cb4cc3@192.168.1.105> <AANLkTin+hMZ-27VjkQq7_44zNguMiefhxbgGD+-XZxPP@mail.gmail.com> <a06240802c9a7e0807069@10.31.200.117> <AANLkTi=4co5mS3RYhK1BvUMOm54wgNAMeKtk3_Zm0ff1@mail.gmail.com> <a06240802c9a93d762e13@[10.31.200.112]> <a06240803c9a9417e1fe8@[10.31.200.112]> <4D938CC3.1020103@nlnetlabs.nl>
Date: Thu, 31 Mar 2011 15:03:32 -0400
To: Matthijs Mekking <matthijs@NLnetLabs.nl>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, dnsext@ietf.org
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2011 19:17:02 -0000
Ironically, I was thinking about this issue when the mail came in yesterday. At 22:04 +0200 3/30/11, Matthijs Mekking wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Ok, so let's try to come to a reasonable clarifying text: > >- ------------------------------------------------------------------------- >Section ?.? Clarifying the validators interpretation regarding multiple >algorithms. > >RFC 4035, section 2.2 talks about Zone Signing. It mentions that > > "There MUST be an RRSIG for each RRset using at least one DNSKEY of > each algorithm in the zone apex DNSKEY RRset". > >This is a requirement at the server side, not the client side. In other >words, when a validating resolvers is in the process of validating a >RRset, it SHOULD NOT expect a RRSIG of each algorithm that is in the >zone apex DNSKEY RRset. >- ------------------------------------------------------------------------- That's not right either, unfortunately, I want to avoid "SHOULD NOT expect" in the text. How about trying this for the last part of the last sentence. ...it SHOULD expect to find an RRSIG of *any* algorithm that is in the zone apex DNSKEY RRset. As a validator ought to be satisfied in building one chain of trust acceptable to local policy, a validator SHOULD NOT check that all signatures are received. Doing so represents a distraction from the goal of returning an answer swiftly. A validator MAY have a configuration option to perform a signature completeness test to support troubleshooting. The *any* there is important, but not the *'s. I added them to stress the "any." >This only fixes the misinterpretation on the expectation a validator may >have. It does not deal with algorithm downgrade protection at all (as >some may believe does not exist in DNSSEC). If there is need for >clarifying algorithm downgrade protection, or its non-existence, I >suggest something in the line of: > >- ------------------------------------------------------------------------- >Section ?.? Algorithm downgrade protection. > >The validator could check that there are RRSIG records for each RRset >using at least one DNSKEY of each algorithm in the DS RRset, published >in the parent zone. This *** > >*** Choice here >- - is however NOT RECOMMENDED. ['the one signature is enough approach'] >- - is OPTIONAL. ['leave the choice to the implementation' approach] >- - is RECOMMENDED behavior. ['algorithm downgrade protection' apprpach] >- ------------------------------------------------------------------------- NOT RECOMMENDED, I consider it unnecessary work towards the goal of finding what the client asked for. That is, in a default setting. The principle that I am pinning this on is that one of the strengths of the DNS protocol is a fast response. > >Best regards, > >Matthijs > > > >On 03/18/2011 06:07 PM, Edward Lewis wrote: >> I should add...just because "there's supposed to be X" doesn't mean X >> has to be there. If I'm looking for X and it's not there, we have a >> failure. If I'm not looking for X and it is not there, "no harm, no >> foul." (The latter is the same as not needing X and it's there anyway.) >> >> At 12:59 -0400 3/18/11, Edward Lewis wrote: >>> At 9:36 -0700 3/18/11, Casey Deccio wrote: >>> >>> >>>> Okay, so the signer sets the expectation of the validator using the >>>> algorithms in the DS RRset. Now, does this expectation hold for >>>> simply authenticating the DNSKEY RRset or for all zone data? >>> >>> No, the specification sets expectations. I don't mean to be a pain, >>> but the first words say this: "The reason for the specification is to >>> set the expectation." I mean that in the strictest sense. The >>> validator knows there's supposed to be X because the spec says so. >>> >>>> For example: >>>> >>>> - DS RRset has only algorithm 5 >>>> - DNSKEY RRset signed by a DNSKEY matching the DS (alg 5) >>>> - DNSKEY RRset contains DNSKEYs with algs 5 and 3 >>>> - DNSKEY with alg 3 signs A RRset. >>>> >>>> Is there a valid chain to the A RRset, or is it a protocol failure? >>> >>> Depends. If the validator knows both 3 and 5, then it can build a >>> chain and it's cool. If the validator only knows 5, then there's a >>> missing piece. If the validator only knows 3, there's no chain to the >>> data. >>> >>> In summary: >>> Validator knows 3 & 5 - validates >>> Validator knows only 3 - data is accepted as not-signed. >>> Validator knows only 5 - service failure as *expected* signature is >>> not found* >>> Validator doesn't to 3 & 5 - accepted as not-signed >>> Validator doesn't do DNSSEC - accepted as not-signed >>> >>> *not found = not obtainable, can't get it, ... >>> >>>> Following the principle of "if one chain works, it succeeds", I would >>>> say >>>> that it is valid. But it's unclear whether this is part of the >>>> expectation >>>> of the signer for the validator, and even the paragraph quoted above >>>> seems >>>> to declare it a protocol failure--although I well understand your >>>> position >>>> on principle. Whether it is valid or not, I believe it should be >>>> worded explicitly to avoid ambiguity and accurately convey principle. >>> >>> It is always up to the validator to decide if it accepts the data. >>> Local policy and DNSSEC is about protecting the cache. DNSSEC is NOT >>> designed to enforce proper operations, it is NOT to force the zone >>> admin into doing anything. Remember, DNSSEC is optional to the >>> protocol, it's the validators that want to pull the data for protection. >>> >>> -- >>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- >>> >>> Edward Lewis >>> NeuStar You can leave a voice message at >>> +1-571-434-5468 >>> >>> Me to infant son: "Waah! Waah! Is that all you can say? Waah?" >>> Son: "Waah!" >>> _______________________________________________ >>> dnsext mailing list >>> dnsext@ietf.org >>> https://www.ietf.org/mailman/listinfo/dnsext >> >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.10 (GNU/Linux) >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > >iQEcBAEBAgAGBQJNk4zDAAoJEA8yVCPsQCW502MH/0unZXAo8KqLpwDrXbBBaGps >5rm7eA6rgipU1y99QOMZOggzu5XsI3VVZq8LiTIzKgBB69iufN392v/4afWiEgcW >LGdETtYwQmaif+Rj7+3UhjbSFJj7h2yPUlDvFoT66YOr7HaV+Ow9niYSnTbxmZgV >L/AWNjdpMsfmFoxk9OfJZlYnfgPA2gK4UyUG5YduwybeW1REcqyoQ3V73HnkhZod >SZ5QDHp/mRj4JjlACwSPSg5cQO1hURfp4r43oad0mO2Y1p2cjknp/cF9kcgI2VQu >bBSQ+0oEz55N/8yqzKznfY9tsUWwfsnBmjkMyA8mKD9BuzstScCvXs71K1Dz3SM= >=vrOn >-----END PGP SIGNATURE----- -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 Me to infant son: "Waah! Waah! Is that all you can say? Waah?" Son: "Waah!"
- Re: [dnsext] Clarifying the mandatory algorithm r… Jeffrey A. Williams
- Re: [dnsext] Clarifying the mandatory algorithm r… Jeffrey A. Williams
- Re: [dnsext] Clarifying the mandatory algorithm r… Jeffrey A. Williams
- [dnsext] Clarifying the mandatory algorithm rules Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… W.C.A. Wijngaards
- Re: [dnsext] Clarifying the mandatory algorithm r… W.C.A. Wijngaards
- Re: [dnsext] Clarifying the mandatory algorithm r… Phillip Hallam-Baker
- Re: [dnsext] Clarifying the mandatory algorithm r… Florian Weimer
- Re: [dnsext] Clarifying the mandatory algorithm r… Jelte Jansen
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Brian Dickson
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Brian Dickson
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Brian Dickson
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… George Barwood
- Re: [dnsext] Clarifying the mandatory algorithm r… Jelte Jansen
- Re: [dnsext] Clarifying the mandatory algorithm r… W.C.A. Wijngaards
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… W.C.A. Wijngaards
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Jelte Jansen
- Re: [dnsext] Clarifying the mandatory algorithm r… Doug Barton
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Jelte Jansen
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Paul Vixie
- Re: [dnsext] Clarifying the mandatory algorithm r… W.C.A. Wijngaards
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Phillip Hallam-Baker
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Brian Dickson
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Olafur Gudmundsson
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Alfred Hönes
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Brian Dickson
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Casey Deccio
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Casey Deccio
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Casey Deccio
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- [dnsext] MAR proposal #1: Algorithm downgrade pro… Samuel Weiler
- Re: [dnsext] MAR proposal #1: Algorithm downgrade… Samuel Weiler
- [dnsext] MAR proposal #2: Allowing pre-publishing… Samuel Weiler
- Re: [dnsext] MAR proposal #1: Algorithm downgrade… Edward Lewis
- Re: [dnsext] MAR proposal #2: Allowing pre-publis… Edward Lewis
- Re: [dnsext] MAR proposal #1: Algorithm downgrade… Mark Andrews
- Re: [dnsext] MAR proposal #1: Algorithm downgrade… Paul Hoffman
- Re: [dnsext] MAR proposal #2: Allowing pre-publis… Paul Hoffman
- Re: [dnsext] MAR proposal #1: Algorithm downgrade… Brian Dickson
- Re: [dnsext] MAR proposal #2: Allowing pre-publis… Marc Lampo
- Re: [dnsext] MAR proposal #2: Allowing pre-publis… Matthijs Mekking
- Re: [dnsext] MAR proposal #2: Allowing pre-publis… Joe Abley
- Re: [dnsext] Clarifying the mandatory algorithm r… weiler