IETF Logo Mail Archive

Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-rfc8109bis

Shumon Huque <shuque@gmail.com> Fri, 06 October 2023 12:54 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7A7FC14F721 for <dnsop@ietfa.amsl.com>; Fri, 6 Oct 2023 05:54:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xHYm-SaTdrFA for <dnsop@ietfa.amsl.com>; Fri, 6 Oct 2023 05:54:12 -0700 (PDT)
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F3D6C180EC0 for <dnsop@ietf.org>; Fri, 6 Oct 2023 05:54:12 -0700 (PDT)
Received: by mail-il1-x130.google.com with SMTP id e9e14a558f8ab-352a1d77fa4so8940845ab.3 for <dnsop@ietf.org>; Fri, 06 Oct 2023 05:54:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1696596852; x=1697201652; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=uILYxANRBIcJQd8CVvxQIBArbr/+iS4AmhpWbkih1+A=; b=QqYDTK0xvuNh5u4AuQxz5Yxqocsz//VLLANdDk52BKevdjd5+i70HaoeCdPtBQTeZu Jog6axvjHOsNME3x9pXlc4uSWbenB/6CmntamSAx9m+TrUCbA913TE75bfgT3C5EdFbN UCMxIxR0w615sRb867KPF34KIhU/ugc3Z1RjEMZk4cCA3ngkWzvHUWs1vG8v+K2TqRZN TlMBbkxwFLmvToJfhWVLhzmBuk2F1vllMbQW04a6x7IQloD0HNuf2MoYYTOUASgq4j8U rTOH7JIvfreiqYA2o1elO+jskDui4KiDtO77YJLzPMgOKW0QCUb4ZnMDCKV7bDiU5fAu 5qvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696596852; x=1697201652; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=uILYxANRBIcJQd8CVvxQIBArbr/+iS4AmhpWbkih1+A=; b=aB3Q8onFa1OMJIPsKLyXnPhFp+iOKKo6skDeqIYSqiAMisAq7lE9zp7uWPnU50Qp7h nu98Btzgqj7v1lQm6E7VADFf2sL4dteP51iE0Pxgtyclueu6d9leNstaxLDE5CI9kpuP Wv32uHGO9sSDnsS9RVPvkkV5dG5+ob8S5tCeUN9byuoXAu72thbvmWPhaU8jbhzam20F 7MA1g4IudEhAZZcMaaY8r5sWcYeDLz2tXvCtx7fskvLiYk0Kx0ZszPE+sm+2yin39TpI 0E7jbALrh+maLjMuK5hxJl4wwPXExIDuHH0xFn/udAYEXtWmezCq3hl61sT48NryD0KV qZdw==
X-Gm-Message-State: AOJu0YwVAg56jU52BzW7HuuqiEM74UsJ0VljGckrraasiCAumHKvQCC5 /U3T5zZDrQovdc+sREyUzVKo+2G4RjwqIBYaN8s=
X-Google-Smtp-Source: AGHT+IGul50+GSyQrWbOAKSuCDDvR+Lh50vEphmcHAdzFhUS6as2xMVohVuhmzPJFazyzBDSBCGE3zlGXIfq31P9X+M=
X-Received: by 2002:a05:6e02:1d15:b0:351:ab2:2626 with SMTP id i21-20020a056e021d1500b003510ab22626mr8765503ila.24.1696596851585; Fri, 06 Oct 2023 05:54:11 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+EwQrGVrBXzxnO2=UiXPYks+q0cjDN7YmWVCPwG=Ai0iA@mail.gmail.com> <46b9c5d8-821d-ea1e-61b4-da5754be020e@desec.io> <3b56f445-cc96-0db1-3b89-05f803c53820@NLnetLabs.nl> <ca9b3a06-9dc5-db2a-753e-68cb8a225235@desec.io> <CADyWQ+HdY0a8XZequboCqWh7-AaiOK7Wk_8aOTzZwp+T1tMaCQ@mail.gmail.com> <8AA90E43-3D69-4E6A-AF5B-688FB1554DA2@icann.org> <CA+nkc8BQAG2vcZjonz8iHzXd-bZ392bL4VPfKGjzFpZpdd5TUA@mail.gmail.com>
In-Reply-To: <CA+nkc8BQAG2vcZjonz8iHzXd-bZ392bL4VPfKGjzFpZpdd5TUA@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Fri, 06 Oct 2023 08:53:59 -0400
Message-ID: <CAHPuVdVeUR9QOpZaUK7bU=-T7YCHVfCAGjdtppngnxDJQndeKA@mail.gmail.com>
To: Bob Harold <rharolde@umich.edu>
Cc: Paul Hoffman <paul.hoffman@icann.org>, DNSOP Working Group <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aa76e906070bbcfc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-mHescdg1KsYYkErf72YxeZ-YQE>
Subject: Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-rfc8109bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Oct 2023 12:54:14 -0000

On Fri, Oct 6, 2023 at 8:20 AM Bob Harold <rharolde@umich.edu> wrote:

>
> On Thu, Oct 5, 2023 at 6:16 PM Paul Hoffman <paul.hoffman@icann.org>
> wrote:
>
>> On Sep 14, 2023, at 18:46, Tim Wicinski <tjw.ietf@gmail.com> wrote:
>>
>> > We chairs heard back from the authors and we're pulling this working
>> group last call.
>>
>> We have turned in a -01 that addresses the initial comments in the WG
>> Last Call that the document had obvious labeled holes in it. One of those
>> holes had an old label on it, but the others needed filling, and we have
>> done that now. Whenever the chairs have another slot to start a WG Last
>> Call, we think this is now ready for it.
>>
>> --Paul Hoffman
>>
>
>
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8109bis-01
>
> 3.3. DNSSEC with Priming Queries
>
> The second paragraph confused me:
>
> "A machine-in-the-middle attack on the priming query could direct a
> resolver to a rogue root name server. Note, however, that a validating
> resolver will not accept responses from rogue root servers if they are
> different from the real responses because the resolver has a trust anchor
> for the root and the answers from the root are signed. Thus, if there is a
> machine-in-the-middle attack on the priming query, the results for a
> validating resolver could be a denial of service, or the attacker seeing
> queries while returning good answers, but not the resolver's accepting the
> bad responses."
>
> I took me a while to understand, but something like this is what I think
> it means, a little more clearly to me:
>
> A rogue server could return the proper NS RRset and signature, but fake A
> and AAAA records, since they are not signed, which would effectively block
> access to the root zone.  But when a request is made for other records in
> the root zone (like delegation NS records for a TLD, its normal role in DNS
> resolution), those records are DNSSEC signed and can be validated, so a
> rogue server can only block service, not give wrong answers that pass
> validation.
>
> Could something like that be included?
>

I don't think that's correct.

A priming query is for the NS RRset at the root zone. Root servers will
authoritatively answer that and return a signed root NS RRset, which can be
authenticated by resolvers. The glue records however are unsigned and could
be faked, so resolvers could still be directed to communicate with rogue
servers. But they could detect that attack after the fact, by examining the
subsequent responses from the rogue servers, and see if the parts in those
responses that should be signed are actually signed correctly.

Note that delegation NS records in a referral response are NOT signed (they
are not authoritative data). What is signed is either a DS record (set)
proving secure delegation to a signed TLD, or an NSEC record that proves
insecure delegation to an unsigned TLD.

I agree that the wording could be improved. I had trouble understanding
that paragraph too.

Shumon.

v2.23.0 | Report a Bug | By Email