[DNSOP] Re: [Technical Errata Reported] RFC6781 (6692)

Warren Kumari <warren@kumari.net> Tue, 09 July 2024 16:44 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54D64C1D6219 for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2024 09:44:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JxSdkE1RV5pi for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2024 09:44:02 -0700 (PDT)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B97F1C1D5C7D for <dnsop@ietf.org>; Tue, 9 Jul 2024 09:43:57 -0700 (PDT)
Received: by mail-ed1-x531.google.com with SMTP id 4fb4d7f45d1cf-57d05e0017aso6480316a12.1 for <dnsop@ietf.org>; Tue, 09 Jul 2024 09:43:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; t=1720543435; x=1721148235; darn=ietf.org; h=cc:to:subject:message-id:date:references:from:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=GCL5wYRQgXxJbGI0I3E6qGH3xNTpsQ98boL01AqcrQ4=; b=g4t6y8BcomX9NKg5xmTaP53wsKarmqZDz37M8RbKAbiTt9Luhw1tgpmLlbTz8Dwk1F i7neUvvVy9c5LH7Vj01HL7bozGvxvOTUvHuFuXHtqB/58ZZdzoYf11+ulPCeg5KArYxJ Twqq5GLTvdtvQgQEcGJNbkZCDSgpRsfgBw8oqgWcU1wG1EVhEgPG46WJpW7i21Epk0Z1 HcR4Y7hwy+6rg5E8pkBRD2RSbHeKh+t+GokY5eLU7vPMsNiybVAD0bZcLnV06f7FcN+G 4ZalfWr2Vs7odvZ2JaKjiAX19bLCkzitAtWxVIsfYToviMhjKDENgwRdRLO/uS5O84AT j8MA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720543435; x=1721148235; h=cc:to:subject:message-id:date:references:from:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GCL5wYRQgXxJbGI0I3E6qGH3xNTpsQ98boL01AqcrQ4=; b=KoSMwuqiwmNGF53RHmx6aWnQVq3h2Js8tIajlURdkvx1MUURXp3DZdAdjNNGVmHXCY 2HOJUR1+25hGhfBYeeuG63TPnPqlxUs6ysItM2RK3Kj4c2n6IhwCIUU+VCoKBSPX6fL7 nBESnVzob49i8UZOWndbkM451RNXJ5L5foEsncl25CdHlHIOyn8mlsMAcNVcmkusHVqB 0CneP0FjyEbARk+uLqos3weZHGn4f5KaXPR4ma5LCsAp4DGk1oBEK4flfSd/AgC3ggb/ YQkB4/i+UkxhB+zwa6F/y8f5h9MEOvS8tcAGm44Qwr+0kFYqwZk7Le9BdmeSIjN6k76+ hGDA==
X-Forwarded-Encrypted: i=1; AJvYcCWuVq/sFMmbijhSGih4RoLm33bwvxr+zadzG8dudfbOu0GOWoUX4GxUD7JtqKY2GttaeE6V0WOnzJQaRVML2g==
X-Gm-Message-State: AOJu0Yyk3XavHoCeXa++oCOvWSCvhQ4xsw+QIhMeijEN9D89KNvhfPui WXWZoC7l45iEcHNND2KjWsV9bb3fgtV7QXKnhPwWVi8BDMHohKwIUATYtWOOdXhOGA5NkAn4R7t qVYqcNY7cBV11XC1uB9yO5Q5+Kd5tnfnS8V6skg==
X-Google-Smtp-Source: AGHT+IG1w074GIypZjfWTA+jTF1UhmtCfXtCq/Yhu8jPGcJ3cn1/wqw3Le3BgDpMc9LwPwstB2ncfewxBT0Y4Ai8cpo=
X-Received: by 2002:a50:ab5a:0:b0:58c:ea9e:2194 with SMTP id 4fb4d7f45d1cf-594bb86a463mr1867006a12.32.1720543435271; Tue, 09 Jul 2024 09:43:55 -0700 (PDT)
Received: from 649336022844 named unknown by gmailapi.google.com with HTTPREST; Tue, 9 Jul 2024 12:43:54 -0400
Mime-Version: 1.0
X-Mailer: Superhuman Desktop (2024-07-08T19:05:41Z)
X-Superhuman-ID: lyen4hwq.7aaf1779-2f90-4ec0-ba42-de0b4621fbca
In-Reply-To: <c8c126da-9940-4db3-bdd5-ee8f5daa667e@desec.io>
From: Warren Kumari <warren@kumari.net>
X-Superhuman-Draft-ID: draft00f622edc7062a8d
References: <CAHw9_iJrP8_=z+wYPeUT7ErgquKz+4N2N78QfSzOX_d2mqas7w@mail.gmail.com> <c8c126da-9940-4db3-bdd5-ee8f5daa667e@desec.io>
Date: Tue, 09 Jul 2024 12:43:54 -0400
Message-ID: <CAHw9_iKOppR8NDZjJBaJoP1mnQi-utSxki+oYNXNCeTZM7SGuA@mail.gmail.com>
To: Peter Thomassen <peter@desec.io>
Content-Type: multipart/alternative; boundary="00000000000047ccbf061cd33cbd"
Message-ID-Hash: 3VSVICSOFRQK3EHT4XGJVMNA6OT2JR6W
X-Message-ID-Hash: 3VSVICSOFRQK3EHT4XGJVMNA6OT2JR6W
X-MailFrom: warren@kumari.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Matthijs Mekking <matthijs@pletterpet.nl>, Paul Wouters <paul@nohats.ca>, tjw.ietf@gmail.com, rwilton@cisco.com, dnsop@ietf.org, benno@nlnetlabs.nl, suzworldwide@gmail.com, RFC Errata System <rfc-editor@rfc-editor.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Technical Errata Reported] RFC6781 (6692)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-w3vSr_aY65BdjMQ-ZDeRRTWon8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Awesome, thank you!

I marked it as Verified and linked to this thread for tracking / additional
info.

W


On Mon, Jul 08, 2024 at 6:22 PM, Peter Thomassen <peter@desec.io> wrote:

> Hi Warren,
>
> tl;dr: The erratum is correct, and I think can be verified.
>
> The situation described in the second-to-last paragraph of RFC 6781
> Section 4.3.5.1 (and illustrated in Appendix D) amounts to
>
> - adding operator B as a multi-signing party according to RFC 8901 Model,
> - removing operator A.
>
> The delegation goes directly from NS_A to NS_B, whereas a permanent
> multi-signer setup would have both NS_A and NS_B in the delegation.
> Otherwise, the above is identical to a Model 2 multi-signer configuration.
>
> To evaluate the erratum, it thus helps to think about multi-signer
> transitions. It turns out these have been analyzed in detail. For example,
> see page 2 of the IETF 115 DNSOP presentation on Multi-Signer Key Exchange
> [1], which says:
>
> DNSKEY responses must contain all keys a validating resolver may need for
> validation [...]
> (RRSIG is always from the same provider [as the DNSKEY RRset])
>
> Perhaps an example helps. If you have two providers, a resolver might
> fetch the DNSKEY RRset from provider A and some other RRset (e.g., www IN
> A) from provider B. (In multi-signer, this happens routinely, and in RFC
> 6781 Section 4.3.5.1 it happens when the delegation switches between the
> two fetches.) -- Now, what's important is that, at each provider,
>
> 1.) the DNSKEY RRset has either provider's ZSK, so that one can validate
> the "www IN A" RRset with it, regardless of which providers the DNSKEY and
> A RRset were fetched from;
>
> 2.) the DNKSEY RRset itself needs to be validated, which works if it is
> signed with a key that is represented in the DS RRset. In the situation at
> hand, there DS records for *both* provider's KSK, so *either one* can be
> used to validate the DNSKEY RRset. It therefore suffices if each provider
> serves their own DNSKEY RRSIG.
>
> They only need import each other's ZSKs, but not exchange KSKs or RRSIGs.
>
> This is exactly the point of the erratum.
>
> Best,
> Peter
>
> [1]: https://datatracker.ietf.org/meeting/115/materials/
> slides-115-dnsop-multi-signer-key-exchange-mske-00.pdf
>
> On 6/27/24 16:46, Warren Kumari wrote:
>
> Hi there WG,
>
> I am trying to go through and clean up all open Operations Errata.
>
> I would really appreciate some input / advice from the WG on what I should
> do here — I've read and reread the thread and the document, and cannot
> figure out if this Errata is correct or not….
>
> I'm tempted to mark this as Hold for Document Update, but I'm not sure if
> that is best.
>
> Errata: https://www.rfc-editor.org/errata/eid6692 <https://www.rfc-editor.
> org/errata/eid6692> RFC: RFC6781 - "DNSSEC Operational Practices, Version
> 2" <https://datatracker.ietf.org/doc/rfc6781/>
>
> Types of Errata: https://www.rfc-editor.org/errata-definitions/ <https://
> www.rfc-editor.org/errata-definitions/>
>
> W
>
> On Fri, Sep 24, 2021 at 3:35 PM, Matthijs Mekking <matthijs@pletterpet.nl
> <mailto:matthijs@pletterpet.nl>> wrote:
>
> I am going to assume that the DNSKEY of this zone is not a trust anchor.
>
> So it is going to use the DS RRset, not a cached DNSKEY RRset, to
> authenticate the child zone's apex DNSKEY RRset (the one from the
> response). Then from RFC 4035:
>
> o The matching DNSKEY RR in the child zone has the Zone Flag bit set, the
> corresponding private key has signed the child zone's apex DNSKEY RRset,
> and the resulting RRSIG RR authenticates the child zone's apex DNSKEY
> RRset.
>
> I read this as the cached DNSKEY RRset does not come into play when
> validating the DNSKEY RRset from the response, and any implementation that
> does otherwise is not compliant.
>
> - Matthijs
>
> On 24-09-2021 15:01, Paul Wouters wrote:
>
> On Fri, 24 Sep 2021, Matthijs Mekking wrote:
>
> Second, I believe the corner case you mentioned is for Figure 15 (the one
> in Appendix D), and I don't understand the scenario you are describing.
> What do you mean with "the resolver getting the DNKSEY RRset for NS_B would
> not contain a valid key for the DNSKEY RRset of NS_B". I think the resolver
> would get a new DNSKEY RRset with a pre-fetch (or if the DNSKEY RRset was
> expired from cache) and that would be validated with the DNSKEY from the
> response.
>
> If it has a valid unexpired DNSKEY RRset, and a resolver fetches that
> DNSKEY RRset again, will it use the cached DNSKEY RRset or the DNSKEY RRset
> from the fetched record set to validate the signature against the cached DS
> RRset ? Or is this implementation specific?
>
> Paul
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
> https://www.ietf.org/mailman/listinfo/dnsop <https://www.ietf.org/mailman/
> listinfo/dnsop>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
> https://www.ietf.org/mailman/listinfo/dnsop <https://www.ietf.org/mailman/
> listinfo/dnsop>
>
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
>
> --
> Like our community service? 💛
> Please consider donating at
>
> https://desec.io/
>
> deSEC e.V.
> Kyffhäuserstr. 5
> 10781 Berlin
> Germany
>
> Vorstandsvorsitz: Nils Wisiol
> Registergericht: AG Berlin (Charlottenburg) VR 37525
>