[DNSOP] Re: [Technical Errata Reported] RFC6781 (6692)
Warren Kumari <warren@kumari.net> Tue, 09 July 2024 16:44 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54D64C1D6219 for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2024 09:44:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JxSdkE1RV5pi for <dnsop@ietfa.amsl.com>; Tue, 9 Jul 2024 09:44:02 -0700 (PDT)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B97F1C1D5C7D for <dnsop@ietf.org>; Tue, 9 Jul 2024 09:43:57 -0700 (PDT)
Received: by mail-ed1-x531.google.com with SMTP id 4fb4d7f45d1cf-57d05e0017aso6480316a12.1 for <dnsop@ietf.org>; Tue, 09 Jul 2024 09:43:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; t=1720543435; x=1721148235; darn=ietf.org; h=cc:to:subject:message-id:date:references:from:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=GCL5wYRQgXxJbGI0I3E6qGH3xNTpsQ98boL01AqcrQ4=; b=g4t6y8BcomX9NKg5xmTaP53wsKarmqZDz37M8RbKAbiTt9Luhw1tgpmLlbTz8Dwk1F i7neUvvVy9c5LH7Vj01HL7bozGvxvOTUvHuFuXHtqB/58ZZdzoYf11+ulPCeg5KArYxJ Twqq5GLTvdtvQgQEcGJNbkZCDSgpRsfgBw8oqgWcU1wG1EVhEgPG46WJpW7i21Epk0Z1 HcR4Y7hwy+6rg5E8pkBRD2RSbHeKh+t+GokY5eLU7vPMsNiybVAD0bZcLnV06f7FcN+G 4ZalfWr2Vs7odvZ2JaKjiAX19bLCkzitAtWxVIsfYToviMhjKDENgwRdRLO/uS5O84AT j8MA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720543435; x=1721148235; h=cc:to:subject:message-id:date:references:from:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GCL5wYRQgXxJbGI0I3E6qGH3xNTpsQ98boL01AqcrQ4=; b=KoSMwuqiwmNGF53RHmx6aWnQVq3h2Js8tIajlURdkvx1MUURXp3DZdAdjNNGVmHXCY 2HOJUR1+25hGhfBYeeuG63TPnPqlxUs6ysItM2RK3Kj4c2n6IhwCIUU+VCoKBSPX6fL7 nBESnVzob49i8UZOWndbkM451RNXJ5L5foEsncl25CdHlHIOyn8mlsMAcNVcmkusHVqB 0CneP0FjyEbARk+uLqos3weZHGn4f5KaXPR4ma5LCsAp4DGk1oBEK4flfSd/AgC3ggb/ YQkB4/i+UkxhB+zwa6F/y8f5h9MEOvS8tcAGm44Qwr+0kFYqwZk7Le9BdmeSIjN6k76+ hGDA==
X-Forwarded-Encrypted: i=1; AJvYcCWuVq/sFMmbijhSGih4RoLm33bwvxr+zadzG8dudfbOu0GOWoUX4GxUD7JtqKY2GttaeE6V0WOnzJQaRVML2g==
X-Gm-Message-State: AOJu0Yyk3XavHoCeXa++oCOvWSCvhQ4xsw+QIhMeijEN9D89KNvhfPui WXWZoC7l45iEcHNND2KjWsV9bb3fgtV7QXKnhPwWVi8BDMHohKwIUATYtWOOdXhOGA5NkAn4R7t qVYqcNY7cBV11XC1uB9yO5Q5+Kd5tnfnS8V6skg==
X-Google-Smtp-Source: AGHT+IG1w074GIypZjfWTA+jTF1UhmtCfXtCq/Yhu8jPGcJ3cn1/wqw3Le3BgDpMc9LwPwstB2ncfewxBT0Y4Ai8cpo=
X-Received: by 2002:a50:ab5a:0:b0:58c:ea9e:2194 with SMTP id 4fb4d7f45d1cf-594bb86a463mr1867006a12.32.1720543435271; Tue, 09 Jul 2024 09:43:55 -0700 (PDT)
Received: from 649336022844 named unknown by gmailapi.google.com with HTTPREST; Tue, 9 Jul 2024 12:43:54 -0400
Mime-Version: 1.0
X-Mailer: Superhuman Desktop (2024-07-08T19:05:41Z)
X-Superhuman-ID: lyen4hwq.7aaf1779-2f90-4ec0-ba42-de0b4621fbca
In-Reply-To: <c8c126da-9940-4db3-bdd5-ee8f5daa667e@desec.io>
From: Warren Kumari <warren@kumari.net>
X-Superhuman-Draft-ID: draft00f622edc7062a8d
References: <CAHw9_iJrP8_=z+wYPeUT7ErgquKz+4N2N78QfSzOX_d2mqas7w@mail.gmail.com> <c8c126da-9940-4db3-bdd5-ee8f5daa667e@desec.io>
Date: Tue, 09 Jul 2024 12:43:54 -0400
Message-ID: <CAHw9_iKOppR8NDZjJBaJoP1mnQi-utSxki+oYNXNCeTZM7SGuA@mail.gmail.com>
To: Peter Thomassen <peter@desec.io>
Content-Type: multipart/alternative; boundary="00000000000047ccbf061cd33cbd"
Message-ID-Hash: 3VSVICSOFRQK3EHT4XGJVMNA6OT2JR6W
X-Message-ID-Hash: 3VSVICSOFRQK3EHT4XGJVMNA6OT2JR6W
X-MailFrom: warren@kumari.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Matthijs Mekking <matthijs@pletterpet.nl>, Paul Wouters <paul@nohats.ca>, tjw.ietf@gmail.com, rwilton@cisco.com, dnsop@ietf.org, benno@nlnetlabs.nl, suzworldwide@gmail.com, RFC Errata System <rfc-editor@rfc-editor.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Technical Errata Reported] RFC6781 (6692)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-w3vSr_aY65BdjMQ-ZDeRRTWon8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Awesome, thank you! I marked it as Verified and linked to this thread for tracking / additional info. W On Mon, Jul 08, 2024 at 6:22 PM, Peter Thomassen <peter@desec.io> wrote: > Hi Warren, > > tl;dr: The erratum is correct, and I think can be verified. > > The situation described in the second-to-last paragraph of RFC 6781 > Section 4.3.5.1 (and illustrated in Appendix D) amounts to > > - adding operator B as a multi-signing party according to RFC 8901 Model, > - removing operator A. > > The delegation goes directly from NS_A to NS_B, whereas a permanent > multi-signer setup would have both NS_A and NS_B in the delegation. > Otherwise, the above is identical to a Model 2 multi-signer configuration. > > To evaluate the erratum, it thus helps to think about multi-signer > transitions. It turns out these have been analyzed in detail. For example, > see page 2 of the IETF 115 DNSOP presentation on Multi-Signer Key Exchange > [1], which says: > > DNSKEY responses must contain all keys a validating resolver may need for > validation [...] > (RRSIG is always from the same provider [as the DNSKEY RRset]) > > Perhaps an example helps. If you have two providers, a resolver might > fetch the DNSKEY RRset from provider A and some other RRset (e.g., www IN > A) from provider B. (In multi-signer, this happens routinely, and in RFC > 6781 Section 4.3.5.1 it happens when the delegation switches between the > two fetches.) -- Now, what's important is that, at each provider, > > 1.) the DNSKEY RRset has either provider's ZSK, so that one can validate > the "www IN A" RRset with it, regardless of which providers the DNSKEY and > A RRset were fetched from; > > 2.) the DNKSEY RRset itself needs to be validated, which works if it is > signed with a key that is represented in the DS RRset. In the situation at > hand, there DS records for *both* provider's KSK, so *either one* can be > used to validate the DNSKEY RRset. It therefore suffices if each provider > serves their own DNSKEY RRSIG. > > They only need import each other's ZSKs, but not exchange KSKs or RRSIGs. > > This is exactly the point of the erratum. > > Best, > Peter > > [1]: https://datatracker.ietf.org/meeting/115/materials/ > slides-115-dnsop-multi-signer-key-exchange-mske-00.pdf > > On 6/27/24 16:46, Warren Kumari wrote: > > Hi there WG, > > I am trying to go through and clean up all open Operations Errata. > > I would really appreciate some input / advice from the WG on what I should > do here — I've read and reread the thread and the document, and cannot > figure out if this Errata is correct or not…. > > I'm tempted to mark this as Hold for Document Update, but I'm not sure if > that is best. > > Errata: https://www.rfc-editor.org/errata/eid6692 <https://www.rfc-editor. > org/errata/eid6692> RFC: RFC6781 - "DNSSEC Operational Practices, Version > 2" <https://datatracker.ietf.org/doc/rfc6781/> > > Types of Errata: https://www.rfc-editor.org/errata-definitions/ <https:// > www.rfc-editor.org/errata-definitions/> > > W > > On Fri, Sep 24, 2021 at 3:35 PM, Matthijs Mekking <matthijs@pletterpet.nl > <mailto:matthijs@pletterpet.nl>> wrote: > > I am going to assume that the DNSKEY of this zone is not a trust anchor. > > So it is going to use the DS RRset, not a cached DNSKEY RRset, to > authenticate the child zone's apex DNSKEY RRset (the one from the > response). Then from RFC 4035: > > o The matching DNSKEY RR in the child zone has the Zone Flag bit set, the > corresponding private key has signed the child zone's apex DNSKEY RRset, > and the resulting RRSIG RR authenticates the child zone's apex DNSKEY > RRset. > > I read this as the cached DNSKEY RRset does not come into play when > validating the DNSKEY RRset from the response, and any implementation that > does otherwise is not compliant. > > - Matthijs > > On 24-09-2021 15:01, Paul Wouters wrote: > > On Fri, 24 Sep 2021, Matthijs Mekking wrote: > > Second, I believe the corner case you mentioned is for Figure 15 (the one > in Appendix D), and I don't understand the scenario you are describing. > What do you mean with "the resolver getting the DNKSEY RRset for NS_B would > not contain a valid key for the DNSKEY RRset of NS_B". I think the resolver > would get a new DNSKEY RRset with a pre-fetch (or if the DNSKEY RRset was > expired from cache) and that would be validated with the DNSKEY from the > response. > > If it has a valid unexpired DNSKEY RRset, and a resolver fetches that > DNSKEY RRset again, will it use the cached DNSKEY RRset or the DNSKEY RRset > from the fetched record set to validate the signature against the cached DS > RRset ? Or is this implementation specific? > > Paul > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > https://www.ietf.org/mailman/listinfo/dnsop <https://www.ietf.org/mailman/ > listinfo/dnsop> > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > https://www.ietf.org/mailman/listinfo/dnsop <https://www.ietf.org/mailman/ > listinfo/dnsop> > > _______________________________________________ > DNSOP mailing list -- dnsop@ietf.org > To unsubscribe send an email to dnsop-leave@ietf.org > > -- > Like our community service? 💛 > Please consider donating at > > https://desec.io/ > > deSEC e.V. > Kyffhäuserstr. 5 > 10781 Berlin > Germany > > Vorstandsvorsitz: Nils Wisiol > Registergericht: AG Berlin (Charlottenburg) VR 37525 >
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Matthijs Mekking
- [DNSOP] Re: [Technical Errata Reported] RFC6781 (… Warren Kumari
- [DNSOP] [Technical Errata Reported] RFC6781 (6692) RFC Errata System
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Paul Wouters
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Matthijs Mekking
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Paul Wouters
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Matthijs Mekking
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Paul Wouters
- Re: [DNSOP] [Technical Errata Reported] RFC6781 (… Matthijs Mekking
- [DNSOP] Re: [Technical Errata Reported] RFC6781 (… Peter Thomassen
- [DNSOP] Re: [Technical Errata Reported] RFC6781 (… Warren Kumari