IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

Warren Kumari <warren@kumari.net> Sat, 09 May 2015 13:08 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10AB71ACD29 for <dnsop@ietfa.amsl.com>; Sat, 9 May 2015 06:08:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_81=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id etMLcL7rQqIs for <dnsop@ietfa.amsl.com>; Sat, 9 May 2015 06:08:04 -0700 (PDT)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 826001ACD28 for <dnsop@ietf.org>; Sat, 9 May 2015 06:08:04 -0700 (PDT)
Received: by widdi4 with SMTP id di4so58326138wid.0 for <dnsop@ietf.org>; Sat, 09 May 2015 06:08:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=xlkjj8XAytOSiVAZ6iqflwul6fQqlwjUgfdxV1gpAYw=; b=RTma+HRtJ2kpcs8rD9tCVKQKBxOiQNnTSdvKXfo55GCK5WsXSyLMFMLWLR4+HbVOrj Sz1yIlUbfQkIe7M0T6KQ08q5odSxjPvsGrVbLsbpSPq7pG65LJI5w/hTEFbxvN1Zp8VZ 4UptQG0aCQsbQSFvQDGZIxROqI7oqE+tMoPtMbLyLW4ykupV3J/rQu2TQ0zDJN3s+4XV +/QO9z0sUb3ZgjsWqMvfmyeCAhGllCaccj8al5P/pvhDQd6ETl2dn0FQMxt3JwsosuP/ sKlRiLkjf1x/N7+wJqyGJinNWmepT0NnDuj7P7H21wy2ABPP2zFwPOWpLQBRHtk0cLlX lvmA==
X-Gm-Message-State: ALoCoQkoAirSiVW5fxVdaGY87oznKxt/OKZZ5nfReEjW3KDVUyx+dKWKubpL9fEhMdnZDxbLnjEQ
MIME-Version: 1.0
X-Received: by 10.180.93.36 with SMTP id cr4mr4788361wib.61.1431176883234; Sat, 09 May 2015 06:08:03 -0700 (PDT)
Received: by 10.194.47.36 with HTTP; Sat, 9 May 2015 06:08:03 -0700 (PDT)
In-Reply-To: <E146311E-22F5-4CF8-BFDD-5CA4B675B0ED@nist.gov>
References: <553EBF02.3050703@gmail.com> <793F7CBB-198C-438D-9AD3-F1414E6011F3@vpnc.org> <E146311E-22F5-4CF8-BFDD-5CA4B675B0ED@nist.gov>
Date: Sat, 09 May 2015 15:08:03 +0200
Message-ID: <CAHw9_iKoXcRkew-poVLCTJu+yJi9bhPRhbnK2AWXzoE2EkC6ZQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: "Rose, Scott W." <scott.rose@nist.gov>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/0mv8QZQvRtcRBDSPzQPCk2g0BRA>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 May 2015 13:08:06 -0000

On Wed, May 6, 2015 at 3:33 PM, Rose, Scott W. <scott.rose@nist.gov> wrote:
> I think the draft is just about ready for publication as well.
>
> On May 5, 2015, at 5:53 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>
>> This document has progressed very well and is nearly ready for publication.
>>
>> Related to an earlier thread about intended status: "Informational" is most appropriate here because the document is all about proposed operations but no "best current practice". There is no problem with WGs producing Informational RFCs, and Informational RFCs can have RFC 2119 language.
>>
>> In Section 2, there should be a new paragraph after the first paragraph that describes why the "reasonable attempt" in the first paragraph is needed to determine whether the attacker has partial control of the zone, or is just mounting an on-path attack between all the nameservers and the recursive.
>>
>> In Section 2, it talks about "a popular domain name" but don't say how to determine that. Giving examples of sources of that data would be valuable.
>>
> I would recommend local query logs, naturally.


Oooh! Added.
Thanks.



>
>
>>
>> In Section 7.1, the second paragraph is *not* a security consideration, it is a proposal for how NTAs should be implemented. Please make this its own section earlier in the document, possibly called "Altering Users of NTA Use".
>>
> There is a security consideration there, reading between the lines - in that this is broadcasting a spoofable name to the world.  However, a "Altering User's" section would be a good addition to include text about apps that may break if it is known they demand to see the AD bit set in responses.


Good point. I'm assuming^W hoping that applications that assume a
domain is signed, and expect the AD bit *should* actually be doing
their own validation. But I added this to the security section (it
felt securityish).

"One side effect of implementing an NTA is that it may break client
applications that assume that a domain is signed and expect an AD bit
in the response. It is expected that many application that require
DNSSEC for a domain will perform their own validation, and so this
should not be a major issue."

Is this clear / helpful?

>
> Scott
>
>
>
> ===================================
> Scott Rose
> NIST
> scott.rose@nist.gov
> +1 301-975-8439
> Google Voice: +1 571-249-3671
> http://www.dnsops.gov/
> https://www.had-pilot.com/
> ===================================
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email