IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

Daniel Migault <mglt.ietf@gmail.com> Wed, 25 January 2023 01:57 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADA01C1527A6 for <dnsop@ietfa.amsl.com>; Tue, 24 Jan 2023 17:57:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nTDTEKL6CTV2 for <dnsop@ietfa.amsl.com>; Tue, 24 Jan 2023 17:57:03 -0800 (PST)
Received: from mail-yw1-x112d.google.com (mail-yw1-x112d.google.com [IPv6:2607:f8b0:4864:20::112d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9024C151556 for <dnsop@ietf.org>; Tue, 24 Jan 2023 17:57:03 -0800 (PST)
Received: by mail-yw1-x112d.google.com with SMTP id 00721157ae682-4fda31c3351so215420217b3.11 for <dnsop@ietf.org>; Tue, 24 Jan 2023 17:57:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vgvpqxNx9Pwsi8QA7asxYnBI/MPlBqhN82yJ7LWlaok=; b=StU4CUQ11rpBPGDN1+5KLGS9O/EksYk26z0NHxZnGL/bTBSWGE32kGmvr7FbulYIDN QZgPdpOFvj9WgR9cN2Cm+Sr6wYiCMrjk1uM8ieHlvfNWwm9F5yTaJqJHIO6M3Pd9Aduu CTtOMqvDFrwPRAJIQcq1FSwKyeP0y7EQ/PzW/D/7wzfl2pfhm9ALWdCfaG8ahEpUr/da dpV6z54/ZfsZasUac3Hx7IYWnwy7BRyhywWAohrVRTP2yXbmgvfSRXAQ/jWUF0D1kku4 yB0TL1tl3rgjJ1qVVg6XpogkSX/vWti2twsgDjiVPPGRjt3r6DIX20HD9CeKk4SfpdAs avHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vgvpqxNx9Pwsi8QA7asxYnBI/MPlBqhN82yJ7LWlaok=; b=1CroKdQ4Wj5PIBYwmrX4T2H7hki9T+JsPeHndst4sPsd1AlotGTKvJQSYzXntWHZTN EwhsG+rMP1m04sid8kdqvNDZHAtSVHyjTu+8xJ1qWcnNqzHoWKgHMq3pDmliVquEKJw1 40Z7HAo2d5X9876DxOV3v2jk7Gw4veOn6Q5D3TEmeV+fAqNpakqhrSaR87VyGC/JvPVf SH1Ec7TwXBL6iGtmDCdlmKVR+/Top3MZszynF6rhCA2pz/0za6EG/RqAp6FuFRtmULzl et38FHTAY3so0jNW7vnOv8QmUxtxcweC/nYz2Poqgo8wY+Oi9W/oAqOJKPDhiJV2BpZs OpBQ==
X-Gm-Message-State: AO0yUKULXt9lFTNUQ0nfgzcontMETVrCY5epRRFCfTOCRLjrQwmP3cdE FNoBSFknOreJFoxSHoCJaDYhg7+TyxsXz1HLKHJXWADh
X-Google-Smtp-Source: AK7set8ywReAOIcXoDFeWB0JGBlHhrlwztP+rTndLAoCZ53q+t16WB2OoO76i/3RQMmJiV26SQa0fKsaMvoKx6+Qo4o=
X-Received: by 2002:a05:690c:31d:b0:506:653f:5040 with SMTP id bg29-20020a05690c031d00b00506653f5040mr173079ywb.46.1674611822714; Tue, 24 Jan 2023 17:57:02 -0800 (PST)
MIME-Version: 1.0
References: <CADyWQ+FwRaSdpSWXBDqCG9ZPNPiG4pGUx37PVtExbqVPr5ZfmA@mail.gmail.com> <65d26b98-e0d6-e69b-10d4-17632451cab6@nic.cz> <CADZyTk=wUydEv4X8KgHe3Mj0cZTmiaR3mjn_Z2n73U-eST-HPA@mail.gmail.com> <f397b7d4-fe4f-6000-5ce5-f2faa7b27b3e@nic.cz> <CADZyTkkdn__VhRRqwKDbNx3ymTR0KJmxoTN9aKMcox-JS=pW_A@mail.gmail.com> <m1wn7gd1ms.fsf@narrans.de> <CADZyTkkGfE2+SOwO-U40-iN3PnH2Cm7aoodDVxyp_rA-_iO8uw@mail.gmail.com> <CADZyTkmNYX4uzhYVChE8f7zQGdUPR2oD6qP7nLuVoeoStEnjJA@mail.gmail.com> <CADZyTk=sSTSB3Gio4AWvAsySnYARh_=LWb_3z2MTmYLv_hVcTw@mail.gmail.com> <CADyWQ+E3aJ67rJVAk=c_Ziv5WWTQDuq3rf7TEcMXYfqzC8mTSQ@mail.gmail.com>
In-Reply-To: <CADyWQ+E3aJ67rJVAk=c_Ziv5WWTQDuq3rf7TEcMXYfqzC8mTSQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 24 Jan 2023 20:56:51 -0500
Message-ID: <CADZyTkngg314Yfjmd1WqouSFr7pQNDPUfW_9o-8g+KFbHS_xNA@mail.gmail.com>
To: Tim Wicinski <tjw.ietf@gmail.com>
Cc: Florian Obser <florian+ietf@narrans.de>, dnsop@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d464c105f30cf271"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2i4_ols_NxjG9pIey-Fw1HMok9A>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jan 2023 01:57:07 -0000

ok, I just posted the 02 version.

Yours,
Daniel

On Tue, Jan 24, 2023 at 2:28 PM Tim Wicinski <tjw.ietf@gmail.com> wrote:

> Thanks Daniel.   We've been  waiting for your updated draft.
>
> tim
>
>
> On Tue, Jan 24, 2023 at 10:14 AM Daniel Migault <mglt.ietf@gmail.com>
> wrote:
>
>> Hi,
>>
>> If you think I have addressed all comments I received, if you believe
>> that is not the case or if there are other comments, please let me know.
>> Otherwise I expect to publish a new version by the end of the week.
>>
>> Yours,
>> Daniel
>>
>> On Fri, Jan 13, 2023 at 5:21 PM Daniel Migault <mglt.ietf@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I am just wondering if you have any further comments or thoughts or we
>>> declare your concerns being addressed. If you think we are fine, just let
>>> me know.
>>>
>>> Yours,
>>> Daniel
>>>
>>> On Tue, Jan 3, 2023 at 7:14 PM Daniel Migault <mglt.ietf@gmail.com>
>>> wrote:
>>>
>>>> Hi Vladimir and Florian,
>>>>
>>>> Thanks for the comment regarding the use of 5011, to update the
>>>> trust anchors. There are two situations where TAs need to be updated:
>>>> * 1) configuration so the server instances are started with
>>>> the up-to-date TA.
>>>> * 2) a running resolver instance that has been started with the old TA
>>>> and that needs a new TA to be considered.
>>>>
>>>> 1) configuration:
>>>>
>>>> TA trust store is an essential element of the configuration, and the
>>>> document recommends having a special process to ensure every new resolver
>>>> instance starts with the  up-to-date TAs. TAs are so essential in the
>>>> elaboration of trust that special care must be considered.  This means that
>>>> you need a robust mechanism to update the TAs trust store.
>>>> Many DRO will not implement that process and instead rely on software
>>>> updates to delegate the TA trust store update to the software vendor.
>>>> If the DRO is willing to have a *special/specific* additional TA that
>>>> is not updated delegated to the software vendor, the DRO will have to put
>>>> in place such a mechanism. This is a critical operation and the DRO must
>>>> have strong reasons to do so and must balance the additional operational
>>>> risks versus the additional benefits.
>>>> Given the essential aspect of the TA trust store, we recommend updates
>>>> to be handled by an automated process (as opposed to manually being
>>>> performed) BUT we also recommend the process to be manually supervised,
>>>> that is with a manual confirmation.
>>>> This mechanism is likely to require a specific relation between the DRO
>>>> and the TA issuer with potentially the mechanism, being out-of band. To
>>>> that point 5011 is probably not the best choice as mentioned by 5011 itself
>>>> in section 8.3.
>>>>
>>>> 2) running servers
>>>>
>>>> For running resolvers, there is a need to ensure that the resolver is
>>>> using the up-to-date TA. For this we recommend to follow 5011 that
>>>> indicates how to automatically put significant trust into the newly
>>>> published DNSKEY. On the other hand, if resolvers are retarted every days
>>>> we may not need to have 5011 and monitor the roll over. I think that is the
>>>> purpose of your comment.
>>>>
>>>> My impression is that there were some confusions in the text where 5011
>>>> was used. When it is limited to the running resolver, I would
>>>> recommend enabling 5011 when the TA signer implements 5011 in case the
>>>> software is not updated in a timely manner - or at least let the DRO decide
>>>> whether it is willing to enable this option as a sort of insurance - even
>>>> if it is relying on the software update as a general mechanism. I think it
>>>> might be a bit different from what you proposed initially, which is to
>>>> leave that to DRO with DNSSEC strong expertise and recommend to
>>>> only stay with software updates. If there are any strong feelings on just
>>>> relying on software updates and leaving 5011 to DNSSEC experts, I am also
>>>> fine to push toward such a direction.
>>>>
>>>> I updated the text as follows:
>>>> * clarifying TA updates for configuration versus running instances
>>>> * clarifying 5011 dot not apply for updating configuration - at least
>>>> as a primary mechanism
>>>> * emphasize that the non default model is only recommended for DRO with
>>>> DNSSEC expertise
>>>> * adding that TA update for running resolver may be performed also by
>>>> software update under the condition the DRO is likely to ensure a very
>>>> recent release is run.
>>>> * add a recommendation that when 5011 is used, the signer needs to
>>>> implement 5011 timings.
>>>>
>>>> The changes can be seen there:
>>>>
>>>> https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/commit/dbb75b72a1806520ac77cf04424b0f6de0df29b5
>>>>
>>>> Yours,
>>>> Daniel
>>>>
>>>> On Sun, Nov 27, 2022 at 7:26 AM Florian Obser <florian+ietf@narrans.de>
>>>> wrote:
>>>>
>>>>> On 2022-11-25 12:26 -05, Daniel Migault <mglt.ietf@gmail.com> wrote:
>>>>> > On Wed, Nov 23, 2022 at 10:29 AM Vladimír Čunát <
>>>>> vladimir.cunat+ietf@nic.cz>
>>>>> > wrote:
>>>>> >> I am surprised  you would not recommend RFC 5011
>>>>> >>
>>>>> >> 5011 needs persistent state, a thing that resolvers/validators
>>>>> often don't
>>>>> >> need at all otherwise (cache is safe to delete).  5011 doesn't
>>>>> always work,
>>>>> >> so you need to combine with some fallback mechanism(s) anyway - for
>>>>> new
>>>>> >> installations and for stale ones (missed rotation).  Root rollover
>>>>> has
>>>>> >> happened only once in history, non-root TAs aren't that common, and
>>>>> 5011
>>>>> >> algorithm isn't very simple, so the code can easily get some bugs
>>>>> without
>>>>> >> anyone noticing until it's too late.
>>>>> >>
>>>>> >> Lots of down-sides, so I rather put the TAs into SW updates, for
>>>>> the root
>>>>> >> TA case at least.  I'd recommend trying to avoid non-root TAs, but
>>>>> if I had
>>>>> >> to choose, I'd put them into configuration.  Again a thing that I
>>>>> have to
>>>>> >> provision *anyway*, so I get the occasional TA updates basically
>>>>> for free,
>>>>> >> without needing to worry about those 5011 disadvantages.
>>>>> (occasional =
>>>>> >> 5011 defaults to requiring 30 days of overlap)
>>>>> >>
>>>>> >>
>>>>> > Oh! sure for the TA. My understanding of the text is that it
>>>>> recommends
>>>>> > 5011 for running instances, but that new instances are configured
>>>>> with
>>>>> > up-to-date TA that in most cases are updated by software update. So
>>>>> yes I
>>>>> > agree and will check this appears clearly.
>>>>>
>>>>> Another issue with 5011 is that it needs cooperation from the entity
>>>>> signing the zone during a KSK rollover. 7583 spells this out in section
>>>>> 2.2. I think Vladimír is hinting at this already, I'd say it should be
>>>>> spelled out. Especially since this is aimed at non-DNSSEC-Experts as
>>>>> you
>>>>> were saying earlier in the thread.
>>>>>
>>>>> If a DRO unilaterally decides to put in a TA for example.com as
>>>>> suggested in section 7.1.1 and using 5011 this will not end well if
>>>>> they
>>>>> don't tell the people operating the signer. They will probably not
>>>>> follow the correct timing during a KSK roll.
>>>>>
>>>>
>>>>
>>>> --
>>>> Daniel Migault
>>>> Ericsson
>>>>
>>>
>>>
>>> --
>>> Daniel Migault
>>> Ericsson
>>>
>>
>>
>> --
>> Daniel Migault
>> Ericsson
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>

-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email