Re: [DNSOP] I-D Action: draft-ietf-dnsop-kskroll-sentinel-03.txt

Geoff Huston <gih@apnic.net> Tue, 06 March 2018 00:05 UTC

From: Geoff Huston <gih@apnic.net>
In-Reply-To: <2C0BDA4D-E1E4-48A1-AB54-EFF31F55EB7E@verisign.com>
Date: Tue, 6 Mar 2018 11:05:10 +1100
Cc: dnsop <dnsop@ietf.org>
Message-Id: <DE4E39D1-DD65-44C7-9120-3C155D460BDC@apnic.net>
To: "Wessels, Duane" <dwessels@verisign.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2lXw_kqxWRTsTDTQ2hJmvmbOunQ>


> On 6 Mar 2018, at 9:31 am, Wessels, Duane <dwessels@verisign.com> wrote:
> 
> 
>> On Mar 3, 2018, at 2:32 PM, Geoff Huston <gih@apnic.net> wrote:
>> 
>> I guess that the knowledge that resolver X trusts a key with a hash value of Y does not leave me much the wiser in terms of exploitable knowledge about the (in)security of that resolver.
> 
> If there is a key or algorithm compromise for key Y then that seems like useful information to an attacker.
> 
> 


Good point - thanks for pointing it out. There are many dangers in a compromised KSK DNSKEY when resolvers still trust the key, and the sentinel approach could be used. I don't think this is a show-stopper, but it is useful to be explicit about the risks here.


>> 
>> 
>> Aren’t we getting into issues of DNS privacy here rather than the sentinel per se? It's not as if the sentinel process calls for any change in the DNS query response mechanism. There is no forking off information to third parties in any form in this draft - the user agent asks a particular query form to its DNS resolvers and the user agent will get a response. As far as I can tell, in the same way that the DNS itself admits third parties to look over the shoulder of DNS transactions in every other DNS query and response, this is no different as far as I can tell.  And in the same way as various DNS privacy mechanisms make it harder for third parties to eavesdrop on user activity, this is no different, and the user agent can take the same measures to attempt to increase the eavesdropping degree of difficulty on sentinel queries as much as any other DNS query that the user agent may make.
>> 
>> It seems I must be missing something here that has triggered your concerns Duane - could you explain them in a little more detail?
> 
> 
> No, I wasn't thinking of eavesdropping.  I'm thinking whatever Geoff can do, a motivated nation state can just as easily do.  For example...
> 
> The country of Freedonia decides it doesn't trust the ICANN-controlled Internet and goes off and builds its own root server system and signs its version of the root zone with its own set of DNSSEC keys.  Persons and organizations operating in Freedonia are required to install this trust anchor and remove the IANA trust anchor.  kskroll sentinel provides a way for Freedonia to monitor compliance with this policy.  They can use known techniques (ads, embedded javascript, unique URL hostnames) to learn which keys are in the trust anchor set for resolvers/devices within (and even outside) its realm.
> 

I wonder if this is just a sentinel issue or a more generic issue? It seems like this information could be revealed in a number of ways, and it does not exclusively need a sentinel function in resolvers. For example, if researcher Duane sets up a test zone in Freedonia and sets up validly and invalidly signed domain names within the Freedonia name realm, then couldn’t an ad-based large scale test reveal this information anyway without recourse to a sentinel? Endpoints outside Freedonia would presumably see two invalidly signed names, while folk within the realm would see the validly signed one and not the other. I.e. the sentinel approach would not be the only way to expose this information.

So yes, this is a risk, but in this case it's not a risk that is exclusively triggered by this sentinel behaviour, as it would be visible in a number of ways, as far as I can tell.

Geoff