Re: [DNSOP] fragile dnssec, was Fwd: New Version

Petr Špaček <petr.spacek@nic.cz> Thu, 17 August 2017 07:39 UTC

To: dnsop@ietf.org
References: <20170816230917.4475.qmail@ary.lan>
From: Petr Špaček <petr.spacek@nic.cz>
Organization: CZ.NIC
Message-ID: <272dc071-c650-220c-3528-acb9467c706b@nic.cz>
Date: Thu, 17 Aug 2017 09:39:49 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4Ni3Tl6PR5VjeWgSTF6GRmnlo78>
Subject: Re: [DNSOP] fragile dnssec, was Fwd: New Version


On 17.8.2017 01:09, John Levine wrote:
> In article <20170816071920.BA2C98287EA4@rock.dv.isc.org> you write:
>>> A colleague says "If TLDs allowed UPDATE messages to be processed most
>>> of the issues with DNSSEC would go away. At the moment we have a whole
>>> series of kludges because people are scared of signed update messages."
> 
> Someone is wildly overoptimistic.  

Or maybe not. The CZ registry is now getting CDNSKEY from unsigned domains
and uses the obtained value to derive the parent-side DS. This allows even
third parties running DNS for the domain owner (e.g. Cloudflare) to
DNSSEC-sign domains with no action required from the domain owner.

Yes, someone might try to attack a domain using this. To lower the
probability of this kind of attack, CZ.NIC is nagging the technical
contact for one week before the DS gets installed into the CZ zone.

For further details please see
https://en.blog.nic.cz/2017/06/21/lets-make-dns-great-again/

We will see how it goes.

-- 
Petr Špaček  @  CZ.NIC
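How a registry turns a polled CDNSKEY into the parent-side DS, as an added example (not code from this thread or from CZ.NIC): it builds the DNSKEY RDATA, computes the RFC 4034 key tag and the DS digest over the canonical owner name, recognises the RFC 8078 "delete DS" signal, and checks that the CDNSKEY set stayed the same across every poll of the waiting period. The owner name and key bytes are constructed placeholders, and `stable_over_polls` is a hypothetical helper standing in for the one-week nagging window.

```python
"""Derive a parent-side DS from a child's CDNSKEY (RFC 7344 / RFC 8078).

Added example; the owner name and key material are constructed placeholders.
"""
import base64
import hashlib
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types 2 and 4

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire form, as the DS hash requires."""
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: even bytes weighted by 256, then 16-bit fold."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def cdnskey_to_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return DS presentation text, or None for the RFC 8078 'delete DS' CDNSKEY."""
    if (flags, protocol, algorithm, pubkey_b64) == (0, 3, 0, "AA=="):
        return None  # child asked the parent to remove its DS, not to install one
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    name = owner.rstrip(".").lower()
    return f"{name}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def stable_over_polls(polls):
    """True only if every poll in the waiting period saw the same CDNSKEY set."""
    return len(polls) > 0 and all(set(p) == set(polls[0]) for p in polls)

if __name__ == "__main__":
    KEY = (257, 3, 13, "AQIDBA==")  # constructed SEP key with 4 dummy key bytes
    print(cdnskey_to_ds("Example.CZ.", *KEY))
```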