IETF Logo Mail Archive

Re: [DNSOP] watching for signature expiration in zones you don't sign

Edward Lewis <Ed.Lewis@neustar.biz> Thu, 02 June 2011 16:23 UTC

Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51DB6E06FD for <dnsop@ietfa.amsl.com>; Thu, 2 Jun 2011 09:23:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.522
X-Spam-Level:
X-Spam-Status: No, score=-106.522 tagged_above=-999 required=5 tests=[AWL=0.077, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1datR7j5lWTp for <dnsop@ietfa.amsl.com>; Thu, 2 Jun 2011 09:22:58 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id 43D4AE06CC for <dnsop@ietf.org>; Thu, 2 Jun 2011 09:22:58 -0700 (PDT)
Received: from Work-Laptop-2.local (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p52GMrWY060694; Thu, 2 Jun 2011 12:22:54 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Received: from [10.31.204.168] by Work-Laptop-2.local (PGP Universal service); Thu, 02 Jun 2011 12:22:55 -0400
X-PGP-Universal: processed; by Work-Laptop-2.local on Thu, 02 Jun 2011 12:22:55 -0400
Mime-Version: 1.0
Message-Id: <a06240802ca0d637ec710@[10.31.204.168]>
In-Reply-To: <4DE7AFB8.6070106@ogud.com>
References: <FF1F118A-F5A8-4C62-8840-72BEE131BF9A@hopcount.ca> <F3F4A1E6-649A-47FB-8863-161C0B3B32B1@bondis.org> <5C4DD6B9-F6A8-4B79-83EA-E2A2AEB9F071@hopcount.ca> <05B243F724B2284986522B6ACD0504D7F84FF26D9F@EXVPMBX100-1.exc.icann.org> <4DE7AFB8.6070106@ogud.com>
Date: Thu, 02 Jun 2011 12:22:42 -0400
To: Olafur Gudmundsson <ogud@ogud.com>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] watching for signature expiration in zones you don't sign
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2011 16:23:00 -0000

Time is a pain in the neck.  Conversations over the meaning of timers 
and time fields have gone on for a long time.

Keep in mind the difference between absolute (or wall clock) time and 
relative time.  The latter is even stickier because the time may be 
relative to an event that is local and not even zone-wide.

What timers are used to do is to govern different, often orthogonal 
operations and events in the DNS system.  The TTL is there to govern 
freshness of cached records in a server.  The SOA timers are there to 
govern the freshness of a copy of a zone in a slave server. 
Authority (only) servers have no notion of time and we've made 
strides to keep it that way.  (At least in the protocol.)

DNSSEC came along with absolute time.  That is a novelty of the 
extensions.  The time was used to do two things - protect the 
cryptographic relevance of the signature and to limit the impact of 
replay attempts.

Along the way many have confused the meaning of the timers.  TTL 
trimming to the signature expiration is one abuse, arguably one that 
makes sense.  In the purity of the protocol it doesn't but given 
operational realities that there may be a forced downstream validator 
that needs this trimming to be done.

At 11:43 -0400 6/2/11, Olafur Gudmundsson wrote:

>Strictly speaking from a protocol point of view any signature that expires
>before (zone expiry + RR TTL) is a potential validation failure.

The signature expiration is in absolute time.  Zone expiry (and 
refresh/retry) is a relative time.  TTL is also a relative time.

Whether the signature expiration time will arrive before the 
expiration of the zone or the cache entry is a question relative to 
the time you ask.

The base time for, say zone expiry, is relative to the slave server 
and is not revealed via the protocol.  And it is server specific, not 
zone specific!

So - there's no way to determine if "any signature ... expires 
before" zone expiry or RR TTL.

>Any Signature that expires before corresponding TTL is a likely validation
>failure if there is a non DNSSEC validating cache in the path.

What do you mean by "in the path"?

There's no protocol error in shipping an expired signature.  It's up 
to the receiver to decide if that matters.  We stopped requiring zone 
loading to check signatures like 10 years ago.

>Any Signature that has expired is bad.

http://tools.ietf.org/html/draft-wijngaards-dnsop-trust-history-02 
says differently.

>The issue is that many zone owners do not

>a) Do not know how long it takes to distribute their modified zone to all
>the servers in the NS set. (frequent assumption is 0 seconds)

>b) Forget about the possible impact of zone expiry when secondary server
>can not reach distribution server.

>c) Forget about maximum TTL in zone

I'm not sure where you are going here - but C isn't a problem in 
caches that do TTL trimming.   A & B aren't limited to being DNSSEC 
issues.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Now, don't say I'm always complaining.
Wait, that's a complaint, isn't it?

v2.23.0 | Report a Bug | By Email