Re: [DNSOP] watching for signature expiration in zones you don't sign
Edward Lewis <Ed.Lewis@neustar.biz> Thu, 02 June 2011 16:23 UTC
Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51DB6E06FD for <dnsop@ietfa.amsl.com>; Thu, 2 Jun 2011 09:23:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.522
X-Spam-Level:
X-Spam-Status: No, score=-106.522 tagged_above=-999 required=5 tests=[AWL=0.077, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1datR7j5lWTp for <dnsop@ietfa.amsl.com>; Thu, 2 Jun 2011 09:22:58 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id 43D4AE06CC for <dnsop@ietf.org>; Thu, 2 Jun 2011 09:22:58 -0700 (PDT)
Received: from Work-Laptop-2.local (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p52GMrWY060694; Thu, 2 Jun 2011 12:22:54 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Received: from [10.31.204.168] by Work-Laptop-2.local (PGP Universal service); Thu, 02 Jun 2011 12:22:55 -0400
X-PGP-Universal: processed; by Work-Laptop-2.local on Thu, 02 Jun 2011 12:22:55 -0400
Mime-Version: 1.0
Message-Id: <a06240802ca0d637ec710@[10.31.204.168]>
In-Reply-To: <4DE7AFB8.6070106@ogud.com>
References: <FF1F118A-F5A8-4C62-8840-72BEE131BF9A@hopcount.ca> <F3F4A1E6-649A-47FB-8863-161C0B3B32B1@bondis.org> <5C4DD6B9-F6A8-4B79-83EA-E2A2AEB9F071@hopcount.ca> <05B243F724B2284986522B6ACD0504D7F84FF26D9F@EXVPMBX100-1.exc.icann.org> <4DE7AFB8.6070106@ogud.com>
Date: Thu, 02 Jun 2011 12:22:42 -0400
To: Olafur Gudmundsson <ogud@ogud.com>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] watching for signature expiration in zones you don't sign
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2011 16:23:00 -0000
Time is a pain in the neck. Conversations over the meaning of timers and time fields have gone on for a long time. Keep in mind the difference between absolute (or wall clock) time and relative time. The latter is even stickier because the time may be relative to an event that is local and not even zone-wide. What timers are used to do is to govern different, often orthogonal operations and events in the DNS system. The TTL is there to govern freshness of cached records in a server. The SOA timers are there to govern the freshness of a copy of a zone in a slave server. Authority (only) servers have no notion of time and we've made strides to keep it that way. (At least in the protocol.) DNSSEC came along with absolute time. That is a novelty of the extensions. The time was used to do two things - protect the cryptographic relevance of the signature and to limit the impact of replay attempts. Along the way many have confused the meaning of the timers. TTL trimming to the signature expiration is one abuse, arguably one that makes sense. In the purity of the protocol it doesn't but given operational realities that there may be a forced downstream validator that needs this trimming to be done. At 11:43 -0400 6/2/11, Olafur Gudmundsson wrote: >Strictly speaking from a protocol point of view any signature that expires >before (zone expiry + RR TTL) is a potential validation failure. The signature expiration is in absolute time. Zone expiry (and refresh/retry) is a relative time. TTL is also a relative time. Whether the signature expiration time will arrive before the expiration of the zone or the cache entry is a question relative to the time you ask. The base time for, say zone expiry, is relative to the slave server and is not revealed via the protocol. And it is server specific, not zone specific! So - there's no way to determine if "any signature ... expires before" zone expiry or RR TTL. >Any Signature that expires before corresponding TTL is a likely validation >failure if there is a non DNSSEC validating cache in the path. What do you mean by "in the path"? There's no protocol error in shipping an expired signature. It's up to the receiver to decide if that matters. We stopped requiring zone loading to check signatures like 10 years ago. >Any Signature that has expired is bad. http://tools.ietf.org/html/draft-wijngaards-dnsop-trust-history-02 says differently. >The issue is that many zone owners do not >a) Do not know how long it takes to distribute their modified zone to all >the servers in the NS set. (frequent assumption is 0 seconds) >b) Forget about the possible impact of zone expiry when secondary server >can not reach distribution server. >c) Forget about maximum TTL in zone I'm not sure where you are going here - but C isn't a problem in caches that do TTL trimming. A & B aren't limited to being DNSSEC issues. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 Now, don't say I'm always complaining. Wait, that's a complaint, isn't it?
- [DNSOP] watching for signature expiration in zone… Joe Abley
- Re: [DNSOP] watching for signature expiration in … João Damas
- Re: [DNSOP] watching for signature expiration in … Joe Abley
- Re: [DNSOP] watching for signature expiration in … Tony Finch
- Re: [DNSOP] watching for signature expiration in … Edward Lewis
- Re: [DNSOP] watching for signature expiration in … Tony Finch
- Re: [DNSOP] watching for signature expiration in … Jim Reid
- Re: [DNSOP] watching for signature expiration in … Tony Finch
- Re: [DNSOP] watching for signature expiration in … Jim Reid
- Re: [DNSOP] watching for signature expiration in … Richard Lamb
- Re: [DNSOP] watching for signature expiration in … Paul Hoffman
- Re: [DNSOP] watching for signature expiration in … Olafur Gudmundsson
- Re: [DNSOP] watching for signature expiration in … Edward Lewis
- Re: [DNSOP] watching for signature expiration in … Richard Lamb
- Re: [DNSOP] watching for signature expiration in … David Conrad
- Re: [DNSOP] watching for signature expiration in … Marc Lampo
- Re: [DNSOP] watching for signature expiration in … Marc Lampo
- Re: [DNSOP] watching for signature expiration in … João Damas