[DNSOP] Do we need new draft that recommends number limits ?

Kazunori Fujiwara <fujiwara@jprs.co.jp> Tue, 12 March 2024 08:19 UTC

Date: Tue, 12 Mar 2024 17:19:04 +0900
Message-Id: <20240312.171904.558689864486146903.fujiwara@jprs.co.jp>
To: dnsop@ietf.org
From: Kazunori Fujiwara <fujiwara@jprs.co.jp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8M8EXWbPbm3jY_6stvlZGdPffNE>

With DNS, there are several things to consider, such as the number of
items and the number of repetitions that can complicate name resolution
or cause DoS.

For example, the number of CNAME chains or the number of chains of
"unrelated" name server names is not limited. (Each implementation sets
its own limit.)

"KeyTrap" also seems to be caused by the configuration of a large
number of DNSKEY RRs and RRSIG RRs in one domain name.

For example,

- Number of CNAME chains
- Number of "unrelated" name server name resolutions (hard to write)
- Number of NS RRs in each delegation
- Number of RRs in one RRSet
- Number of RRSIG RRs in one RRSet
- Number of DNSKEY RRs in one domain name

The DNSOP WG limited NSEC3 parameters in RFC 9276; beyond those limits,
DNSSEC validation is not required.

Then we can write new recommendations that limit these numbers; if a
limit is exceeded, the result might be a name resolution error or no
validation.

Rather than writing a draft for each limitation,
I think it would be better to compile them all into one draft.

--
Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>
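The kind of resolver-side check the message proposes, as an added example that is not part of the original post and not code from any DNS implementation: a constructed answer section is modelled as (owner, type, rdata) tuples, the CNAME chain is walked with a hop limit and loop detection, per-RRset counts are compared against limits, and the outcome is mapped to either a resolution error or "return the answer unvalidated". The limit values, the record names, and the split into those two outcomes are all assumptions chosen for illustration, not numbers or policy from any RFC or draft.

```python
"""Added example (not from the original message or from any resolver):
sanity limits of the kind the message proposes, applied to a constructed
answer section.  All limit values, names and the two policy outcomes
are assumptions for illustration only."""
from collections import Counter

# Assumed limits; illustrative only, not from any RFC or draft.
LIMITS = {
    "cname_chain": 8,         # max CNAME hops followed for one query
    "ns_per_delegation": 13,  # max NS RRs accepted in one delegation
    "rrs_per_rrset": 100,     # max RRs in one RRset
    "rrsig_per_rrset": 4,     # max RRSIG RRs covering one RRset
    "dnskey_per_name": 8,     # max DNSKEY RRs at one owner name
}

# Records are (owner, type, rdata) tuples; for RRSIG, rdata is the
# covered type.  Real code would work on wire-format RRs; this is a model.

def follow_cname_chain(records, qname, limit=LIMITS["cname_chain"]):
    """Return (final_name, hops); raise ValueError on a loop or when
    more than `limit` CNAME hops would be needed."""
    cnames = {o.lower(): r.lower() for o, t, r in records if t == "CNAME"}
    name, hops, seen = qname.lower(), 0, set()
    while name in cnames:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        hops += 1
        if hops > limit:
            raise ValueError(f"CNAME chain exceeds {limit} hops")
        name = cnames[name]
    return name, hops

def rrset_violations(records, limits=LIMITS):
    """List every per-RRset count that exceeds the assumed limits."""
    out = []
    sizes = Counter((o.lower(), t) for o, t, _ in records if t != "RRSIG")
    sigs = Counter((o.lower(), r.upper()) for o, t, r in records if t == "RRSIG")
    for (owner, rtype), n in sizes.items():
        if n > limits["rrs_per_rrset"]:
            out.append(("rrs_per_rrset", owner, rtype, n))
        if rtype == "NS" and n > limits["ns_per_delegation"]:
            out.append(("ns_per_delegation", owner, rtype, n))
        if rtype == "DNSKEY" and n > limits["dnskey_per_name"]:
            out.append(("dnskey_per_name", owner, rtype, n))
    for (owner, covered), n in sigs.items():
        if n > limits["rrsig_per_rrset"]:
            out.append(("rrsig_per_rrset", owner, covered, n))
    return out

# Assumed policy: limits that affect resolution itself cause an error
# (SERVFAIL); limits that only bound DNSSEC validation cost cause the
# answer to be returned without validation ("unvalidated").
RESOLUTION_LIMITS = {"ns_per_delegation", "rrs_per_rrset"}

def classify_answer(records, qname, limits=LIMITS):
    """Return 'ok', 'servfail' or 'unvalidated' for an answer section."""
    try:
        follow_cname_chain(records, qname, limits["cname_chain"])
    except ValueError:
        return "servfail"
    kinds = {v[0] for v in rrset_violations(records, limits)}
    if kinds & RESOLUTION_LIMITS:
        return "servfail"
    if kinds:
        return "unvalidated"
    return "ok"

# Constructed sample answers (not real DNS data).
NORMAL = [
    ("www.example.", "CNAME", "cdn.example."),
    ("cdn.example.", "A", "192.0.2.1"),
    ("cdn.example.", "RRSIG", "A"),
]
# KeyTrap-like shape: many DNSKEYs and many RRSIGs over one RRset.
KEYTRAP_LIKE = (
    [("example.", "DNSKEY", f"key{i}") for i in range(50)]
    + [("example.", "RRSIG", "DNSKEY") for _ in range(50)]
)
CNAME_LOOP = [
    ("a.example.", "CNAME", "b.example."),
    ("b.example.", "CNAME", "a.example."),
]

if __name__ == "__main__":
    for label, recs, q in [("normal", NORMAL, "www.example."),
                           ("keytrap-like", KEYTRAP_LIKE, "example."),
                           ("cname-loop", CNAME_LOOP, "a.example.")]:
        print(label, classify_answer(recs, q))
```

The split between "servfail" and "unvalidated" is the design point worth arguing over: a CNAME loop or an oversized delegation leaves the resolver with nothing useful to return, while an oversized DNSKEY or RRSIG set only makes validation expensive, so the answer can still be served as unvalidated without giving the zone owner a way to turn a misconfiguration into a resolver outage.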