Re: [DNSOP] Stephen Farrell's Yes on draft-ietf-dnsop-edns-key-tag-04: (with COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 17 February 2017 01:10 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 048B5129650; Thu, 16 Feb 2017 17:10:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eOMCIkc81IAr; Thu, 16 Feb 2017 17:10:29 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDA7C129559; Thu, 16 Feb 2017 17:10:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 56996BE77; Fri, 17 Feb 2017 01:10:26 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NlByu1hcW1OI; Fri, 17 Feb 2017 01:10:25 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 892ACBE74; Fri, 17 Feb 2017 01:10:24 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1487293825; bh=P09LBwMDdtG3xN00breqOoIc7jC03yJVkuFq3x+FqcQ=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=qIXQf4zQqfRgOV0nCGWPgE9DLZNgr5iYoMfTPEsibgR+NF0UgMdTnpUgY5tAD/rD3 hM9R/3RvKw/hZjYeDRKlAynwQjQWE7EM2rOf81TIo8RFQHouNTyQJ6nypn++uZPOhW znbPpxy1c7wPAUW6pghsyYFW0tFYj6WiF+XRF6yE=
To: "Wessels, Duane" <dwessels@verisign.com>
References: <148721128491.31391.12912602191917167130.idtracker@ietfa.amsl.com> <30D3A4E8-D55D-4D5E-AB3F-28D3B0C4EF99@verisign.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <f8db9028-e3f3-fc8f-ce68-92393d5bce68@cs.tcd.ie>
Date: Fri, 17 Feb 2017 01:10:23 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <30D3A4E8-D55D-4D5E-AB3F-28D3B0C4EF99@verisign.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="864VCvAC0rwGpT1ExVNhTVw6FMA9adlph"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8ODZGxcBsP3Ts7qRckoI-dL4dAI>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, "draft-ietf-dnsop-edns-key-tag@ietf.org" <draft-ietf-dnsop-edns-key-tag@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [DNSOP] Stephen Farrell's Yes on draft-ietf-dnsop-edns-key-tag-04: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2017 01:10:31 -0000
Hiya, On 16/02/17 21:43, Wessels, Duane wrote: > > Hi Stephen, > > >> >> ---------------------------------------------------------------------- >> >> COMMENT: >> ---------------------------------------------------------------------- >> >> >> >> - abstract: referring to section 1.1 from here seems wrong, >> the abstract ought be readable by itself > > Agreed. I propose to remove that sentence and let the abstract stand > on its own. > > >> >> - section 5: Is the key tag query only and solely intended to allow >> the authoritative to track how clients are paying attention (or >> not) to key rollovers? If there's another purpose I'm not clear >> about it. > > Yes, that is the sole purpose. Do you think this needs to be made > more explicit? Up to you. It wasn't clear to me at first, but was clear when I finished reading. > > >> >> - 5.3: "I believe that to be..." seems like the wrong language to >> use with >1 author. > > Yes. This sentence was already removed from the authors' shared > source file shortly after -04 was sent out. > >> >> - section 7/8: Is there a missing security/privacy consideration >> here, in that an authoritative server here could arrange to hand >> out key tags that are specific to (in the limit) each query, so >> that when the resolver queries a sub-domain, and thereafter, the >> client will be identifiable to the authoritative server? One could >> do this by generating new keys per querier so that if I ask about >> example.com I get given a tag that's unique to me, and then some >> web content pushes me to ask about www.example.com and every time I >> do that I emit that user-specific key tag. While that'd be unlikely >> for a large zone, it might be feasible as a tracker if some "bad" >> domain sets up a specific subdomain for such purposes. That said, >> I'm not clear how much better this is for the attacker compared to >> simply using a tracking name in the authority component of the URL >> for e.g. some 1x1 gif. > > One important aspect to clarify here is that resolver shouldn't be > transmitting the key tags for every query. They are only to be sent > with or at the same time as DNSKEY queries. > > 4.2 says that the edns-key-tag option MUST NOT be sent for non-DNSKEY > queries. > > 5.2 says the need to issue a DNSKEY query is also the trigger to > issue a key tag query. > > Additionally, the document says that resolvers SHOULD transmit the > key tags for zones with configured trust anchors and MAY do so for > non-trust anchor zones. For most resolvers only the root zone would > be configured as a trust anchor. > > Lastly, there is a practical limitation here in that each unique key > given out would require a corresponding unique DS record in the > parent zone. A malicious zone operator might be able to get away > with tens of unique keys, but probably not hundreds. The one > exception to this would be if the malicious actor operated both a > parent zone and a child zone. > > Given all that, do you think it warrants a paragraph in the privacy > section? Again, up to you. The issue is fairly borderline so I won't argue if you don't wanna. S. > > > DW >
- [DNSOP] Stephen Farrell's Yes on draft-ietf-dnsop… Stephen Farrell
- Re: [DNSOP] Stephen Farrell's Yes on draft-ietf-d… Wessels, Duane
- Re: [DNSOP] Stephen Farrell's Yes on draft-ietf-d… Stephen Farrell