IETF Logo Mail Archive

Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

Alex Bligh <alex@alex.org.uk> Fri, 22 January 2010 20:31 UTC

Return-Path: <alex@alex.org.uk>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AFFE23A6944 for <dnsop@core3.amsl.com>; Fri, 22 Jan 2010 12:31:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9qgQ46bIvi5d for <dnsop@core3.amsl.com>; Fri, 22 Jan 2010 12:31:19 -0800 (PST)
Received: from mail.avalus.com (mail.avalus.com [89.16.176.221]) by core3.amsl.com (Postfix) with ESMTP id 329603A6837 for <dnsop@ietf.org>; Fri, 22 Jan 2010 12:31:18 -0800 (PST)
Received: from [192.168.100.124] (87-194-71-186.bethere.co.uk [87.194.71.186]) by mail.avalus.com (Postfix) with ESMTPSA id 91018C563AD; Fri, 22 Jan 2010 20:31:13 +0000 (GMT)
Date: Fri, 22 Jan 2010 20:31:12 +0000
From: Alex Bligh <alex@alex.org.uk>
To: Paul Wouters <paul@xelerance.com>
Message-ID: <D6C3D7B5FE44C580F05A1673@nimrod.local>
In-Reply-To: <alpine.LFD.1.10.1001221446090.24208@newtla.xelerance.com>
References: <200904282021.n3SKL3sg051528@givry.fdupont.fr> <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl> <alpine.LFD.1.10.1001211245180.12114@newtla.xelerance.com> <1AEAE091-2EB3-41DC-A51B-8DD49C10FAD5@NLnetLabs.nl> <24C8A8E2A81760E31D4CDE4A@Ximines.local> <alpine.LFD.1.10.1001221446090.24208@newtla.xelerance.com>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: dnsop WG <dnsop@ietf.org>, Alex Bligh <alex@alex.org.uk>
Subject: Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Alex Bligh <alex@alex.org.uk>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2010 20:31:20 -0000

Paul,

--On 22 January 2010 14:51:38 -0500 Paul Wouters <paul@xelerance.com> wrote:

>>> the NSEC3 RR chain. Therefor, Opt-Out should be avoided if possible.
>>
>> 1. Therefor*e*
>>
>> 2. I don't think the last sentence follows from the foregoing, in that
>>  this behaviour is desirable for the zone operator! (I know what
>>  you mean).
>>
>> 3. Aside from that, I don't think an injunction to avoid Opt-Out in
>>  these terms is sensible in a delegation only zone. In such a zone,
>>  I don't really see the additional security risk from opt out across
>>  insecure delegations, given if a spoof can be done, it can be
>>  done at the delegated zone level.
>
> If I secure example.org, and .org is signed, OPT-OUT might cause a spoofed
> exemple.org to not be caught by the user's validating resolver. Therefor,
> I do think opt-out should be avoided when possible.

If I run .org, which is signed, but example.org is NOT signed (i.e.
is an unsigned delegation), there seems to be little reason to avoid opt out
across it. Whilst it might be harder to spoof the absence or existence
of the delegation, I can still spoof the contents (or absence of
contents) in example.org. So, whilst opt-out should be avoided
across intervals containing secure delegations, I see no reason
to avoid it across intervals that don't contain secure delegations.

>>  There are considerable operational
>>  advantages in Opt Out (zone size, cryptographic complexity etc.)
>
> I understand zone size, though I don't understand "cryptographic
> complexity".
> Having different "security values" attached to data within the same zone
> seems
> more complex to me, not less complex?

I meant computational resource requirements resultant from crypto
operations, not algorithmic complexity.

The owner names in NSEC3 RRs are cryptographic hashes of the original owner
name. Assume you have a delegation only zone consisting of sparse secure
delegations amongst many insecure delegations. If you are using NSEC3 at
all, using opt-out substantially reduces the number of NSEC3 records (since
many insecure delegations will cluster together within the opt-out
interval) and thus the length of the NSEC3 chain, and hence reduce the
number of cryptographic hash calculations. Similarly the zone itself is
smaller, so less work to sign. The situation is exacerbated where the
insecure delegations are volatile.


It might be worth mentioning (but is perhaps blindingly obvious) that
NSEC3 is substantially more complex in terms of implementation than
NSEC. Whilst one can by visual inspection spot the odd problem with
a small zone's NSEC chain, it's far harder with NSEC3. Obviously, if
a tool chain is used to NSECify and sign the zone, that's a problem
for the implementor rather than the operator.

-- 
Alex Bligh

v2.23.0 | Report a Bug | By Email