Re: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors

Edward Lewis <edward.lewis@icann.org> Wed, 01 November 2017 11:07 UTC

Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 344E413F6DE for <dnsop@ietfa.amsl.com>; Wed, 1 Nov 2017 04:07:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7YOF6cLY-PEp for <dnsop@ietfa.amsl.com>; Wed, 1 Nov 2017 04:07:51 -0700 (PDT)
Received: from out.west.pexch112.icann.org (pfe112-ca-2.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 997DD13F66C for <dnsop@ietf.org>; Wed, 1 Nov 2017 04:07:51 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Wed, 1 Nov 2017 04:07:49 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1178.000; Wed, 1 Nov 2017 04:07:49 -0700
From: Edward Lewis <edward.lewis@icann.org>
To: Paul Wouters <paul@nohats.ca>
CC: Moritz Muller <moritz.muller@sidn.nl>, =?utf-8?B?w5NsYWZ1ciBHdcOwbXVuZHNzb24=?= <olafur@cloudflare.com>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors
Thread-Index: AQHTUoHMo0gQ4Vv3GkS3sSxF5cUXoaL/06IA
Date: Wed, 1 Nov 2017 11:07:49 +0000
Message-ID: <36701057-FB2C-46DE-BC7B-23CA53D8ECB1@icann.org>
References: <121CDBC2-D68C-48EE-A56E-46C61FC21538@sidn.nl> <CAN6NTqxy4SWxsUNZyBA=1TZxdhWtVxaTDYLoA1qO2nKf202g9w@mail.gmail.com> <E94AE36A-CA69-47DB-A2B7-41D0C3644855@nohats.ca> <4678D8A8-1AA0-4684-BFD1-40C969305C49@icann.org> <alpine.LRH.2.21.1710311541090.23568@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1710311541090.23568@bofh.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.27.0.171010
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="B_3592364868_918416071"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/995lWXEpm9l1wxDBqJLOCO-9Y24>
Subject: Re: [DNSOP] [Ext] Re: Resolver behaviour with multiple trust anchors
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2017 11:07:53 -0000

On 10/31/17, 15:52, "DNSOP on behalf of Paul Wouters" <dnsop-bounces@ietf.org on behalf of paul@nohats.ca>; wrote:
>this zone can never be stolen from me by a parent.
    
Can you elaborate on this, what do you mean "stolen" by a parent?

The reason I am asking - choosing one strategy (any key, configured key rules, DS rules) is based on what one most wants to solve.  For "robustness" in the sense of most aggressively getting an answer, opting to accept any (and I'll use the word:) approved key is going to lead to more answers being validated.  "More answers" may or may not be a good thing, but the fact is that numerically, having more trusted points from which to build chains will lead to more validated answer sets.

By "approved" I mean any key that has passed muster to be a trusted key in the resolver and/or there is a chain of trust from the key set back to another trusted key.  Please don't take this as a general definition, I'm using it only within the context of this mail message and only within the confines of the protocol's technical work, not any judgement regarding legitimacy in operations.

Back to the question above, to help enumerate the scenarios in which one would opt to not trust a key that has been learned via a chain of trust in the face of a trusted key, it would help to understand what is meant by a parent "stealing" a zone.

What I am thinking is:

(Un- cut point/DS set is removed, re- cut point/DS set is changed.)

01 A child may be un-delegated by operational error at the parent.
02 A child may be un-delegated in accordance with the registration agreement.
03 A child may be un-delegated outside of the registration agreement.

04 A child may be re-delegated by operational error at the parent.
05 A child may be re-delegated in accordance with the registration agreement.
06 A child may be re-delegated outside of the registration agreement.

07 A child may be un-DSd by operational error at the parent.
08 A child may be un-DSd in accordance with the registration agreement.
09 A child may be un-DSd outside of the registration agreement.

10 A child may be re-DSd by operational error at the parent.
11 A child may be re-DSd in accordance with the registration agreement.
12 A child may be re-DSd outside of the registration agreement.

Before getting into the "why's", the impacts of cases:

01-03: Answers for the zone's data will be NXDOMAIN (once TTLs expire)
04-06: Answers will come from a different administrative authority
05-09: Answers will be accepted as Insecure unless the trust anchor is configured
10-12: Answers signed by other keys may be received

Cutting along the why's:

01,04,07,10 (Operator error) - The underlying DNS service error must be fixed, in the meantime, flexibility is desired to prevent service disruption.

02,05,08,11 (Justified change) - The issue lies above the level of DNSSEC.  By "justified change", this includes term expiration, lack of payment, failing to abide by acceptable use policy, etc.  Beyond the scope of the technology, this might even come as a result of a court order, to name a reason for this category.  In this case, the parent exerts the protocol prerogative of where it delegates names to enforce whatever policy governs.

03,06,09,12 (Unjustified change) - This would include any reason that could be seen as "corruption" of the registry operator role.  I would include all cases of "stolen" to be here, lacking a better definition of "stolen."

A dimension I haven't included is whether a validator has a trust anchor for the name in question or not.  (If not, then the issue of the conflict doesn't matter.)

The next step here is to look at the relative frequency of each case.  Mind, I'm not including child operator error in any of this (which would expand the cases).

The reason for drilling into this is the assertion that trusting configured trusted keys over the DS record is "the only workable solution".  I'm not convinced, I think that the cases in which that is the preferred option is in the minority of the failure modes.

What's in the back of my mind is that ultimately, there's still the DNS problem - the parent unilaterally controls the existence and direction of the delegation.  DNSSEC can't overcome that.  DNSSEC can only choose to be more restrictive (and thus brittle in some sense) or be as lenient as possible (for robustness in the sense of getting an answer to the query).