IETF Logo Mail Archive

Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

Ben Schwartz <bemasc@google.com> Wed, 06 January 2021 21:59 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFF333A1318 for <dnsop@ietfa.amsl.com>; Wed, 6 Jan 2021 13:59:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.972
X-Spam-Level:
X-Spam-Status: No, score=-17.972 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.373, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dsTeveR7u80p for <dnsop@ietfa.amsl.com>; Wed, 6 Jan 2021 13:59:42 -0800 (PST)
Received: from mail-il1-x134.google.com (mail-il1-x134.google.com [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CA733A1315 for <dnsop@ietf.org>; Wed, 6 Jan 2021 13:59:42 -0800 (PST)
Received: by mail-il1-x134.google.com with SMTP id w17so4675795ilj.8 for <dnsop@ietf.org>; Wed, 06 Jan 2021 13:59:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=yZ/e/sfd2T4/tYLXDxhsvgxaQIfYVepbSoevRPBVM+U=; b=SEZqwqulpf9/Hg/zdfyONY1gmWpA5BrzseBVt2EH1+uDOVwMkFNEeIlvOnyDNtKqAW NTjS/26CcKJuqhDU7rMLHjv+SX/MN0mUsMp9s5P+pg8VzgfNPPMPCoyuLpzOKHXXc2WB Xl7wHuzJTNm382kjWHUjjH162vLhhaig+isVKpg2hkTeb5ZlY/1/4t3OR8wfl0d0xfG3 KD+PWD9INzKdaeMRb7KHz3bjyX3gWT2Fun9U6acqTluQGVBeqsFSX91xdtqyUCDeTNPu uV3MDjUG3+EumT5wlvuDT6vUHBEbGh5JBtC7FsuyGgRbjB8fWWYqXMFzZO7Eznyf1Ypn h6Dg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yZ/e/sfd2T4/tYLXDxhsvgxaQIfYVepbSoevRPBVM+U=; b=XjPUWO2MwfelMI/eqy9yF2bs6YLSDfEjfvXZgeE0u6JXz/TObaMPJDE3AKpgmKpB9P OAudoV5SwTUqx/vQwUfiakR+N4+v+PzzjGw6KsreGr7GaTz5Yqy2NbbyAD+KsVJopXpP v2kjo1u+Am02v9AfccsDCvYyudCKfDN1YwBXgfti+NTND3yRYfU/PzN0y/TPhxHa8TyW FkkkshVaHvdQTvJFQM+WqXL1lRnhiRSBVG8D8peVfn5JhYNFMSozY8i4NxrLWCk9+zkk 3IDN/0FSqJrUWKO9sMtbSG8Gx+4UU6bCQ0gclWtPSlpbGJfhi2sJtrJSr7MLFMvFvFyD u5Qg==
X-Gm-Message-State: AOAM531tBUDOXgKIn7P8kgqPR5NcvJHcap/YvE6XFr6orWID69fttSyR 3hKHjXZ30Ubem2TCu1lE6AfPK1K7fyk5OdEqQw/VdA==
X-Google-Smtp-Source: ABdhPJxvFzw3PHQRFrUKVzygQynBVoy/mmvYqwyHlc0JVdgEidRL0wPoCkGTzUg04qCQtXyxrzghGhJZaUVPtd/Ae3Q=
X-Received: by 2002:a05:6e02:1a8e:: with SMTP id k14mr6376774ilv.275.1609970381152; Wed, 06 Jan 2021 13:59:41 -0800 (PST)
MIME-Version: 1.0
References: <CADZyTkn1QuvjencR8+wVtQ9bzQHJT9JXXNku1LPr3YRmRt4KQg@mail.gmail.com> <CABcZeBMr5Muijx5V7Se1UcxTB9DbAzF1iXZb7_FzEGfw982x8w@mail.gmail.com> <65e3288d-bdfe-ff10-2fbc-63a5d2dd9508@cs.tcd.ie> <797AAE77-2D50-4189-81D8-44BA495146F5@icann.org> <546e60c6-b109-8552-dfb4-7d3ba2ecbc71@cs.tcd.ie> <E58B4013-9491-43ED-83C9-250FF7647570@icann.org> <0746397c-ed85-429c-ff6e-a4a559520e86@cs.tcd.ie> <487928351.1557.1609759876775@appsuite-gw1.open-xchange.com> <60ba1f68-b07f-7a06-539f-60ce442ffbff@cs.tcd.ie> <195eb4c7-306f-97e1-b0df-f6678ebe732@nohats.ca> <ebb27f27-a243-67cd-2b5c-d2ecea741942@cs.tcd.ie> <24505bb1-cf40-25a7-337c-9b50fedfedc1@nohats.ca> <98299ffc-056b-16ee-1929-78543f5ec6d5@cs.tcd.ie> <F66DA99B-910E-4324-895D-F617B447612F@gmail.com> <CAHbrMsAqNXENeP2AdkEs7OC+YL6_z9VU89B7mNu3qOFBc7PQ=A@mail.gmail.com> <3a914ab5-2744-cec0-bbc8-bf39ec64a051@nohats.ca> <CAHbrMsDAMsXzAhcu35_GqL54JNF2jO-HhYWEZyE2VLP=V8dN5A@mail.gmail.com> <47a8a8df-c4d8-78e-ec5e-cfdc6daea130@nohats.ca> <BE8EEAE6-A33A-41FF-908E-821FB3850422@icann.org>
In-Reply-To: <BE8EEAE6-A33A-41FF-908E-821FB3850422@icann.org>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 06 Jan 2021 16:59:29 -0500
Message-ID: <CAHbrMsCrzNAeTAw1-egP8sRAG3AUi1+nE4O=r++AV8qEvexiZA@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000b07bee05b84270bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Apua2tbyiWgcb7Zn6s7bh4tvuj8>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jan 2021 21:59:44 -0000

Paul Wouters is correct, the "validate all" behavior I'm describing is
basically Unbound's "harden-algo-downgrade".  (I don't know if it does
"validate all" or a priority list.)

My claim is that, if this were the default validator behavior, the original
debate here would largely go away.  Adding algorithms to a zone, even
algorithms that you don't really trust, would be safe, and the registry
would be less controversial.

If we applied similar logic to DNSKEY, that would solve the RSA-1024
problem.  Currently, zone owners can either publish RSA-1024 DNSKEYs (and
be vulnerable if RSA-1024 is broken, which appears imminent), or they can
_not_ publish them, and cause users who don't support their other key type
(e.g. ECDSA) to lose DNSSEC entirely.  RSA-1024 is neither sufficiently
secure for general use nor so worthless that we lose nothing if, by
dropping it, we deny DNSSEC to those users ... but those are the only
options we offer.

>  Literally any preference order
> > would be more secure than the behavior recommended in RFC 6840.
>
> Is it? Are you referring here to treating unknown (eg refused)
> algorithms as insecure?
>

No, I'm referring to marking the result as Bogus when one RRSIG tells you
so, instead of continuing down the list of RRSIGs looking for one that
validates (RFC 6840's "any single valid path").

v2.23.0 | Report a Bug | By Email