IETF Logo Mail Archive

Re: [DNSOP] signalling mandatory DNSSEC in the parent zone

Ulrich Wisser <ulrich@wisser.se> Tue, 02 March 2021 17:44 UTC

Return-Path: <ulrich@wisser.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04F563A07DA for <dnsop@ietfa.amsl.com>; Tue, 2 Mar 2021 09:44:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wisser.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yA21Nuxso5lF for <dnsop@ietfa.amsl.com>; Tue, 2 Mar 2021 09:44:35 -0800 (PST)
Received: from mout-p-202.mailbox.org (mout-p-202.mailbox.org [IPv6:2001:67c:2050::465:202]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1908E3A0C2E for <dnsop@ietf.org>; Tue, 2 Mar 2021 09:44:25 -0800 (PST)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:105:465:1:2:0]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4Dqkyt0QD2zQlS0; Tue, 2 Mar 2021 18:44:22 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wisser.se; s=MBO0001; t=1614707059; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=X6zCZ7rpv8TLqhqRP8H3UJUfFtjemVHh10ZGNTVmbL8=; b=OOICCmyjhQk3AggY03mGBK1e7PrNOp15Tt26hbhLtWr4AD8YAzEOPadtWqXoBDh//jq4Vl jQ+RRPHW0Wy4Zi4w28c26KaudWgO7XcaB6abSBQJh9uwWzH0DXu2M7Rjp3V92grrklt1Wg LSu5u2SSH/om9DI1EO+NAW5aGq2F5FiDH6pIHdumr/IRrER+PiaZWnWvAtD3ez5ScH5Vl5 f1l1Tb0hp1oXDBfWMXJSTiCe9dRVJlPYdxUawzDYhN40sacUSl4gQjHzyEjcMN9M2DJ8Uk uHcXlDwHx7cZNYyAmKoiyu15GpP8bte5p/PiZcm0BsTKY1QW3Nt31BNEt6HNEQ==
Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter06.heinlein-hosting.de (spamfilter06.heinlein-hosting.de [80.241.56.125]) (amavisd-new, port 10030) with ESMTP id J1i6EVZwdGC5; Tue, 2 Mar 2021 18:44:15 +0100 (CET)
From: Ulrich Wisser <ulrich@wisser.se>
Message-Id: <4F547B26-11F1-406E-BF63-054F3E23D116@wisser.se>
Content-Type: multipart/alternative; boundary="Apple-Mail=_97AD255F-4B46-4DCD-A6FE-02E6C3C3F389"
Mime-Version: 1.0
Date: Tue, 02 Mar 2021 18:44:13 +0100
In-Reply-To: <CAH1iCirdEXZUsXRvr+623vk5v10WevmYjRsY_inJPd_j2P+Atg@mail.gmail.com>
Cc: Mark Andrews <marka@isc.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>
To: Brian Dickson <brian.peter.dickson@gmail.com>
References: <20210301.205459.413147497474184552.he@uninett.no> <DE24E067-C0D3-4E26-B7FB-EF8311AE5E0A@isc.org> <5D1D786F-216A-4AD3-840E-CAFE5CA49B6C@wisser.se> <4577DCF6-9D72-4D46-90DD-F289F112E639@isc.org> <0FD37A06-9DD4-46EB-BBB9-C480155CC9F1@wisser.se> <430E9927-D129-4872-BC1D-BF1F8E924B63@isc.org> <CAH1iCirdEXZUsXRvr+623vk5v10WevmYjRsY_inJPd_j2P+Atg@mail.gmail.com>
X-MBO-SPAM-Probability: **
X-Rspamd-Score: 2.45 / 15.00 / 15.00
X-Rspamd-Queue-Id: C9E9917D5
X-Rspamd-UID: 492068
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D34YnLqIUbua9zcqG_xVuoMavd4>
Subject: Re: [DNSOP] signalling mandatory DNSSEC in the parent zone
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 17:44:38 -0000

I don’t think the dnssec specification say that a rr set has to be signed with an algorithm that is specified in the ds rr set.
The spec requires rrsigs of each algorithm to be present at the authoritative. But there is no requirement on the validation to stay with one algorithm.

What I want to accomplish is that two name server operators can move a domain between them even when they use different algorithms. With lax-validation this is possible, at least when the validator supports both algorithms.

This move would of course make the authoritatives not rfc compliant for some time.
Both authoritative would have to have a ZSK in their dnskey set that uses an algorithm for which they do not serve rrsigs.
I believe this to be a lesser problem than switching dnssec off.

/Ulrich



> On 2 Mar 2021, at 18:25, Brian Dickson <brian.peter.dickson@gmail.com> wrote:
> 
> 
> 
> On Tue, Mar 2, 2021 at 4:47 AM Mark Andrews <marka@isc.org <mailto:marka@isc.org>> wrote:
> 
> > On 2 Mar 2021, at 23:06, Ulrich Wisser <ulrich@wisser.se <mailto:ulrich@wisser.se>> wrote:
> > 
> > 
> > 
> >> On 2 Mar 2021, at 12:55, Mark Andrews <marka@isc.org <mailto:marka@isc.org>> wrote:
> >> 
> >> 
> >> 
> >>> On 2 Mar 2021, at 22:52, Ulrich Wisser <ulrich@wisser.se <mailto:ulrich@wisser.se>> wrote:
> >>> 
> >>> @Håvard No, that isn’t sufficient. A resolver could have the old DNSKEY set in cache but get signatures from the new servers. This can be solved by cross signing the ZSK -> put the ZSK of the other provider in the respective DNSKEY set, no need to exchange private keys, only the DNSKEY records. Then you will always have a validation path.
> >>> 
> >>> @Mark, that is exactly what I am talking about, a forced algorithm change can only work, when both operators cooperate and if we insist on lax-validation. We need both!
> >> 
> >> It doesn’t even work then as there the signatures of the non DNSKEY records are of the wrong algorithm.
> > 
> > Why would the signatures of the non DNSKEY RRset need to be of the same algorithm as the KSK?
> > Lax-validation says that “any validation path” should be accepted. 
> > 
> > example.com <http://example.com/>. DS 123 8 2 xxx
> > 
> > example.com <http://example.com/>. DNSKEY 257 3 8 xxx
> > Example.com. DNSKEY 256 3 8 yyy
> > example.com <http://example.com/>. DNSKEY 256 3 13 zzz
> > example.com <http://example.com/>. RRSIG DNSKEY 8 …
> > 
> > www.example.com <http://www.example.com/>. TXT “example”
> > www.example.com <http://www.example.com/>. RRSIG TXT 13 …
> > 
> > In my eyes there is a clear validation path to the www rr.
> 
> It leads to bogus in a server that *only* support algorithm 8 because THERE IS NOT AN RRSIG OF WITH ALGORITHM 8
> 
> Rather than argue about this example (which may be incomplete and/or erroneous), let's try to "fix" the example, and clarify which algorithm is new, and which algorithm is old, including what is on each of the two servers in terms signatures and keys?
> 
> (Clearly this cannot be valid to be on one server, given the DS and RRSIG(TXT) are not the same algorithm).
> 
> I think the requirement for considering the addition, is the inclusion of both ZSKs in both instances of the zone, AND the publication of both DS records in the parent.
> 
> If this happens well in advance of the change of NS record in the parent, what else needs to happen?
> And how is this handled by validators that handle algorithm 8 but not algorithm 13?
> 
> If the example is expanded and corrected, I believe the answer should be, the algorithm 13 only zone is either insecure, or bogus, depending on the absence or presence of the algorithm 8 DS.
> 
> I don't see a clean way to avoid a race condition between the NS records in the parent, and the DS records in the parent, given caching.
> 
> This is likely why Joe Abley was suggesting going insecure for a brief period is the only way to avoid anyone getting "bogus" as a validation state.
> 
> Algorithm 8 would go insecure permanently, while Algorithm 13 would go insecure for a brief period then go secure again.
> 
> Perhaps the brief bogus for Algorithm 8 is acceptable, in which case the decision is really one to be made by the zone owner.
> 
> Brian

v2.23.0 | Report a Bug | By Email