IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-dnssec-roadblock-avoidance & support for local DNS views

Petr Spacek <pspacek@redhat.com> Wed, 08 July 2015 15:43 UTC

Return-Path: <pspacek@redhat.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F14B1A00C6 for <dnsop@ietfa.amsl.com>; Wed, 8 Jul 2015 08:43:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.012
X-Spam-Level:
X-Spam-Status: No, score=-5.012 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MclfsVyob9MS for <dnsop@ietfa.amsl.com>; Wed, 8 Jul 2015 08:42:59 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D8DA1A00C1 for <dnsop@ietf.org>; Wed, 8 Jul 2015 08:42:59 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id 8371AAB960 for <dnsop@ietf.org>; Wed, 8 Jul 2015 15:42:58 +0000 (UTC)
Received: from pspacek.brq.redhat.com (ovpn-204-45.brq.redhat.com [10.40.204.45]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t68FgukW031483 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <dnsop@ietf.org>; Wed, 8 Jul 2015 11:42:58 -0400
Message-ID: <559D4500.6020706@redhat.com>
Date: Wed, 08 Jul 2015 17:42:56 +0200
From: Petr Spacek <pspacek@redhat.com>
Organization: Red Hat
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: dnsop@ietf.org
References: <54DB8233.5010405@redhat.com> <D2829CD2-1951-4F0B-848F-F05A9BBD011E@ogud.com>
In-Reply-To: <D2829CD2-1951-4F0B-848F-F05A9BBD011E@ogud.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/DZpl3CL0gIolafqDj4rYigxN9Mw>
Subject: Re: [DNSOP] draft-ietf-dnsop-dnssec-roadblock-avoidance & support for local DNS views
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2015 15:43:00 -0000

On 26.6.2015 22:45, Olafur Gudmundsson wrote:
>> On Feb 11, 2015, at 11:24 AM, Petr Spacek <pspacek@redhat.com> wrote:
>> draft-ietf-dnsop-dnssec-roadblock-avoidance is a nice idea in general but
>> current version of "Roadblock Avoidance", section 5, version 01 has a
>> significant drawback:
>>
>>       Else if the resolver is labeled "Not a DNS Resolver" or
>>          "Non-DNSSEC capable"
>>
>>           Mark it as unusable and try next resolver
>>
>> This effectively cuts off the client from local DNS view, which can
>> effectively mean that internal resources on the network will be unavailable.
>>
> You are correct we ignore split-DNS completely and that is on purpose.  It is unfortunately badly/not defined. 
> But in your case there is in many cases simple solution “when running SPLIT-DNS make sure internal DNSSEC resolvers are DNSSEC capable and sign inside and outside if there is overlap in names.” 

Unfortunately this approach ignores existence of old or broken resolvers, e.g.
in hotel networks where user has no control over the network. Think about
roaming users.

The community around Fedora distribution is right now trying to get caching &
validating resolver to every installation by default and this is not going to
happen if we cannot workaround broken networks reliably. It does not seem like
a good idea to either to show pop-up 'This network seems broken, do you want
to turn off validation?' or to simply ignore existence of DNS names which are
resolvable only locally.

Both approaches will upset users and the only result will more pushback
against DNSSEC validation on end-systems and exclamations like 'World is not
ready for DNSSEC!'

SPLIT-DNS is not going away and it would be shame if it would stop DNSSEC from
being used to its full potential.

What other options do we have to workaround this?

Petr Spacek  @  Red Hat

>> On public networks it may be perfectly fine to sacrifice local names to get
>> DNSSEC validation.
>>
>> However, on internal networks it is a big problem for practical usability of
>> the system. I personally experienced this when using dnssec-trigger on
>> networks where DHCP does not send complete list of local DNS domains. (Also, I
>> have to say that the fact that dnssec-trigger disables DNSSEC validation for
>> list of domains supplied DHCP effectively takes all the security away …)
> 
> This is side effect of the badly specified nature of SPLIT-DNS, 
> 
>>
>> Generally my concern is about practical usability of the proposed solution:
>> Imagine that I'm road-warrior/consultant who is traveling all the time and is
>> working for different companies. When I arrive to a customer I should not need
>> to spend time fiddling with network configuration to get connected to local
>> network before I can start working on customer's problem.

v2.23.0 | Report a Bug | By Email