IETF Logo Mail Archive

Re: [DNSOP] CNSRRSIG (was: Re: [Ext] draft-fujiwara-dnsop-delegation-information-signer))

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 11 December 2020 01:21 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4B713A1382 for <dnsop@ietfa.amsl.com>; Thu, 10 Dec 2020 17:21:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u8fQqphQulsb for <dnsop@ietfa.amsl.com>; Thu, 10 Dec 2020 17:21:20 -0800 (PST)
Received: from mail-vs1-xe2c.google.com (mail-vs1-xe2c.google.com [IPv6:2607:f8b0:4864:20::e2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC4443A1347 for <dnsop@ietf.org>; Thu, 10 Dec 2020 17:21:19 -0800 (PST)
Received: by mail-vs1-xe2c.google.com with SMTP id u7so3949852vsg.11 for <dnsop@ietf.org>; Thu, 10 Dec 2020 17:21:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=opqkKmDcTqHk5qQJm8AfhJBxppFthmSfkhlNHBpusiM=; b=thhGdrxW6rw7S2rFOYn34UwHgRGl76oybu6ZSn7taouVsxwFLCIalUYToqsq0LocwR jGYWEZix21/p93sIUwMeOTxIL6iaKt8FzK4JOa0vZ8B7ykqjVfgdcHYKrl0Ykp7a/dpn Sbv6PDnjhVuR6zsZaaKmasKSmkALdLd9GrSK9T3W05Ly4cr6v+8zV2PYp8yw0hNcXph7 1OwIFwHvO+XhQ3kBokP6Vp6iBLPTaF7LqiA4GOjQlVN5lhtkf1BK4xiVec7ZLg1Ps/Ja /AxLNhEbF7mizP/WI2qE2HiHwRwQ0lh9kI3xyNrqs/xnLDFR/k7OzM8Yqsep0DDQhAUV 2CRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=opqkKmDcTqHk5qQJm8AfhJBxppFthmSfkhlNHBpusiM=; b=Uq+s9LP/DiEk547ReDCtw3b5zWbgzcabSpPK2CP+CKwx5Cf74g+oJRUhMGO4UxumfA 24TwWhb1c3dVQTrWzs3u6YkBMuXWsaw5DeOkMAPQ0OO527chSdCbOATemWW/pm+upVRN g+5aFMkKnLvbIq5rW7362lxA1FRjq4IpeyPRqLTF6h+fg+Hr54k9cDcXN1Teixw7vaZr gPY+pREZFblUF5uQeLlYE2TiGkzmX3rPfsKTKJqG9WZmEUgln3L23W8w5MxFPbmMHJ1k 4C+U0mBV0EAv4+T5RUvf/tY1kzbF1WptYqFqJCkVLgs7kWNQhvMjCS9x+GM9KyMXHri6 NZuA==
X-Gm-Message-State: AOAM533Rlcy+JskHxhFfW0lZHsb3sw3XrJPN++l5PeV0T/ek32mocZFb 2OQkADX3ilLt7IRCdCL0LeqUI5UciKr/owhODEc=
X-Google-Smtp-Source: ABdhPJwfseW33VQqs1keE8FHy7/w7zop+TNeiJVbvjHGWCV39/1AOhsmIT7uoeeQNLQ8OZEbZEBLMt2UvtaZ/9BYoVo=
X-Received: by 2002:a67:7742:: with SMTP id s63mr10926631vsc.49.1607649678770; Thu, 10 Dec 2020 17:21:18 -0800 (PST)
MIME-Version: 1.0
References: <F3CB048D-F6DB-46D7-A151-E9526FA51F47@icann.org> <A8AECB8C-E6D4-4360-A85F-2525BF001435@hopcount.ca> <9BB8435F-F416-49CF-A232-FDCE526DCDD5@icann.org> <6D93A6AB-FD9F-4BB7-9953-15867984B315@hopcount.ca>
In-Reply-To: <6D93A6AB-FD9F-4BB7-9953-15867984B315@hopcount.ca>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Thu, 10 Dec 2020 17:21:07 -0800
Message-ID: <CAH1iCiqLUpfJ8L+VZC4c-wXkC6km2jnUv+Bf0Bxyjx-T_bsETQ@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: Paul Hoffman <paul.hoffman@icann.org>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000006c74905b6261c68"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/E3MXpDu6zb13bczKe5uCJKkGXlY>
Subject: Re: [DNSOP] CNSRRSIG (was: Re: [Ext] draft-fujiwara-dnsop-delegation-information-signer))
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 01:21:22 -0000

On Thu, Dec 10, 2020 at 4:52 PM Joe Abley <jabley@hopcount.ca> wrote:

> On 10 Dec 2020, at 19:41, Paul Hoffman <paul.hoffman@icann.org> wrote:
>
> >> "Authenticate authoritative servers" is a bit vague for me. Parent and
> child are namespace concepts and not relying parties that you'd ordinarily
> expect to be able to authenticate anything.
> >
> > A resolver asks a parent what the NS records are for the child. Today,
> an on-path attacker can change the answer and the resolver would not be the
> wiser, so the resolvers cannot trust such answers to do things like look up
> TLSA records. There is a desire for resolvers to be sure that what the
> child NS records they receive from the parent is what the parent has in its
> zone for the child so they can use this information to ask for TLSA records.
>
> The problems that DNSSEC is trying to solve are with identifying
> inauthentic data ultimately requested by applications. If an intermediate
> referral response includes an inauthentic NS RRSet with no RRSIGs it cannot
> be identified as inauthentic, but it doesn't really matter because any data
> that is expected to be signed from the inauthentic servers will fail
> validation and the application will be protected.
>
> The problems that dprive is trying to solve concern surveillance
> opportunities and information leakage. that if an imtermediate referral
> response includes an inauthentic NS RRSet with no RRSIGs it could cause
> queries on behalf of an application to be harvested by an untrusted third
> party at one of those inauthentic servers, which could represent a
> surveillance opportunity.
>
> The proposal is hence to provide a way for an intermediate referral
> response that includes an inauthentic NS RRSet to be identified as
> inauthentic so that subsequent queries to the untrusted third party servers
> can be suppressed.
>
> Did I read that back correctly?
>
>
Yes.

Brian


> I've now typed "inauthentic" enough that I am starting to doubt that it is
> a word, but "bogus" has a particular and different meaning in DNSSEC so I
> was trying to avoid it.
>
>
> Joe
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email