Re: [DNSOP] [v6ops] [IANA #989438] ipv4only.arpa's delegation should be insecure.
Ted Lemon <mellon@fugue.com> Wed, 13 June 2018 02:36 UTC
From: Ted Lemon <mellon@fugue.com>
Date: Tue, 12 Jun 2018 19:35:34 -0700
Message-ID: <CAPt1N1=7XEp+0U6m7zeAjqSjmhSwYZ+3ZQe5usqmqjwoKXAVfA@mail.gmail.com>
To: David Schinazi <dschinazi@apple.com>
Cc: Mark Andrews <marka@isc.org>, Stuart Cheshire <cheshire@apple.com>, Michelle Cotton via RT <iana-questions@iana.org>, dnsop <dnsop@ietf.org>, "v6ops@ietf.org WG" <v6ops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EM_vdwpz4wjVcslh5K8J_Lki1s0>
LGTM. It sounds like Mark is arguing that RFC6761 also needs updating. Possibly this document could do that, but it would need to be reframed a bit.

On Tue, Jun 12, 2018 at 7:28 PM, David Schinazi <dschinazi@apple.com> wrote:
> Hi everyone,
>
> Stuart and I have a draft that attempts to address these issues, please let us know if you think it does or doesn't.
>
> https://tools.ietf.org/html/draft-cheshire-sudn-ipv4only-dot-arpa
>
> Thanks,
> David Schinazi
>
> On Jun 12, 2018, at 18:29, Mark Andrews <marka@isc.org> wrote:
>
> The Domain Name Reservation Considerations in RFC 7050 do not cover whether a delegation should be signed or not. Due to that omission in constructing the set of questions to be asked, RFC 7050 fails when the client is behind a validating resolver that has NO SPECIAL KNOWLEDGE of IPV4ONLY.ARPA.
>
> There are 2 pieces of work that are required.
> 1) Update the list of questions that need to be asked to include whether a delegation needs to be signed or not.
> 2) Update RFC 7050 to include explicit instructions to say DO NOT sign IPV4ONLY.ARPA.
>
> Item 1 is dnsop work as far as I can see. Item 2, I think, should be v6ops work.
>
> HOME.ARPA is an example of an unsigned delegation.
> 10.IN-ADDR.ARPA is an example of an unsigned delegation.
>
> There is zero benefit in IPV4ONLY.ARPA being signed. Its contents on the Internet are well known. The contents with NAT64 in use are well known except for the AAAA query. The answer to that query is *expected to change*. That answer cannot be validated.
>
> Mark
>
> Begin forwarded message:
>
> From: "Michelle Cotton via RT" <iana-questions@iana.org>
> Subject: [IANA #989438] ipv4only.arpa's delegation should be insecure.
> Date: 6 January 2018 at 8:45:10 am AEDT
> To: marka@isc.org
> Reply-To: iana-questions@iana.org
>
> Hello,
>
> Following up on a thread from the end of the year. Who will bring this to the DNSOps working group? Will someone notify us if there is a consensus on a conclusion of what needs to be done?
>
> Thanks in advance.
>
> --Michelle Cotton
>
> On Sun Dec 10 22:40:29 2017, danwing@gmail.com wrote:
> I had replied to the errata. I agree it warrants additional discussion, and had also suggested same. Dnsops seems appropriate.
>
> The question is not so much where the attacker is, but what DNSSEC guarantee is provided. DNS64 imagines the client could do its own validation — if it wanted. To date, effectively zero clients seem to want to do their own DNSSEC validation.
>
> -d
>
> On Dec 10, 2017, at 11:13 AM, Savolainen, Teemu (Nokia-TECH/Tampere) <teemu.savolainen@nokia.com> wrote:
>
> Hi,
>
> Dan Wing seems to have moved to VMWare, but cc'ing him now with an email address I found from an I-D.
>
> I'm not really following IETF nowadays, so I don't know if this has been discussed.
>
> Also I'm not sure why ISPs couldn't first verify the A response's validity and then generate the AAAA response to the client as documented... but I suppose it could be considered to be more proper action to modify insecure responses than secure responses. I'm just worried what happens if there's an attacker between ISP and root, in which case the IPv4 address part of the response could be modified by the attacker and then delivered to the client in the ISP's synthetic AAAA record.
>
> So I cannot accept the errata straight away, but it should be discussed with people who are more expert on this than I am.
>
> Best regards,
>
> Teemu
>
> -----Original Message-----
> From: Michelle Cotton via RT [mailto:iana-questions-comment@iana.org]
> Sent: 9 December 2017 1:22
> Cc: ietf@kuehlewind.net; spencerdawkins.ietf@gmail.com; jouni.nospam@gmail.com; Savolainen, Teemu (Nokia-TECH/Tampere) <teemu.savolainen@nokia.com>
> Subject: [IANA #989438] ipv4only.arpa's delegation should be insecure.
>
> Hello,
>
> Just checking to see if anyone had a chance to look at this. Dan Wing's email address bounced (dwing@cisco.com).
>
> Thanks,
> Michelle
>
> On Tue Nov 28 14:43:00 2017, michelle.cotton wrote:
> Hello Authors and Area Directors,
>
> We have received a message pointing out an errata report that would modify the actions that were performed for RFC7050.
>
> https://www.rfc-editor.org/errata/eid5152
>
> Has this report been discussed? Will the result be an approved errata report or a new RFC?
>
> Thanks in advance.
>
> Michelle Cotton
> Protocol Parameters Engagement Sr. Manager
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
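As an added illustration of the RFC 7050 procedure the thread is about (example code, not from the thread or any of its participants): extract the NAT64 prefix (Pref64::/n) from AAAA answers for ipv4only.arpa by locating the well-known IPv4 address at each RFC 6052 embedding position. The AAAA RDATA inputs are constructed, and trying the longer prefix lengths first is an assumption of this example; the point Mark makes above applies to exactly these answers, which DNS64 synthesizes and which therefore cannot carry a valid signature.

```python
from __future__ import annotations

import ipaddress

# Well-known IPv4 addresses that ipv4only.arpa resolves to (RFC 7050):
# 192.0.0.170 and 192.0.0.171, as the raw octets found inside an AAAA RDATA.
WELL_KNOWN_IPV4 = {b"\xc0\x00\x00\xaa", b"\xc0\x00\x00\xab"}

# Prefix lengths RFC 6052 allows for IPv4-embedded IPv6 addresses.
# Assumption of this example: longer prefixes are tried first.
CANDIDATE_LENGTHS = (96, 64, 56, 48, 40, 32)


def embedded_ipv4(addr: bytes, plen: int) -> bytes | None:
    """Return the IPv4 octets embedded in a 16-byte IPv6 address under the
    RFC 6052 layout for prefix length plen, or None if the layout is
    violated (bits 64-71, the 'u' octet, must be zero except for /96)."""
    if plen == 96:
        return addr[12:16]
    if addr[8] != 0:
        return None
    layout = {
        32: addr[4:8],
        40: addr[5:8] + addr[9:10],
        48: addr[6:8] + addr[9:11],
        56: addr[7:8] + addr[9:12],
        64: addr[9:13],
    }
    return layout.get(plen)


def discover_pref64(aaaa_rdata: list[bytes]) -> list[ipaddress.IPv6Network]:
    """Given the AAAA RDATA returned for ipv4only.arpa, return every NAT64
    prefix that embeds a well-known IPv4 address; unrelated answers are
    ignored, so a poisoned or stray record does not yield a prefix."""
    found: list[ipaddress.IPv6Network] = []
    for rdata in aaaa_rdata:
        if len(rdata) != 16:
            raise ValueError("AAAA RDATA must be 16 bytes")
        for plen in CANDIDATE_LENGTHS:
            if embedded_ipv4(rdata, plen) in WELL_KNOWN_IPV4:
                net = ipaddress.IPv6Network((ipaddress.IPv6Address(rdata), plen), strict=False)
                if net not in found:
                    found.append(net)
                break
    return found


# Constructed sample answers (not real DNS responses): a DNS64 using the
# well-known 64:ff9b::/96 prefix, one using a network-specific /64 prefix,
# and an unrelated address that must not be mistaken for a prefix.
SAMPLE_ANSWERS = [
    ipaddress.IPv6Address("64:ff9b::c000:aa").packed,
    ipaddress.IPv6Address("2001:db8:64:0:c0:0:aa00:0").packed,
    ipaddress.IPv6Address("2001:db8::1").packed,
]
```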