Re: [DNSOP] On Powerbind

Ben Schwartz <bemasc@google.com> Wed, 15 April 2020 02:39 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0A133A1583 for <dnsop@ietfa.amsl.com>; Tue, 14 Apr 2020 19:39:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id krGWNCsT4ZBJ for <dnsop@ietfa.amsl.com>; Tue, 14 Apr 2020 19:39:39 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CB1A3A1582 for <dnsop@ietf.org>; Tue, 14 Apr 2020 19:39:38 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id j2so17200402wrs.9 for <dnsop@ietf.org>; Tue, 14 Apr 2020 19:39:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qO9p37qy5/EcyfWLC9Q/rI1NUMQXlwDsVUioBhko8uc=; b=NEKTnGva1C9tnIjKKHOhGx5sn5D8XcYCBTPIicMN67rvEjSm0+7YmU4DklG8zJ2yqs xrH3tpihx82+kiuAu/BZbXPsk4hmOT0riK/9+ken99Yh1hmC/c7HgR7tJ9ixNrQ/trPN HTr0EzAZtyXHMAALPzumapvg/mZgD/u//iNhdf55CDt/pVnb1XxKVTEIuoIfG8cuY+WS hftfE0lXvl7LQ8eW0p6IPl6+qOkjAiF119fhFbCy2JZ9R9ojvryDcRc61LiXFKGdhvn/ AJ4s52PY4HyWrfGgtSGNlLBcjDuqzqcXBrLQdwJ85e+gvIerBaEymyaPeILb8dbEfhkn FGRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qO9p37qy5/EcyfWLC9Q/rI1NUMQXlwDsVUioBhko8uc=; b=bRvjkl4HLY9pMG3/mi35vcMeamRJjY+tQwPGnSHkpolIBT+eSnaWJ9IqlRCQBy9Ma2 nGj9NC/BWT5U+tHpcLg2eIwDmHV+E5gboqXBoG3diulvqRgo7JD6JuHPwUvD1VESWdaj lxaTJUNz2eyqjDldu2FFbpRVbXrnjA5uNjhJQfwJhM8g0y53w3i5foSFsqjEIvWnV0nX eXGf4tf4WGimI3zbooPlv9l5v0KayXqkvquUBWK83WPqQfy8TLY0hf4qCDPNaxm62G91 uv3wo4Ggq/KgL+8j72aiyx9Hy478En1WzQMD7vlM7E+bVXquz9SlY6v2BXRat/irIIII hh+g==
X-Gm-Message-State: AGi0Pua1ySYgB8rzkWCZhByiophS3XakMxSy8J4WoTha1UVF5r9979jw bewQLTm4BtONBaO1BO/rV6kKGC45zNIflKb7pqmy99nlSfc=
X-Google-Smtp-Source: APiQypIS6Weu3C5z2tYoYyxco+J3BbcHegqyc1zOSZhdaPj9vLx/J5JJesEEPo2ZwRHPkKXWRgZyAFMmlB4uioSsDM0=
X-Received: by 2002:a5d:6310:: with SMTP id i16mr13981631wru.177.1586918376521; Tue, 14 Apr 2020 19:39:36 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbrMsAbHV8M2GR95nyZ-vCZOGghgxrdVD5NaTC=05q16HBd5Q@mail.gmail.com> <ybllfmxvhlr.fsf@w7.hardakers.net> <CAHbrMsAg4KMmMzntS-sWSeYJ3CWywC=Jv5pqBFdmCFmsY3tjUw@mail.gmail.com> <alpine.LRH.2.21.2004141951540.5865@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.2004141951540.5865@bofh.nohats.ca>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 14 Apr 2020 22:39:24 -0400
Message-ID: <CAHbrMsDgih9f2Et7x627JuYnZhinfWn80Zi_cBoO7UXR-gMGfg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Wes Hardaker <wjhns1@hardakers.net>, dnsop <dnsop@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="000000000000294de305a34b3a59"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FFk_h3rCV74bqLbHMRVDPzN_Fzo>
Subject: Re: [DNSOP] On Powerbind
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2020 02:39:42 -0000

Thanks for the explanation, Paul.  Overall, I agree that Powerbind seems
low-risk, so I don't mind it being available for people who care about it.

The strongest argument I can think of for Powerbind is that it prevents a
certain class of accidental misconfigurations for delegation-only zones.

It also might enable a reduction in how much labor is required to maintain
a DNSSEC transparency system, by providing some partial automation.  This
requires some assumptions about DNSSEC transparency that are not yet
obvious.

On Tue, Apr 14, 2020 at 8:24 PM Paul Wouters <paul@nohats.ca> wrote:

> On Tue, 14 Apr 2020, Ben Schwartz wrote:
>
> >       The point of powerbind is to specifically state "I'm delegation
> only".
> >       Without knowledge of that, you end up having to log everything,
> per your
> >       own conclusion, because there is no way to know if its a
> delegation-only
> >       zone.
> >
> > I'm still not able to understand this.  Suppose nic.footld puts a
> statement for humans on their website that says
> > ".footld promises to be delegation-only".
>
> First, this approach does not work. Not all TLD's have the ICANN mandated
> nic.<TLD>. There is no standard on how to publish this information. There
> is a chicken and egg problem getting to the website. You have to parse
> this data. Get the mimetype right. Website outages would be problematic.
> Website could be blocked to prevent reading the text. What is the expiry
> date of this data? Look at the various security "web canaries" that have
> been put up. They all fail to be maintained. And if anything Public Suffix
> has shown us this kind of data cannot be tracked properly outside the
> DNS. A few drafts have even attempted to pull in public suffix into some
> DNS record type because of this. If there is no link between the statement
> and the policy, they will diverge over time and cause false positives.
>

I actually agree: PSL should live in the DNS, because it is entirely the
zone owner's decision whether they want PSL behavior.  However, DNSSEC
transparency logging _cannot_ be controlled by the DNS, because log
operators must decide for themselves which zones they are willing to log.
Otherwise they become arbitrary data storage systems for anyone in the
world.

Powerbind would allow a log operator to say "I will log any delegation-only
TLD".  I think any practical log will still need manual intervention to add
cases like .co.uk, and perhaps also to remove delegation-only TLDs that
nonetheless exhibit spammy behavior, but overall Powerbind still saves some
amount of labor in that case.  I tend to think that a log operator could
already just log everything in all the TLDs, delegation-only or not, but I
don't have the data to prove it.

Second, with powerbind, you don't have to do a poor man's "after the
> fact" protection. You can mark violating data as BOGUS and prevent it
> from being accepted as valid before harm has been done. It's more than
> just a post-mortem that Certificate Transparency offers for the WebPKI.
>

I don't agree with this characterization.  A hostile or compromised TLD can
just as easily impersonate its children with Powerbind as without.

A third minor advantage is that setting this bit could become part of
> the IANA/ICANN process for current and new gTLDs. It would then prevent
> these entities from misusing/abusing their TLD zone in the future.


As above, it would not.


> For
> example to do "sitefinder" type wildcard matching.


This is still possible with Powerbind, using online signing or NSEC3
opt-out.


> And this would get
> free enforcement via validating resolvers.
>
> >       As the first sentence in the abstract says "This document
> >       introduces a new DNSKEY flag called DELEGATION_ONLY that indicates
> that
> >       the particular zone will never sign zone data across a label.".
> IE, the
> >       whole point is to communicate that a zone is such a zone.
> >
> > This seems like it can easily be communicated just to humans, manually
> enabling logging for each zone of
> > interest.  Since only the TLDs and similar zones are really of any
> interest for logging, manually maintaining a
> > list of zones to log is not difficult.
>
> Public suffix has a simiar problem showing this process is error prone.
> In fact, powerbind could obsolete this manually curated list, if all
> public suffix parents would implement this bit.
>

I definitely disagree.  Powerbind proves the existence of a zone cut, which
is not what membership in the Public Suffix List means.  It's perfectly
possible to need a zone cut in a place where you would not want PSL
behavior, and vice versa.

> Certificate Transparency operators similarly maintain lists of approved
> > CAs whose certificates are permitted in their log.  A curated list of
> this kind is required regardless; otherwise
> > a hostile or buggy zone could spam the log with records.
>
> Moving trust to a concortium of browser vendors and CAs is the opposite of
> what we are trying to achieve here. We are trying to get to a scenario
> where the owner of data can say what is and what is not allowed and
> expected to happen, and to allow these owners to voluntarily reduce their
> own power.


Powerbind (without DNSSEC transparency) doesn't reduce the power of the
zone owner.  They can easily impersonate (or repudiate) their children
before and after.


> I'm grateful to Comodo and Google and Mozilla and others for
> CT, but we want to not have to trust them (or others) more than we need to.
>
> > I still don't see why we need a machine-readable label to tell the logs
> that a zone is delegation-only, but if we
> > do need one, we can have it without changing the behavior of recursive
> resolvers, and without needing to place
> > anything in the parent (i.e. root) zone.
> >
> > What am I missing?
>
> DNSSEC Transparency is only one part of what powerbind allows you to do.
> Enforcing reduced power/trust in keys in resolvers is the other part.
>
> And we might disagree about the value of enforcment. But as I tried
> to explain during the meeting, the value added is not for our little
> community of engineers that trust each other. It is for people at large
> to not need to trust some cabal and who do not trust ICANN, Verisign
> or the USG.


In the absence of DNSSEC Transparency, someone who doesn't trust a TLD
before Powerbind has no additional reason to trust it afterward.  The TLD's
ability to make mischief is not reduced.

It only takes one bit and a dozen lines of validating resolver
> code. And it is opt-in. In that sense it seems reasonable to let those
> that see value in this use it. If people think there might be serious
> operational risks, I would also be very interested to hear that. So
> far, the only two items I know of are orphan glue and no longer being
> able for TLD NS records to be entries within the zone itself. And I
> do think these are managable - especially the orphaned glue is already
> a lifeline given to failing child zones.
>
> What I am interested in from a technical point of view is if we forgot
> any technical issues or difficulties. Did we miss a use case? Can or
> should we try to protect other records? Are we forgetting anything
> related to wildcards, CNAMEs or DNAMEs ?
>
> With that, I'm going to step back and let this discussion continue for
> a bit without me replying to every message, as I think it is really
> important to hear other people's viewpoints on this too.
>
> Paul
>