Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

Mark Andrews <> Wed, 02 April 2014 02:51 UTC

To: Colm MacCárthaigh <>
From: Mark Andrews <>
In-reply-to: Your message of "Tue, 01 Apr 2014 18:25:12 -0700." <>
Date: Wed, 02 Apr 2014 13:50:54 +1100
Cc: Nicholas Weaver <>, "" <>, Phillip Hallam-Baker <>, Matthäus Wander <>, Bill Woodcock <>

In message <>, Colm MacCárthaigh writes:
> On Tue, Apr 1, 2014 at 5:31 PM, Mark Andrews <> wrote:
> > > This too is going too far; of course they can, they can ask another
> > > recursive resolver.
> >
> > Which also passes through bogus answers.  I will repeat: stub resolvers
> > can't recover from recursive servers that pass through bogus answers.
> >
> DNSSEC is a mitigation against spoofed responses, man-in-the-middle
> interception-and-rewriting and cache compromises. These threats are
> endpoint and path specific, so it's entirely possible that one of your
> resolvers (or its path) has been compromised, but not others. If all of
> your paths have been compromised, then there is no recovery; only
> detection. But that is always true for DNSSEC.

There are also the good answers mixed in with the bad answers coming
to the recursive server, which is supposed to discard the bad answers
and wait for the good answer, which will be in the query stream.

> > > Defaulting to CD=0 renders DNSSEC, essentially, pointless. Resolvers, and
> > > the path between resolvers and stubs, are the easiest components in the
> > > lookup chain to subvert.
> >
> > CD=0 tells the resolver to validate the answers it gets if it is
> > validating.  It has NOTHING to do with whether you are validating
> > or not.  You have fallen for the myth that CD=1 indicates that you
> > intend to validate and that CD=0 means that you are not validating.
> >
> > DO=1 is the ONLY bit REQUIRED to be set if you are validating.
> >
> > If DO=1 is set you should assume the client may be validating.
> > Named assumes this when deciding if it will intentionally break
> > DNSSEC validation down stream.
> >
> As you pointed out, if I set CD=1, I always expect a meaningful answer
> containing signatures that I can validate.  If I set CD=0, then an empty
> SERVFAIL response is valid. If I get SERVFAIL, how do I validate that it's
> a real error?

You re-check with CD=1.

> Your suggestion is to regress to the CD=0 case and re-check
> it (or maybe do your own recursion?). Why not just do CD=0 all along?

CD=1 is for bad trust anchors / clocks in the validating recursive server.
CD=0 is for an attacker sending spoofed traffic at the recursive server.

Different fail/attack profiles, different query bits needed.

The recursive server sorts the wheat from the chaff and passes the
stub resolver the wheat.

> Now I agree that a resolver should always validate the signatures anyway,
> and if I were writing a caching resolver, I'd never cache rrsets that fail
> validation, even if the user has CD set to 1. But that's separate.
> > > > DNSSEC is quite capable of protecting that path.  Why do you need
> > > > a second protocol.
> > >
> > > That statement is not consistent with setting CD=0 on that path.
> >
> > I suggest that you go re-read all the DNSSEC RFCs if you believe
> > that because you are categorically WRONG.
> >
> Please stay civil, and also please don't assume that I haven't read the
> If you set CD=0, you can't authenticate the failure case, empty SERVFAILs
> can be spoofed or inserted towards the stub. And how do you disambiguate
> between SERVFAILs that are validation errors and other server failures?

You retry with CD=1, which I stated initially.  Note: if the recursive
server is returning SERVFAILs to CD=0, it will be causing problems
for all its clients, so it will likely be fixed.  Additionally, CD=0 helps
when the recursive server mis-classifies authoritative servers as not
supporting EDNS.

> Without some kind of resolver redundancy (so recovering via retrying
> another resolver) I don't see a way. Of course if all of your resolvers
> return SERVFAIL, you're left in the same situation - but again, if every
> path you have has been compromised, there is no escape.
> But this can all be boiled down to;  As you've already written, you agree
> that CD=1 is necessary in the failure case - it's the only hope of
> authenticating the error. So why bother with CD=0 at all?

Because CD=1 does not get the good answers to the stub when the
responses to the recursive server are being spoofed.

> Colm

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET:
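The stub-resolver strategy Mark argues for above (DO=1 always; CD=0 first so the recursive server discards spoofed upstream answers and passes on only the wheat; CD=1 only to re-check a SERVFAIL, with the stub validating that answer itself), worked through as an added Python example. This is not code from the thread, from ISC or from BIND. It builds the queries on the wire (RD and CD in the header flags, DO in the OPT RR) and runs them against two in-process simulated recursive servers: one under a flood of spoofed upstream traffic and one with a broken trust anchor or clock. The simulated servers, the addresses, and the validate_locally callback that stands in for a real RRSIG/DNSKEY chain check are all constructed for the example; the simulated responses omit OPT and RRSIG records.

```python
"""Stub query strategy for the DO/CD bits; added example with simulated servers."""
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
EDNS_DO = 0x80000000       # DO is the top bit of the OPT RR "TTL" field (RFC 6891)
EDNS_UDP_SIZE = 1232
GOOD_IP = (192, 0, 2, 1)           # constructed, documentation range
BOGUS_IP = (198, 51, 100, 66)      # constructed, documentation range


def encode_name(name):
    # Wire-format owner name: length-prefixed labels terminated by a zero byte.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name, msg_id, cd=False, qtype=TYPE_A):
    """RD=1 plus an OPT RR carrying DO=1 (we may validate); CD only if asked for."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)   # qd=1, ar=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, EDNS_DO, 0)
    return header + question + opt_rr


def parse_header(msg):
    msg_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F, "ancount": an}


def answer_ip(resp):
    """Simulated responses carry at most one A RR, placed last in the message."""
    return tuple(resp[-4:]) if parse_header(resp)["ancount"] else None


def _response(query, rcode, ad, ip=None):
    """Minimal response: echo ID, question and CD; one A RR; no OPT, no RRSIG."""
    q = parse_header(query)
    flags = QR | RD | RA | rcode | (AD if ad else 0) | (CD if q["cd"] else 0)
    question = query[12:-11]                    # drop the header and the 11-byte OPT RR
    rr = b""
    if ip is not None:                          # 0xC00C: pointer to the question name
        rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes(ip)
    ancount = 0 if ip is None else 1
    return struct.pack("!HHHHHH", q["id"], flags, 1, ancount, 0, 0) + question + rr


def validating_resolver(upstream, broken_anchor=False):
    """Simulated validating recursive server. `upstream` lists answers in arrival
    order as (ip, would_validate). CD=0: drop answers that fail validation and wait
    for one that passes, else SERVFAIL. CD=1: return whatever arrived first.
    broken_anchor models a bad trust anchor or clock, under which nothing validates."""
    def serve(query):
        q = parse_header(query)
        for ip, genuine in upstream:
            validates = genuine and not broken_anchor
            if validates or q["cd"]:
                return _response(query, RCODE_NOERROR, ad=validates, ip=ip)
        return _response(query, RCODE_SERVFAIL, ad=False)
    return serve


def stub_resolve(name, send, validate_locally, msg_id=0x1234):
    """CD=0 first so the recursive server filters spoofed upstream answers; only on
    SERVFAIL retry with CD=1 and validate the unfiltered answer ourselves.
    validate_locally stands in for a real RRSIG/DNSKEY chain check (assumption)."""
    resp = send(build_query(name, msg_id, cd=False))
    hdr = parse_header(resp)
    if hdr["id"] != msg_id or not hdr["qr"]:
        raise ValueError("response does not match our query")   # stub-side sanity check
    if hdr["rcode"] != RCODE_SERVFAIL:
        return ("resolver-validated" if hdr["ad"] else "unvalidated", answer_ip(resp))
    resp = send(build_query(name, msg_id + 1, cd=True))
    hdr = parse_header(resp)
    if hdr["id"] != msg_id + 1 or hdr["rcode"] == RCODE_SERVFAIL:
        return ("failed", None)
    ip = answer_ip(resp)
    return ("locally-validated" if validate_locally(ip) else "bogus", ip)


def scenario_spoofed_upstream():
    """Attacker floods the recursive server; the forged answer arrives first."""
    send = validating_resolver([(BOGUS_IP, False), (GOOD_IP, True)])
    return stub_resolve("example.com.", send, lambda ip: ip == GOOD_IP)


def scenario_broken_anchor():
    """Recursive server can validate nothing; the stub has to do it itself."""
    send = validating_resolver([(GOOD_IP, True)], broken_anchor=True)
    return stub_resolve("example.com.", send, lambda ip: ip == GOOD_IP)


def scenario_cd1_only():
    """Why CD=1 all along is not the answer: the forged answer is passed through."""
    send = validating_resolver([(BOGUS_IP, False), (GOOD_IP, True)])
    resp = send(build_query("example.com.", 0x4242, cd=True))
    return parse_header(resp)["ad"], answer_ip(resp)


if __name__ == "__main__":
    print(scenario_spoofed_upstream())   # ('resolver-validated', (192, 0, 2, 1))
    print(scenario_broken_anchor())      # ('locally-validated', (192, 0, 2, 1))
    print(scenario_cd1_only())           # (False, (198, 51, 100, 66))
```

The ID and QR check in stub_resolve is the minimum a stub should do on the stub-to-recursive path; a real implementation would also compare the echoed question section and the source port, and would only trust AD=1 over a path it already trusts (a local or authenticated resolver), since AD is just a bit that anyone on that path can set.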