IETF Logo Mail Archive

Re: [DNSOP] Stupid thought: why not an additional DNSKEY record flag: NSEC* only...

Ólafur Guðmundsson <olafur@cloudflare.com> Thu, 05 January 2017 23:53 UTC

Return-Path: <olafur@cloudflare.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 453ED12940B for <dnsop@ietfa.amsl.com>; Thu, 5 Jan 2017 15:53:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pt5PNYGTWwK2 for <dnsop@ietfa.amsl.com>; Thu, 5 Jan 2017 15:53:02 -0800 (PST)
Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EE561293D6 for <dnsop@ietf.org>; Thu, 5 Jan 2017 15:53:02 -0800 (PST)
Received: by mail-wm0-x22d.google.com with SMTP id k184so7406187wme.1 for <dnsop@ietf.org>; Thu, 05 Jan 2017 15:53:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ExDpDBaPgYqwVQzhCwaYuy+In48yTwKpD8eqLekw0JU=; b=TqVSY/URdeCZtBq3HNTaHDEn5dQffgtco6ETf/ivpH5zZdmavr5eRHjnAFFxFnofRI bQn3NNZyxAwxAKbGjEIWkp4vplTB5cT4aYisgF5C7jBIHufvEDDD8e0gUSsfxyJot59y Ss5C8SAakKKw7maFF8a2jr75GgV7MkYWBSYxE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ExDpDBaPgYqwVQzhCwaYuy+In48yTwKpD8eqLekw0JU=; b=HizQLl5L0qaG6ENr44Sz2NGK+IOSZUN4ySSue8bQvLiEhBFz/d2wOFUehF6UUlzPIk 1TUlcvNYH68+vOgnjrwpxRkX8b4Ik2uFVFtopUEZ72EF3LR9rVkKM/ivqIkWdLkxop+j z9RzRXidCadwrZkb9qDVyOjI/YIrl1mfWbuk91+essi0YKNsDUTA3xI/Xez2x1Vofrmc 4ymm/vPF9xphmAD2AhFWJbeujsZXn9fpCxT3Dl3Brq8e/dUMY3ONndFda4/ebgSjTy5x sapVrbFZOi78RNvBLvj5LBqir16RgJZ7pgxsF2ZsRu0D+npz7rf0OvGHlgpq0gL+wd1l ouxg==
X-Gm-Message-State: AIkVDXJDsgxg5mGoLwrgAmqspLCRQJp8P1asUKeHgu7gr5ZK0zdZj+LVgmc5jjUnzbXFSgMMJuAZkRuAjtXkU701
X-Received: by 10.28.48.145 with SMTP id w139mr373578wmw.113.1483660380736; Thu, 05 Jan 2017 15:53:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.11.13 with HTTP; Thu, 5 Jan 2017 15:53:00 -0800 (PST)
In-Reply-To: <FEDF56ED-D27D-44A7-8989-C8920BC6C1CE@icsi.berkeley.edu>
References: <FEDF56ED-D27D-44A7-8989-C8920BC6C1CE@icsi.berkeley.edu>
From: Ólafur Guðmundsson <olafur@cloudflare.com>
Date: Thu, 05 Jan 2017 18:53:00 -0500
Message-ID: <CAN6NTqzgmzKCq+Gu1gOxAf=O7cS67FMr1MOVnGfNoux8-hLrww@mail.gmail.com>
To: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Content-Type: multipart/alternative; boundary="001a11423f32f6251e054561990e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/H-yz69gg5kjA2gH-93g7ARE_9IY>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Stupid thought: why not an additional DNSKEY record flag: NSEC* only...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 23:53:04 -0000

On Wed, Jan 4, 2017 at 12:33 PM, Nicholas Weaver <nweaver@icsi.berkeley.edu>
wrote:

> Any system which prevents zone enumeration requires online signing,
> https://www.cs.bu.edu/~goldbe/papers/nsec5faq.html
>
> But NSEC5 is almost certainly not going to be adopted, simply because of
> the partial deployment problem.
>
> NSEC3 lies work today, but people worry that NSEC3 might have server
> compromise compromise the ZSK.
>
>
>
> So why not simply add a new DNSKEY record flag: NSEC3-only.  This flag
> means that the key in question can only be used to sign an NSEC* record
> when presenting NXDOMAIN.
>

I used to think that was a good idea, but .... given that this will add
keys to the DNSKEY set I think it is not worth it with RSA the DNSKEY sets
are too large in most cases.
With ECC keys on the other hand this might be reasonable.

What is the problem you are solving by having a NSEC-only key ?
is it key management,  sharing keys with DNS operators, or something else.


At Cloudflare we sign a all DNSEC answers on the fly with the exception of
DNSKEY/CDS/CDNSKEY which we have to do centrally.
This is working and we do not worry too much about ZSK compromise, as we
can roll them when we need.
 We just use Minimally covering NSEC records (no need to do NSEC3),
we are looking into adoption that on the fly when under random prefix DDoS
attacks, to resolvers that we know support agressive NSEC processing.


> This way, you can deploy this solution today using white lies, and as
> resolvers are updated, this reduces the potential negative consequence of a
> key compromise to “attacker can only fake an NXDOMAIN”, allowing everything
> else to still use offline signatures.
>
>
Why is key compromise in DNS more worrying than in HTTPS ?
HTTP servers have keys online all the time.


> Combine with caching of the white lies to resist DOS attacks and you have
> a workable solution that prevents zone enumeration that is deployable today
> and has improved security (key can only fake NXDOMAIN) tomorrow.
>
>
The problem with a FLAG is that it will require
a) validator/resolver support
b) have a workable key management

I think we can do this w/o the flag

Regards,
Olafur

v2.23.0 | Report a Bug | By Email