Re: [DNSOP] [DNSSEC-Bootstrapping] Fwd: New Version Notification for draft-thomassen-dnsop-dnssec-bootstrapping-02.txt
Peter Thomassen <peter@desec.io> Tue, 09 November 2021 03:55 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E039A3A0CF0; Mon, 8 Nov 2021 19:55:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.229
X-Spam-Level:
X-Spam-Status: No, score=-5.229 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-3.33, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yPMr14licS9x; Mon, 8 Nov 2021 19:55:29 -0800 (PST)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E46253A0BDF; Mon, 8 Nov 2021 19:55:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version :Date:Message-ID:Subject:From:References:Cc:To:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=JZSBqxnPPfthTv1o+vz0/A22e4oH4eTvaeJSyYF/OIc=; b=Vfm1lKLouG8iWJaNM160CWZsJf lScBjqhf0Rymp1u68UdujbM5+dw0kloVyLlqdeGKszk8+IjNC2LjWQsJ0t2cnb6sObmxQrEtm8l1N ICxNl1XM+LmXkyk4pnJR+P5625Zcm7TPx1ZWzs3p/5CcNIFsBouV5JbhI0KfNcEjHbYoru8UI9ZZZ PnJWiv81dmIOocKwOSEA5ii6JuT33Rzt1hjEqWYAHe2mQdHZ0vklYuL+3Fr68EGj4SOaJRrFt1dfs kPuSfmJnGr+RZn53faynY8A/B2VBjizMXFjax8n7DKhdguBMkB+bxq/Wzik/uUprImRpoI5OvVWL7 SZMqpOYQ==;
Received: from ip5f5aec68.dynamic.kabel-deutschland.de ([95.90.236.104] helo=[192.168.1.171]) by mail.a4a.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <peter@desec.io>) id 1mkIE7-0003HA-Lm; Tue, 09 Nov 2021 04:55:15 +0100
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, dnssec-bootstrapping@ietf.org
References: <163520620129.17275.16274772439094875607@ietfa.amsl.com> <91154628-0ca3-15d8-c6bd-b71232b2e64b@desec.io> <8d3b2ae-70e3-74b4-40a0-70e848acc4aa@nohats.ca> <66e2a81b-b971-cdea-0f40-cfed68be574f@desec.io> <705c1434-532-6840-8ae4-545bde91822@nohats.ca>
From: Peter Thomassen <peter@desec.io>
Message-ID: <37fa7324-643a-9c3c-4256-97abe52f1118@desec.io>
Date: Tue, 09 Nov 2021 04:55:12 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <705c1434-532-6840-8ae4-545bde91822@nohats.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Language: de-DE
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/H8TgiG67ElmMjIRdfebhCmwcwyQ>
Subject: Re: [DNSOP] [DNSSEC-Bootstrapping] Fwd: New Version Notification for draft-thomassen-dnsop-dnssec-bootstrapping-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 03:55:42 -0000
On 11/9/21 3:29 AM, Paul Wouters wrote: >> - IPv6 reverse DNS hostnames (under ip6.arpa.) already have length 73. > > But would they hit 255 ? No, this was only an illustration: Had there been some standard which prevented such long names, then IPv6 reverse DNS names would not have been possible. But, luckily, nothing go in the way. We don't know how long names will be in the future, and what will get in whose way. >> I wouldn't dare make a prediction about what kind of names could be >> introduced in the next decade (think of underscore labels for TLS >> identities, perhaps with other parameters encoded in front etc.). > > Per definition, you can create domain names that are too long to support > _underscore labels on top of them. And yet there we did not use hashing > either? When adding labels (e.g. an underscore label) in front of a domain name, the name of the parent / origin is fixed, so hashing it isn't an option. It's not possible to change the length of the suffix. However, it's possible to choose the length of the prefix that is being added, and it may make sense to make sure it's not unnecessarily long. >> Other technical considerations: >> >> - Not hashing creates semantic collisions. Practical example from our >> deployment at deSEC: The list of delegations under dedyn.io is long >> and changes frequently, so we'd probably like to put bootstrapping >> records for children of dedyn.io into a separate zone. >> Without hashing, that zone would be dedyn.io._boot.<NS>.If we do >> that, then we can't use bootstrapping for dedyn.io itself, because >> dedyn.io._boot.<NS> would be an apex name. This collides with the >> requirement that bootstrapping records MUST NOT occur at the apex >> (where they would signify *that* zone's own DS info). > > You can't bootstrap in-baliwick anyway, can you? There seems to be a misunderstanding: The not-in-bailiwick limitation means that a nameserver can't bootstrap its own domain, for lack for a pre-existing validation path. But in the above example, it was not assumed that any of the zones mentioned has any in-bailiwick NS. To clear up the misunderstanding, I'll write out the example in detail. dedyn.io has NS ns1.desec.io and ns2.desec.org. Children of dedyn.io typically have the same NS rrset. When a customer registers a new name under dedyn.io (it is a public suffix), we currently have some kind of hook that creates the DS records in the dedyn.io zone. Once there is a good bootstrapping protocol, there should be no need to keep that kludge. We would like to use the bootstrapping protocol to enable DNSSEC for such sub-zones. For that, we have to read the bootstrapping records, which would be, without hashing, located at something like example.dedyn.io._boot.ns1.desec.io (sticking to _boot for now). Because dedyn.io has a lot of delegations and keeps changing, we'd like to run bootstrapping for dedyn.io in a separate zone (same for com). We'd arrive at a setup like this: dedyn.io._boot.ns1.desec.io # bootstrapping zone for dedyn.io children com._boot.ns1.desec.io # bootstrapping zone for com children _boot.ns1.desec.io # zone for all other bootstrapping Now let's consider bootstrapping for dedyn.io *itself* (not one of its children!). The location of the bootstrapping records for this domain would be dedyn.io._boot.ns1.desec.io, which is the same as the name of the *zone* which constains bootstrapping records for domains *under* dedyn.io, such as at example.dedyn.io._boot.ns1.desec.io. We therefore cannot put dedyn.io's bootstrapping records at dedyn.io._boot.ns1.desec.io, as this is a zone apex, and putting CDS/CDNSKEY records there would indicate that the DS records for the zone "dedyn.io._boot.ns1.desec.io" should be updated, as opposed to signaling bootstrapping records for the zone "dedyn.io". This has nothing to do with in-bailiwick. The problem occurs because bootstrapping records cannot be at the apex (as to not overload the meaning of apex CDS/CDNSKEY records), but by "inheriting" the structure under dedyn.io, a situation arises where this condition is not met. The solution is to not "inherit", but flatten the hierarchy, which is what the hash does. With hashing, children of dedyn.io would have their bootstrapping records under h(dedyn.io)._boot.ns1.desec.io, such as example.h(dedyn.io)._boot.ns1.desec.io. In contrast, the bootstrapping records for dedyn.io *itself* would live at dedyn.h(io)._boot.ns1.desec.io. No collision occurs. Note that this is not an apex name, even if h(io)._boot.ns1.desec.io is made a separate zone for operational reasons. Similary, the name for bootstrapping of example.dedyn.io is not an apex name, even if h(dedyn.io)._boot.ns1.desec.io is made a separate zone. It is unclear to me how such situations would properly be dealt with if the bootstrapping owner names retained the target domains' hierarchy. One could of course specify that you can only ever bootstrap *one* name along a certain branch of the DNS tree. But what would be the motivation for such a limitation? I'm sure the situation could be complicated futher by considering more sophisticated delegation hierarchies (e.g. dedyn.io is at ns1.desec.io, foo.dedyn.io is not, but bar.foo.dedyn.io is again at ns1.desec.io, and so on). These are all things the protocol should be ignorant of. The hash ensures that *different things* get *different names*. It is a namespacing mechanism, and avoids overloading the names of bootstrapping records with the names of bootstrapping zones. Such overloading would be unclean design even if the was no pre-existing use of CDS/CDNSKEY records at the apex. >> - Clear datastructures simplify implementation (in my experience). >> Hashing leads to a very predictable data structure with always two >> labels in front of the underscore label. Also, that label would be >> an ENT; all records live at the leaves of the tree. This assumption >> cannot be made when the names are simply concatenated (see above). > > ENT's aren't that great :P For example, with query minimalization on > AWS Route53, these have been broken for years. I'd stay away from ENTs. Haha :-) Yes, I'm with you. My point was precisely that without hashing, you may sometimes get an ENT at a certain hierarchy level and sometimes you don't, so you'll have to deal with both cases. With hashing, you'll only have to deal with the case that there is an ENT at the hash label, which in turn may simplify debugging etc. >> Are there any conceptual downsides of the hashed label that would >> outweigh these points? > > Yes. Speaking of NSEC3, that is super hard for people to grasp. To us > experts it is obvious, but all the hashes makes a new person who looks > at it pretty confused. I think it would be good in general to try and > make it so that operators can debug DNS issues with the dig command, > without needing advanced tools. I think the main confusion about NSEC3 stems from the iterations stuff and from sophisticated denial-of-existence, including when wildcards are in the game. We have none of that here. I agree about the dig command. But, it's only possible (e.g. for DNSSEC debugging) because dig has some explicit things implemented, e.g. options like +multiline or +trace. One could thus turn your concern around and say that to aid debugging, it would be cool if debugging tools like dig would get equipped with suitable capabilities. ;-) >> While I don't feel strongly, I wonder in how many cases somebody would >> really look at that during that extra wait interval. Also, CDS/CDNSKEY >> processing already requires checking that updated DS records don't >> break resolution. > > Yes, but if someone accidentally pushes a DNSSEC deployment out and > pulls it back in after 5 minutes, you don't want this protocol to have > pushed the machinary into production and causing ServFails. Similarly, > I find BGP / routing attacks still scary, and attackers can only briefly > hold the route hijacks up. So waiting a day would really offer a lot > of protection here. Fair enough. I made a note to add a sentence along those lines. Thanks for your input! Peter -- Like our community service? 💛 Please consider donating at https://desec.io/ deSEC e.V. Kyffhäuserstr. 5 10781 Berlin Germany Vorstandsvorsitz: Nils Wisiol Registergericht: AG Berlin (Charlottenburg) VR 37525
- [DNSOP] Fwd: New Version Notification for draft-t… Peter Thomassen
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] Fwd: New Version Notification for dra… John Levine
- Re: [DNSOP] Fwd: New Version Notification for dra… Peter Thomassen
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] [DNSSEC-Bootstrapping] Fwd: New Versi… Peter Thomassen
- Re: [DNSOP] [DNSSEC-Bootstrapping] Fwd: New Versi… Nils Wisiol
- Re: [DNSOP] [DNSSEC-Bootstrapping] Fwd: New Versi… Paul Wouters
- Re: [DNSOP] [DNSSEC-Bootstrapping] Fwd: New Versi… Peter Thomassen
- Re: [DNSOP] [DNSSEC-Bootstrapping] Fwd: New Versi… Paul Wouters
- Re: [DNSOP] [DNSSEC-Bootstrapping] Fwd: New Versi… Christian Elmerot
- Re: [DNSOP] Fwd: New Version Notification for dra… Peter Thomassen
- Re: [DNSOP] [DNSSEC-Bootstrapping] Fwd: New Versi… Peter Thomassen
- Re: [DNSOP] [DNSSEC-Bootstrapping] Fwd: New Versi… Bob Harold
- Re: [DNSOP] [DNSSEC-Bootstrapping] Fwd: New Versi… Peter Thomassen