Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-zone-digest-12: (with DISCUSS and COMMENT)

Roman Danyliw <rdd@cert.org> Mon, 12 October 2020 16:24 UTC

Return-Path: <rdd@cert.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C4933A15A2; Mon, 12 Oct 2020 09:24:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RdRj77E68eYW; Mon, 12 Oct 2020 09:24:49 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28D763A159B; Mon, 12 Oct 2020 09:24:49 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 09CGOkQY005966; Mon, 12 Oct 2020 12:24:46 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 09CGOkQY005966
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1602519887; bh=2iwDWYWvveVoOvBO5seGhxEbEIptPb9xWq6d/P0/vdQ=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=HeVD6bgQsvEcnfZ69vRQYohTiMd6glw9uKAO76H2Y8tB1Rn0goTOhzxCF/d+x6UV8 GkwiV3SZvzb2xfD3Acba6xY9lDVpMHeUpZ8ty4gL1cm+lg6+1lT424Nc1E7xIf2PTO nC/BjhfbEWVbmyxX21SZXHm3agGA9L7t/XdxyO2g=
Received: from MORRIS.ad.sei.cmu.edu (morris.ad.sei.cmu.edu [147.72.252.46]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 09CGOh5T013351; Mon, 12 Oct 2020 12:24:44 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MORRIS.ad.sei.cmu.edu (147.72.252.46) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Mon, 12 Oct 2020 12:24:43 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Mon, 12 Oct 2020 12:24:42 -0400
From: Roman Danyliw <rdd@cert.org>
To: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>
CC: "draft-ietf-dnsop-dns-zone-digest@ietf.org" <draft-ietf-dnsop-dns-zone-digest@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, The IESG <iesg@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-dnsop-dns-zone-digest-12: (with DISCUSS and COMMENT)
Thread-Index: AQHWm4scjI2g8fCOZk60H2rcJ0wpo6mM04UA///AHKCAA0+HgIAETbrw
Date: Mon, 12 Oct 2020 16:24:41 +0000
Message-ID: <d5e8101c9c40421489b35a7e15e8b726@cert.org>
References: <160195246471.4620.11112787341926255318@ietfa.amsl.com> <514C2BA5-37C3-48E5-B1FE-DCA96C7F37B3@verisign.com> <5fbeea49742e4866878af08d9681c8fe@cert.org> <51CC3897-1A88-41F7-A56C-0BB4E69EBBC9@verisign.com>
In-Reply-To: <51CC3897-1A88-41F7-A56C-0BB4E69EBBC9@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.203.52]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HtVzD7MvC2ay0mI09LO8-VnwNsk>
Subject: Re: [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-dns-zone-digest-12: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2020 16:24:51 -0000

Hi Duane!

Thanks for the extensive changes in -13.  They address my concerns.  I have left one remaining comment about clarifying "provably secure" with a reference.  Otherwise, I've cleared my ballot.

Regards,
Roman

> -----Original Message-----
> From: iesg <iesg-bounces@ietf.org> On Behalf Of Wessels, Duane
> Sent: Friday, October 9, 2020 2:40 PM
> To: Roman Danyliw <rdd@cert.org>
> Cc: draft-ietf-dnsop-dns-zone-digest@ietf.org; Tim Wicinski
> <tjw.ietf@gmail.com>om>; dnsop-chairs@ietf.org; dnsop@ietf.org; Wessels, Duane
> <dwessels=40verisign.com@dmarc.ietf.org>rg>; The IESG <iesg@ietf.org>
> Subject: Re: Roman Danyliw's Discuss on draft-ietf-dnsop-dns-zone-digest-12:
> (with DISCUSS and COMMENT)
> 
> 
> 
> > On Oct 7, 2020, at 1:52 PM, Roman Danyliw <rdd@cert.org> wrote:
> >
> >
> > In that case (where no assumptions are made about the transport), it seems
> that only these scenarios from the list above apply:
> >
> > With an on-path attacker (and trusted server hosting the zone file)
> >
> > ** No DNSSEC  = integrity: NO; authenticity = NO
> > ** DNSSEC = integrity: YES; authenticity = YES
> >
> > With a rogue server hosting the zone file (but is not the operator of the zone)
> >
> > ** No DNSSEC = integrity: NO; authenticity = NO
> > ** DNSSEC = integrity: YES; authenticity = YES
> >
> > Or more succinctly, without DNSSEC, the two stated security properties aren't
> provided.
> >
> > I'm not sure of what the best way is to resolve this mismatch based on the
> use cases.  I can see (at least) two paths to resolution:
> >
> > (1) Specify that ZONEMD records MUST only be used with DNSSEC -- this will
> preserve the authenticity and integrity properties described in Section 1.1. and
> 6.  An additional step or two might be needed to the verification process in
> Section 4.  Does this impact the planned use cases or workflows?
> >
> > (2) Provide appropriate caveats that ZONEMD information may not mean
> what you think it means depending on whether DNSSEC is used.  This likely
> means: the motivational goal in Section 1.1 may need to be weakened; the
> analysis of alternatives in Section 1.2 won't make sense (for the non-DNSSEC
> case); and an appropriate applicability-like statement might also be necessary
> to describe how to use an insecure checksum.  Section 6 would needs
> additional language to capture the difference between the DNSSEC vs. non-
> DNSSEC deployment.  Editorially, clearer words like checksum might also help.
> 
> Thanks Roman, I see your point.  With the help of my coauthors we have made
> some edits that I think will address your concerns.
> Rather than try to include them all here, it will probably be easier to read the
> diff of the next revision that we hope to
> submit later today.  Alternatively I can give you a github pull request link
> showing the changes if that would be helpful.
> 
> DW