Re: [DNSOP] [Ext] Security Considerations Suggestion for draft-ietf-dnsop-rfc7816bis
"Hollenbeck, Scott" <shollenbeck@verisign.com> Wed, 01 April 2020 13:11 UTC
Return-Path: <shollenbeck@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C50013A0E95 for <dnsop@ietfa.amsl.com>; Wed, 1 Apr 2020 06:11:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YCmDL3NJNkIm for <dnsop@ietfa.amsl.com>; Wed, 1 Apr 2020 06:11:33 -0700 (PDT)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 570DA3A0EAB for <dnsop@ietf.org>; Wed, 1 Apr 2020 06:11:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=12764; q=dns/txt; s=VRSN; t=1585746692; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=aWbnaeYE3AK8cXQKGzkOmq2hSqEIDEAMrycZC/fbzq8=; b=oQ2wGawwP/Rc8U0J4z2KLkWSMHAneXLUg2aYOC1gya+QRlp7Twr+8o9+ 4wh3BbjmYThHI0gqe8JpEDthj/Cc7M/9mdxt9grtTPZH+yN2pFv6mephk HEu1GgUc2LNcmquklt12j8v7p3+mOdxg19JFouXMKbkU1I+pbGKG+kYJE jdIySYu8rz8qwkDGvEcultf6Fmz9rixXn8rNZHpKjsebTFeNxVaVP29yq ZC6kQ0Q2q5WXRgjEN2qrIQcM+Vtyw4IMypYuN+qsLx+i2Cqz4hcjch8s5 jHCqUNHhSfdm5GKxOSeVxBTmd1JgNzWyZxMnGeLu9Va97fFk7ZZoG+oKF w==;
IronPort-SDR: Xme1neFDGIxQYzk5kpjsDy6jr9b2HeEJlClzJnaDVG/w9GGc4+5Voz244owJOr3ViI/UVA9RN7 HILGIP2PrAoyYjdMiWvaoBJs+MmKY1M7SRX9zTC4ISXNEbxDQ4OLE7ZG1zq5hRkedywqYMg6Sa gnRnv17EdvMj0mVs7bv+bTRwQjOMSkj7zgeUmWOI0rgErsFDf8bJiGePojM7eeWrR3Uw20weJr 09b6uOWuD0eSLH/lV1QfI0ByKKiBmf5lHBobsDnHMh1rhaEzyFcP71csqUVCpsWd+iAqVW5SR9 nVI=
X-IronPort-AV: E=Sophos; i="5.72,331,1580792400"; d="p7s'?scan'208"; a="1001155"
IronPort-PHdr: 9a23:tp703xHuydI97MTO0Ink7J1GYnF86YWxBRYc798ds5kLTJ76p8yzbnLW6fgltlLVR4KTs6sC17OL9fi6EjJYqdbZ6TZeKcAKD0dEwewt3CUeQ+e9QXXhK/DrayFoVO9jb3RCu0+BDE5OBczlbEfTqHDhpRQbGxH4KBYnbr+tQt2agMu4zf299IPOaAtUmjW9falyLBKrpgnNq8Uam4RvJrsxxxfTvndEZetayGJ0KVmOmxrw+tq88IRs/ihNtP8t7dJMXbn/c68lUbFWETMqPnw668HsqRTNVxaE6GEGUmURnBpIAgzF4w//U5zsrCb0tfdz1TeDM8HuQr86RTqt76FwSB/1kygHLCI28HvWisNrkq1Wpg+qqgFlzI7VZIGVM+d+fr/YcNgHS2dNQtpdWipcCY6ncYABE/QOMvpZr4nlplsBsx2+BRW3BOjyzjNEn2L60bEm3+gkFwzNwQ4uEM8UsHnMrNv7KrocUfy7wqfLwzXMbfJW1ivy54XTfRAtvfOMUKpsfcbN10UiER7OgFWKqYziOjOYzuoBvWqc7+pkUeKglWgnpBpvrTezxccgkpTCiJ8JxVDD6SV53Ig5LsC/RU5gYd6kF59QtyWEOItwWcwtXX1nuCUhx70Yp5G7ZikKyI8mxx7QbfyLaZSH4hXmVOuIJzpzmXFreKqnihqv7USs0PDwW8u63VpQsyZIktfBumoC2hHX8sSLV+dx8l281TuNywzf8PxILE83mKbBNpIswaY8lpQNvknAAiP7nUD7ga2KeUk44Oel7vnrban6qZKZN4J7lx/xMqorl8G7HOs3LxYBUm6G8uqmzrLj51f2QLBSg/0zlanWrY7VKNwApq68Hw9VyoEj6wujDzu+0NQXg30HLFVddR+ak4bnI0zCL/DgA/mwglugjClny+rYPrL9BZXNNGDDnK37crlg8UJc1hAzzctZ555OFr4BJ/fzVlfwtNzeEBA5LxS5z/v7BNlny48TW2yCDrWEPK7Sv1KE/O0iLu2UaI8Qojn9Kvwl5/D0jX8+nF8QZbKp3ZsQaHC8GvRpPUOZbmHyjdgdEmcHpRQ+Q/LwiF2DSj5TZnmyX6Qm6j4nD4KmCJ/PRpqxj7yZwCe7AppWa3heCl+WDHfoc5+IW/cLaCKcLM9hlyYLVb66Ro8gyR6hrgn6y7x9IurT4C0Yuorp1MJp6O3LiREy6Tt0AtyA3GGLVGF0mXsISiQ33K9hvUx9xE2P0a9ig/xXRpRv4KZxWxo+fb7bweJ/Ata6DhrIY9PPSFGoTNCvBxkwRds3xZkJeUkrSPu4iRWWlQqtB7sYkbaGD59wupnX2GTtbY4p0HbB0K0siVMrSchnK2C8h7V++A6VDInMxRbK3522fLgRiXaevFyIynCD6QQBCFZ9
X-IPAS-Result: A2FEAACykoRe/zGZrQpmGgEBAQEBAQEBAQMBAQEBEQEBAQICAQEBAYF7g0CBBgqVJJtGAwcBAQEBAQEBAQEDBAEvBAEBhEQCglw4EwIDAQELAQEBBQEBAQEBBQMBAQEChkuCOykBg2ABAQEBAw5XFAwEAgEIEQQBAQEuAjAdCAEBBA4FCAYGBYMOgX5vrU2CJ4VLhHgQgTiBU4k/gTmBQj6BEYJmLj6CZwSBSy+FWQSNdokkcYFFliZ3AweCPYN3gj+QWSWbbqsgAgQCBAUCFYFpgXtwUIJsUBgNjikXFY4QdAKNezFfAQE
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Wed, 1 Apr 2020 09:11:00 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde]) by BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde%4]) with mapi id 15.01.1913.005; Wed, 1 Apr 2020 09:11:00 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: Paul Hoffman <paul.hoffman@icann.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [Ext] [DNSOP] Security Considerations Suggestion for draft-ietf-dnsop-rfc7816bis
Thread-Index: AdYHX/gsc8iq0mP+SZ6sVAg3JqLxBQAR9u6AAB87w+A=
Date: Wed, 01 Apr 2020 13:11:00 +0000
Message-ID: <84b8345761994f059f1a98e788ea775b@verisign.com>
References: <51d9f36f70b84586a347a64088d7da4e@verisign.com> <67714498-6868-435D-941C-6E54E1DBEA2F@icann.org>
In-Reply-To: <67714498-6868-435D-941C-6E54E1DBEA2F@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; micalg="2.16.840.1.101.3.4.2.1"; protocol="application/x-pkcs7-signature"; boundary="----=_NextPart_000_0032_01D60805.78E48830"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/I2K2c25Qr6sh_sa3owl5HtYjW98>
Subject: Re: [DNSOP] [Ext] Security Considerations Suggestion for draft-ietf-dnsop-rfc7816bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2020 13:11:36 -0000
> -----Original Message----- > From: Paul Hoffman <paul.hoffman@icann.org> > Sent: Tuesday, March 31, 2020 11:01 AM > To: Hollenbeck, Scott <shollenbeck@verisign.com> > Cc: dnsop@ietf.org > Subject: [EXTERNAL] Re: [Ext] [DNSOP] Security Considerations Suggestion > for draft-ietf-dnsop-rfc7816bis > > On Mar 31, 2020, at 6:34 AM, Hollenbeck, Scott > <shollenbeck=40verisign.com@dmarc.ietf.org> wrote: > > > > I originally sent this to the list last July. Olafur provided some feedback > (which has been incorporated into the text suggested below), but it seems > to have slipped past the document editors. Trying again since the document > has been revived after it recently expired... > > > > I've recently been reading draft-ietf-dnsop-rfc7816bis and I'd like to > propose some additional text for the Security Considerations section in the > spirit of this sentence from the abstract: > > > > "Future versions of this draft will contain descriptions of different > minimisation implementation choices that have been made since the RFC > 7816 first came out, as well as deployment experience." > > > > QNAME minimization has the consequence of reduction in the amount of > information seen by authoritative name server operators. Active > consideration of that consequence is worth capturing as a factor to be > weighed when making the choice to implement QNAME minimization. Here's > suggested text: > > > > "In addition to the performance considerations described in Section 4, > there's also a security consideration associated with the reduction of data > sent to parental name servers: they lose some of their ability to assess > security threats. This ability has proven to be useful in, for example, studies > of name collision vulnerabilities. It was also instrumental in the research that > led to the discovery of the JASBUG vulnerability. The reduction will also have > an impact on the level of detail available for research studies such as DNS- > OARC's annual Day in the Life of the Internet (DITL) data collection exercise. > > > > For this reason, operators should consider the potential impact on threat > analysis and research when reducing the level of detail included in queries to > parental name servers. Without such consideration, a collection of individual > decisions to reduce query information, over time, may well have the > unintended consequence of "deciding" to no longer support threat analysis > and research that the operational DNS community has historically relied on. > Alternative mechanisms for facilitating threat analysis and research are > beyond the scope of this document." > > Sorry for missing that message last year. I remember it now, and I strongly > disagree with the wording you propose. > > (Disclaimer: ICANN uses the data we see at the root server we operate for > security analysis, as does Verisign.) > > Privacy-reducing exposure of data almost always can be supported as > allowing better monitoring for security. That's always the balance. The folks > who run root servers who use the data coming to them for security analysis > will naturally want more data. The folks sending queries to the root servers > who want more privacy will naturally want to send less data. > > It is appropriate to mention this tension in the Security Considerations > section. However, because the default is already "send full queries > upstream", the current text seems sufficient to alert the reader of the > privacy benefits. > > Said a different way, if the wording above is needed for this document, it is > needed for every document that adds encryption or reduces query traffic; > the IETF has not done that much in the past. OK, point taken. The Security Considerations section describes the balance between privacy benefits and performance. It would also be worth explicitly noting that the loss of data is a forensic analysis detriment, but with no one else expressing any concern I won't belabor the point. Section 8 contains some text describing research results. Would be helpful to include observations from an authoritative server operator? If so, I'll see what I can come up with. Scott
- [DNSOP] Security Considerations Suggestion for dr… Hollenbeck, Scott
- Re: [DNSOP] [Ext] Security Considerations Suggest… Paul Hoffman
- Re: [DNSOP] [Ext] Security Considerations Suggest… Hollenbeck, Scott