[DNSOP] Re: Secdir early review of draft-ietf-dnsop-compact-denial-of-existence-04

Michael Sinatra <michael@brokendns.net> Wed, 31 July 2024 00:58 UTC

Return-Path: <michael@brokendns.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2404C14F685 for <dnsop@ietfa.amsl.com>; Tue, 30 Jul 2024 17:58:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brokendns.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fl8NzowWBrXe for <dnsop@ietfa.amsl.com>; Tue, 30 Jul 2024 17:58:16 -0700 (PDT)
Received: from burnttofu.net (burnttofu.net [IPv6:2607:fc50:1:9d00::9977]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADD25C14F5E5 for <dnsop@ietf.org>; Tue, 30 Jul 2024 17:58:16 -0700 (PDT)
Received: from elwha.brokendns.net (elwha.brokendns.net [206.125.172.202]) by burnttofu.net (8.18.1/8.18.1) with ESMTPS id 46V0wCng034756 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Tue, 30 Jul 2024 20:58:13 -0400 (EDT) (envelope-from michael@brokendns.net)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brokendns.net; s=bt; t=1722387493; bh=x6Kr403LWC4RI4+6lAabOfMoiP3vA8Aef1E2MycfQL0=; h=Date:Subject:To:References:From:In-Reply-To; b=EngLBVXCvEI4kgig9frBmnEJ/nAYcnU3wX88zP5GlikJjteGldnoJxa0eYROpefMs yP502wcE9aiQ6QmIbf7kVucEKj15IfychRKIJw+dpHGkqiV+i4JCaF2pTUR166r2wg KXYw5cvu3oN4kxaTbjUzNBlTbP8O9G8LDchmmz7DW9htabJ5Oabdrwznd7T06AxWXu AKDfOSCsivEuqWk4ACxHieNSLkytT3mbPi/EsNoEv7IFqAglYLBkthn4SqHWsTKiKW b3/BV3hZdjC8jO0A4xZPnl5JXYeBq0fPZ0wsg9m142DkrB0qytz5yoCtqrnaE8/YjK y/ZtyDe0HxR4Q==
Received: from [IPV6:2604:5500:c2ce:f700:701f:be28:9b88:64ad] (unknown [IPv6:2604:5500:c2ce:f700:701f:be28:9b88:64ad]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by elwha.brokendns.net (5.65c/IDA-1.4.4/5.63) with ESMTPSA id 91B6F7262; Tue, 30 Jul 2024 17:58:11 -0700 (PDT)
Message-ID: <d62f53f0-fe73-4e35-84cb-ddda704a73eb@brokendns.net>
Date: Tue, 30 Jul 2024 17:57:37 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: dnsop@ietf.org, bew.stds@gmail.com
References: <172238346320.1988233.11549951810315868557@dt-datatracker-659f84ff76-9wqgv>
Content-Language: en-US
From: Michael Sinatra <michael@brokendns.net>
In-Reply-To: <172238346320.1988233.11549951810315868557@dt-datatracker-659f84ff76-9wqgv>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 5HOBSD4YP5B3SFHODBOETX5SU4H5TY4O
X-Message-ID-Hash: 5HOBSD4YP5B3SFHODBOETX5SU4H5TY4O
X-MailFrom: michael@brokendns.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Secdir early review of draft-ietf-dnsop-compact-denial-of-existence-04
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JhYJaxcVVJk1m1H2-8wa47dXOX8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

I have also added a nit (as an Issue) to the github repo for this doc, 
as I'd like the authors consider explicitly stating that the inability 
for resolvers to synthesize NXDOMAIN responses for zones using this CDoE 
mechanism can make certain DOS attacks (e.g. Water Torture) more 
effective than with plain NSEC.

https://github.com/shuque/id-dnssec-compact-lies/issues/6

I realize that a close read of Section 5 of the draft makes it clear 
that RFC 8198 aggressive ncaching won't work, but it might be useful to 
also call that out as a security consideration (i.e. the effectiveness 
of Water Torture relies on the *lack* of negative caching).  Happy to 
discuss further if the authors desire.

michael

On 7/30/24 4:51 PM, Brian Weis via Datatracker wrote:
> Reviewer: Brian Weis
> Review result: Has Nits
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> The summary of the review is Has Nits.
> 
> This document adds a “Compact Denial of Existence in DNSSEC” method
> to a couple of existing “denial of existence” methods using DNSSEC
> (i.e., NSEC and NSEC3).  Denial of Existence means “proving that a
> DNS name or record type does not exist”. It does this by returning
> a dynamically signed DNS response with this information.  A new RR
> type (NXNAME) is defined in the document, which is returned by a
> server with the “denial of existence” declaration.  This method is
> said to be smaller in size and requires less cryptographic computing
> than the previous methods, including when those methods dynamically
> sign updates.
> 
> With the caveat that I am not very familiar with DNS protocols,
> this document seems to have generally considered the security
> ramifications of the method. The risks of on-line signing of DNS
> records are covered. Additionally, the document states that this
> method “prevents adversaries from enumerating the entire contents
> of DNS zones by walking NSEC chains”.
> 
> Security Considerations also mentions that some security tools rely
> on particular return codes to detect non-existent domain names, and
> their current method may be impacted by this change. This is
> unfortunate, but I suspect that there was no clean way to accommodate
> those semantics in this design. It is noted that if security tools
> support this new method that they will be relying on signed data
> rather than the unsigned header to obtain the same information.
> Also, the document describes an optional header flag which a resolver
> that returns a different status. This seems to be intended to aid
> security tools, but perhaps if they’ve updated their tool to send
> a new header flag they would also be able to update it to accept
> the main method described in this document.  Is theres another
> practical reason for this optional feature? Or are the semantics
> of a resolver understanding both the old and new main methods just
> complicated and this makes it easier for them?
> 
> I’m a little confused by this statement in Section 4 (Response Code
> Restoration): “For non-existent names, implementations should try
> wherever possible, to preserve the response code value of 3 (NXDOMAIN).
> This is generally possible for non-DNSSEC enabled queries,
> namely those which do not set the DNSSEC_OK EDNS flag (DO bit).” I
> believe this is describing a case where the response does not include
> DNSSEC. Based on the name of the document that it was concerned
> only with a DNSSEC response, so it’s not clear to me why this
> suggestion needs to be made.
> 
> One general suggestion is that it might be helpful for the RFC Editor
> if there was an explicit note somewhere warning them that Section 6.2
> contains an (RFC TBD) self-reference that they’ll need to resolve.
> 
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org