Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

Colm MacCárthaigh <> Wed, 02 April 2014 01:25 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 39A791A0056 for <>; Tue, 1 Apr 2014 18:25:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.677
X-Spam-Status: No, score=-1.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fZbJ_LxT-Qz4 for <>; Tue, 1 Apr 2014 18:25:16 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6E4591A0052 for <>; Tue, 1 Apr 2014 18:25:16 -0700 (PDT)
Received: by with SMTP id l6so11919466oag.25 for <>; Tue, 01 Apr 2014 18:25:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Csz4GhE2Fk8SarvxgP9xOY9fRcuXu1Y4zNHvf7lq3b4=; b=aBiD0efaNaXFiswPbNqNjWXRYTzyU8bt/fB7MDcOuL+Xm/EFyBcrbtv9UiJ3HphAO4 JJPdim/dFHWblMds0XhUbXWT8JeFyzQ6hZylEIgXhzxY6qGVKSzu8sKiUQ8FDcjQsncG VyUhbk1y0ml3qHdo80oH9d3sr75yO2cfS2yvChHJ/NW+4EGn2LJTSLANhnSSIPfZrnXL Q8n57TAdWT5IPa+2fUN/IEyPWtHw22mawNkZIrz4GLu/YKBiF7zvGI/mwpV2Y4nr5W9O 0QvRDsuBUMVqVHcs0Z74Vhg6hO5IqYwNXh+eLr1Bv8Frn47DbxQYYuwh4RST7Jt2zifk 58PQ==
X-Gm-Message-State: ALoCoQmFJ5ohDcX2HEQN8ChFEfIWGG4P9Q+4Hru9haY8aJLdihtghOB4bWRyea+SoE/uN/uUPUad
MIME-Version: 1.0
X-Received: by with SMTP id i5mr31282894oeo.17.1396401912678; Tue, 01 Apr 2014 18:25:12 -0700 (PDT)
Received: by with HTTP; Tue, 1 Apr 2014 18:25:12 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <>
Date: Tue, 1 Apr 2014 18:25:12 -0700
Message-ID: <>
From: =?ISO-8859-1?Q?Colm_MacC=E1rthaigh?= <>
To: Mark Andrews <>
Content-Type: multipart/alternative; boundary=001a11c300def88e1804f6052728
Cc: Nicholas Weaver <>, "" <>, Phillip Hallam-Baker <>, =?ISO-8859-1?Q?Matth=E4us_Wander?= <>, Bill Woodcock <>
Subject: Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Apr 2014 01:25:18 -0000

On Tue, Apr 1, 2014 at 5:31 PM, Mark Andrews <> wrote:

> > This too is going too far; of course they can, they can ask another
> > recursive resolver.
> Which also passes through bogus answers.  I will repeat stub resolvers
> can't recover from recursive servers that pass through bogus answers.

DNSSEC is a mitigation against spoofed responses, man-in-the-middle
interception-and-rewriting and cache compromises. These threats are
endpoint and path specific, so it's entirely possible that one of your
resolvers (or its path) has been compromised, but not others. If all of
your paths have been compromised, then there is no recovery; only
detection. But that is always true for DNSSEC.

> > Defaulting to CD=0 renders DNSSEC, essentially, pointless. Resolvers, and
> > the path between resolvers and stubs, are the easiest components in the
> > lookup chain to subvert.
> CD=0 tells the resolver to validate the answers it getsi if it is
> validating.  It has NOTHING to do with whether you are validating
> or not.  You have fallen for the myth that CD=1 indicates that you
> intend to validate and that CD=0 means that you are not validating.
> DO=1 is the ONLY bit REQUIRED to be set if you are validating.
> If DO=1 is set you should assume the client may be validating.
> Named assumes this when deciding if it will intentionally break
> DNSSEC validation down stream.

As you pointed out, if I set CD=1, I always expect a meaningful answer
containing signatures that I can validate. If I set CD=0, then an empty
SERVFAIL response is valid. If I get SERVFAIL, how do I validate that it's
a real error? Your suggestion is to regress to the CD=0 case and re-check
it (or maybe do your own recursion?). Why not just do CD=0 all along?

Now I agree that a resolver should always validate the signatures anyway,
and if I were writing a caching resolver, I'd never cache rrsets that fail
validation, even if the user has CD set to 1. But that's separate.

> > DNSSEC is quite capable to protecting that path.  Why do you need
> > > a second protocol.
> >
> > That statement is not consistent with setting CD=0 on that path.
> I sugges that you go re-read all the DNSSEC RFC's if you believe
> that because you are categorically WRONG.

Please stay civil, and also please don't assume that I haven't read the

If you set CD=0, you can't authenticate the failure case, empty SERVFAILs
can be spoofed or inserted towards the stub. And how do you disambiguate
between SERVFAILs that are validation errors and other server failures?
Without some kind of resolver redundancy (so recovering via retrying
another resolver) I don't see a way. Of course if all of your resolvers
return SERVFAIL, you're left in the same situation - but again, if every
path you have has been compromised, there is no escape.

But this can all be boiled down to;  As you've already written, you agree
that CD=1 is necessary in the failure case - it's the only hope of
authenticating the error. So why bother with CD=0 at all?