[DNSOP] comments on draft-pwouters-powerbind-01
神明達哉 <jinmei@wide.ad.jp> Thu, 12 July 2018 19:36 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CE11130F63 for <dnsop@ietfa.amsl.com>; Thu, 12 Jul 2018 12:36:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.422
X-Spam-Level:
X-Spam-Status: No, score=-0.422 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mRCGiYtA1Des for <dnsop@ietfa.amsl.com>; Thu, 12 Jul 2018 12:36:39 -0700 (PDT)
Received: from mail-lj1-f177.google.com (mail-lj1-f177.google.com [209.85.208.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A540A130EF9 for <dnsop@ietf.org>; Thu, 12 Jul 2018 12:36:38 -0700 (PDT)
Received: by mail-lj1-f177.google.com with SMTP id v9-v6so12521576ljk.4 for <dnsop@ietf.org>; Thu, 12 Jul 2018 12:36:38 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=peJtDj9zDfNJAw5HNTfobyBhOofUD/z0BKcQ56XFrs4=; b=tKNGgPzFPvlupNh6PLQdO2ilIKJ0nQRQbBNqijWer4vP1tNf3g+YkPCni8nUIm6Gz/ S9zmW8IqBxgeCcnLW9FjALKHUiRgq5XYWVlGqwNxOYLFNvGieKFXswoOJXlngFywLraT l8cxozrORgLav8JjuWB0nwjCqcpS5dkPklsFH67mxRQm7TePlWDFTeA+7gx9qeEdxM/c cuipCRCGT/coZ2vJivJ5JyH5L2ZS1LnD9ojzd7JmOjMX3b8qRB5sKp5zaTevSDF9+hph U0tgm0EVyqLd8c/0uGkmLOijfpcrWTTCaIaz2ebwHjKihQ7LI/93OjN6LK5SX9jcvs4l FXVw==
X-Gm-Message-State: AOUpUlH4MfLZbAnBGc0YBbpCbG5MY/nvCSN/H1xGOlX8CW975paPEIQj SRmazVQdHNZASQTxDsHoWmJ+mKdaUTrwgFXynfToVcIu
X-Google-Smtp-Source: AAOMgpdN1cOgInoLfjtVwvNKWWJTdFGiuNnmMEEoxjTVGJFPEIKkhrMZ+n72WscN9cIQhNqm6XqHVnrIlz/YGo8Arv8=
X-Received: by 2002:a2e:4951:: with SMTP id b17-v6mr1356571ljd.67.1531424196584; Thu, 12 Jul 2018 12:36:36 -0700 (PDT)
MIME-Version: 1.0
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Thu, 12 Jul 2018 12:36:25 -0700
Message-ID: <CAJE_bqccJL65kOHKrGcVBYVGCv9qnRaPqvXeXARNS3q4SxoJdA@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KnQ4eFmoH6QPM3Ru-AKpTtlvOrI>
Subject: [DNSOP] comments on draft-pwouters-powerbind-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 19:36:41 -0000
I don't have a strong reason for opposing the proposal, but, frankly, the need for this wasn't clear to me just by reading the draft. I see the potential problems with evil parents, but the draft didn't convince me that it's an important and critical enough to justify a new protocol extension (which made me recall the camel discussion), not least because if the parent is malicious in the DNS then all bets are off already. If there's actually a consensus that this is an important problem to solve, I wouldn't challenge that. But it would help newer/future readers if this doc explains the need more specifically and in more detail. It's also not clear how effective this is against the evil parent tweaking the delegation (changing NS, e.g). The draft seems to try to address this point in a few places: [...] However, both of these actions cannot be hidden, thus exposing such malicious behavior when combined with public transparency logs. [...] Replacing the NS and DS records of a child zone can still be done in a targetted attack mode, but these events are something that can be easilly tracked by a transparency infrastructure similar to what is now in use for the WebPKI using [RFC6962](bis). but I was not sure why we can't also do this for the "deep link state" problem (replacing a delegation with a parent's authoritative record). That's probably because I don't know much about the tracking "by a transparency infrastructure". In that case it might help if it explains it in more detail. I have a few more specific comments: - I'd suggest making the requirement to validator implementations more explicitly: [...] if any such signed data is encountered by validating resolvers, that this data should be interpreted as BOGUS. Probably in a separate section like "Validator Behavior" rather than in Introduction, and maybe with an RFC2119 keyword. - Section 3 [...] For example, the DNSSEC root key could ignore the NS records for ".org" and "example.org" and could place a record "www.example.org" directly into its own zone, with a "the DNSSEC root key could ignore..." doesn't make much sense to me. Does this perhaps mean "the root zone could ignore..."? - Section 4 hierarchy. This commits a parent in the DNS hierarchy to only sign NS and DS records (i.e. all non-glue, delegation records) for its child zones. Should this be "NSEC(3) and DS records"? -- JINMEI, Tatuya