IETF Logo Mail Archive

Re: [DNSOP] New version of draft-ietf-dnsop-resolver-priming

神明達哉 <jinmei@wide.ad.jp> Fri, 15 January 2016 18:03 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A90681B3098 for <dnsop@ietfa.amsl.com>; Fri, 15 Jan 2016 10:03:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XADYtRThyYIg for <dnsop@ietfa.amsl.com>; Fri, 15 Jan 2016 10:03:03 -0800 (PST)
Received: from mail-io0-x229.google.com (mail-io0-x229.google.com [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 145701B3097 for <dnsop@ietf.org>; Fri, 15 Jan 2016 10:03:03 -0800 (PST)
Received: by mail-io0-x229.google.com with SMTP id 77so462933834ioc.2 for <dnsop@ietf.org>; Fri, 15 Jan 2016 10:03:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=JC5lofJg5vLYq7FzG3nBg/OKpLvlqq7B34KCDSwfvGM=; b=TOEONsDTfmBxVfmY4Zq/OJ12CwYTFw+NkIaqea9cRhfTFTbP2i03jWEL3LaJENluY+ Oam3SOp75jUPnhPHn6lstlb34r81P69VOHfEkt8RgkvCAay2oCKORavq7FKVYM5jpFbF Cf7b2mKyfKCXSglYsv5tD3CGNkZJoBf99pp7eQTX9lrQG3WFqp+aPfyrMcsr5YOf4t8m G6gDvDfPA6P7JLOKrrwzL5zjP1HOuc5sx1LQG7cMU/fhavGkMXwXRvOmMaUQPLmY8tb3 BJSmmV7eAa5dBzY8zQp2s3rb4zb4lm5W+WWflYwyWZ6bPBiV558at50anYg+jful3r4r KREg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=JC5lofJg5vLYq7FzG3nBg/OKpLvlqq7B34KCDSwfvGM=; b=imr5LdeMQiKEd0dz2dibJL7TsM9235+z/GwbtoW3Pll/z8qUFoVlr3aHSG40hfO7WQ 48B4eBFGjqwQfef/bgeVszlzuJmK9FemAyG+Vl6yYJcRhSCW6nZkPXk0Bx5DxF99FF3S PjJWE+2l0Vt1SaaVOsmwL+FH1gNJG7uRycJBgZienLSbV23ivRcvPK/KiRDmBGpqgqnr G867ms+j/McunzACwRJ8YiVt+THPDi5oRxZ+HHBvITRf0M5EeWMPYKYe+noLyvwDYTir 5bW1S+aIiGPXaFgvz605TpN9ybLRb20FzRNbmD1RiiWsi0PcjL04tJsFsYQXgzvpKWwg Tc+A==
X-Gm-Message-State: ALoCoQlRvx71vo0+eewv7uzYr+s3Q5dUDITktu0jggRkoP1FE8Eovbhh747qhx3bvl3blhmZoF/yEWh2VOp4SVAxU9hgKGalYA==
MIME-Version: 1.0
X-Received: by 10.107.198.83 with SMTP id w80mr10974455iof.178.1452880982426; Fri, 15 Jan 2016 10:03:02 -0800 (PST)
Sender: jinmei.tatuya@gmail.com
Received: by 10.107.129.80 with HTTP; Fri, 15 Jan 2016 10:03:02 -0800 (PST)
In-Reply-To: <4DC64D5D-CCCD-4A07-A285-C9E16773F56C@vpnc.org>
References: <E19574D8-7460-4910-B65F-5355DFCA7313@vpnc.org> <CAJE_bqfWFGfjmXwEhXNfEsE_crH6e51Y1HrYrCD4AnWHwMVSiQ@mail.gmail.com> <4DC64D5D-CCCD-4A07-A285-C9E16773F56C@vpnc.org>
Date: Fri, 15 Jan 2016 10:03:02 -0800
X-Google-Sender-Auth: mh-xqONsrzPsFh26fOynyp4IXyw
Message-ID: <CAJE_bqdN-dn8VHmQo-iVOo40Z40=8SeK-3CvFKT7jTr-qJ4LOA@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/L35B5_hcrxIXTEVe-7Qrs5QxUBs>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] New version of draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jan 2016 18:03:08 -0000

At Thu, 14 Jan 2016 17:29:04 -0800,
"Paul Hoffman" <paul.hoffman@vpnc.org> wrote:

> > Here are my comments on the 06 version:
> >
> > - Section 3.1
> >
> >  [...]  This would be when the resolver starts with an empty cache,
> >  and when one or more of the NS records for the root servers has
> >  expired.
> >
> > This seems to talk about a recursive server behavior that allows a
> > subset of an RRset to expire.  Is that the intent?  Is there any
> > reason why we can't simply say "...and when the NS RRSet for the
> > root zone has expired."?
>
> Good catch. The RRset will expire at the same time.
>
> > (btw I think 'root zone' is better
> > than 'root servers' here).
>
> This is not the expiration on the whole root zone, only on the NS
> records. The expiration of the root zone itself comes from the SOA,
> which has a different value than the TTLs on the NS RRset. That is, in
> the current root, the expiration in the SOA is 604800 but the TTLs on
> the NS records are 518400.

I'm afraid we are talking about the different things (perhaps partly
my bad, I mixed two different issues).  What I tried to say is this:

The current draft test is:

   [...]  This would be when the resolver starts with an empty cache,
   and when one or more of the NS records for the root servers has
   expired.

After fixing the RRSet-based TTL on which we seem to agree, it would
be:

   [...]  This would be when the resolver starts with an empty cache,
   and when the NS RRSet for the root servers has expired.

My incremental different suggestion was to revise it further:

   [...]  This would be when the resolver starts with an empty cache,
   and when the NS RRSet for the root zone has expired.

Is it clear enough now, or did you mean this last text has an issue
(like as if it talked about zone expiration)?

> > - Section 3.3
> >
> >  [...]  At the time this
> >  document is being published, there is little use to performing DNSSEC
> >  validation on the priming query because the "root-servers.net" zone
> >  is not signed, and so a man-in-the-middle attack on the priming query
> >  can result in malicious data in the responses.
[...]
> The first bullet point is not necessary for your argument. Would the
> following be better than the quoted sentence?
>
> At the time this document is being published, there is little use to
> performing
> DNSSEC validation on the priming query. This is because being able to
> validate
> the NS records is not sufficient for having authenticated addresses for
> the root
> servers: having validated A and AAAA RRsets for each root server is also
> needed.
> Without those validated A and AAA RRsets, a man-in-the-middle attack on
> the
> priming query can result in malicious data in the responses

Looks good to me (I'd say "A and AAAA RRsets for each root server
*name*" though).

> > - Section 4.1
> >
> >  answer section) and an Additional section with A and/or AAAA RRSets
> >  for the root name servers pointed at by the NS RRSet.
> >
> > Similar to the previous point, it seems to be based on some implicit
> > assumptions including:
> > - all root servers are authoritative for the root-servers.net zone
> > - all these servers populate the additional section from a different
> >   zone they are authoritative for than that for the query name ("."
> >   in this case)
> > - none of the root server implementations use the
> >   "minimal-responses" (or equivalent) option
> >
> > I think these should be clearly stated.
>
> Those implicit assumptions are not needed for the current text. RFCs
> 1034 and 1035 and 2181 do not restrict what can be put in the Additional
> section to only being things for which the server is authoritative.

Right, but there's no requirement what to be put in the additional
section, so this "expected property" relies on a particular
implementation behavior (rather than something we can expect from any
"protocol-compliant" implementation).  That's fine to me, but I
thought it should be clearly stated.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email