IETF Logo Mail Archive

Re: [DNSOP] signalling mandatory DNSSEC in the parent zone

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 02 March 2021 17:45 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17C3C3A07FC for <dnsop@ietfa.amsl.com>; Tue, 2 Mar 2021 09:45:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZRiVn92iPite for <dnsop@ietfa.amsl.com>; Tue, 2 Mar 2021 09:45:23 -0800 (PST)
Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C91F3A07DD for <dnsop@ietf.org>; Tue, 2 Mar 2021 09:45:02 -0800 (PST)
Received: by mail-oi1-x231.google.com with SMTP id l64so22807087oig.9 for <dnsop@ietf.org>; Tue, 02 Mar 2021 09:45:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Xd/zY+L2U47HbMZ5iVrA2T5PAYigBRQNBlRzm2e1fgE=; b=huBjwO4WCq1/30R0bVwRVgPraY9hsWbaIPrjHVeXhQOI73V/W/L3BGao3VDCrMjyVc sjf0Mbp2DiMxCbc7aKNPrGTByAifnoBrLTbUcN7UqH16mqLABIsNUYtubZGX0M/mpnnj YEEVyRYKx3rswcytxmB2onF+C/ytCLjQeGA6P2rsUq6y5HAcoO9a3mdc4161tob+kari qJbjm2n0jxxM6u/fUgWA5FoKzxDm3PlqmgnQmVEtCIaiBtfujDFDSJK/NhL+ymDjYuz7 ssdg3L364LVgasjiTLlFYDEFqLCa8z76KwPL86hgq/qo4V7LZHm/bSuHjTP7yF/kpVfk WJTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Xd/zY+L2U47HbMZ5iVrA2T5PAYigBRQNBlRzm2e1fgE=; b=atJGaA7tJvlMvR1YIzeqIFKaTGHHv0q3GmgJztR1Imy5TUKKs3hD6a4zWG0RpI7erG ju5XCY/GZLKMnuyeXBWchLOdPpbjHUFGLP9OT0PUwCwXOasx3sEFRA5owa6SA/MR8HBh JCFJ8ZK6C3Ah+05FRoC7E5NTVRasyxAbY7rwEoxUMIYewBz7rF/nFfdrqzfs0IBqYEil mu5JfHyOERHHx9KuSOgysOB9AaUf2dZZnl0ZSKWuIsvPi+7ZxEb1Xw6Mv6scbL2tfOEE VMcL1uQepV51HriwXwdpbAycEM18cmU2s/L23bAKaoXYtLOWQryiyHv3sVV1dX7EvPrX pA7Q==
X-Gm-Message-State: AOAM530FHMgwyyZwVBjs6YUNVS4dALBak7IE4Zm7deyDaI97Q2webL1t jwZWgLxFcgDNPLia0ekWsVc9kKU1lI8L60sDRN4=
X-Google-Smtp-Source: ABdhPJziUU43/g4Ff+11LHq6N+kaLQw9ADUIQsHn1+OKfNzjuwEDhoOsu5fHeCay9+mtZjnqqGPeQUchxmYTtVWw/qc=
X-Received: by 2002:aca:5fd4:: with SMTP id t203mr4017632oib.121.1614707100779; Tue, 02 Mar 2021 09:45:00 -0800 (PST)
MIME-Version: 1.0
References: <20210301.205459.413147497474184552.he@uninett.no> <DE24E067-C0D3-4E26-B7FB-EF8311AE5E0A@isc.org> <5D1D786F-216A-4AD3-840E-CAFE5CA49B6C@wisser.se> <4577DCF6-9D72-4D46-90DD-F289F112E639@isc.org> <0FD37A06-9DD4-46EB-BBB9-C480155CC9F1@wisser.se> <430E9927-D129-4872-BC1D-BF1F8E924B63@isc.org> <CAH1iCirdEXZUsXRvr+623vk5v10WevmYjRsY_inJPd_j2P+Atg@mail.gmail.com>
In-Reply-To: <CAH1iCirdEXZUsXRvr+623vk5v10WevmYjRsY_inJPd_j2P+Atg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 02 Mar 2021 09:44:49 -0800
Message-ID: <CAH1iCipjjwnMEcYbLCdrriCjFapkAg-WM+-qm0BD2vkcGbO0QA@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: Ulrich Wisser <ulrich@wisser.se>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000028b86c05bc914b37"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/MYjEKYLdUfEmvtRc7GzLCONSDlY>
Subject: Re: [DNSOP] signalling mandatory DNSSEC in the parent zone
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 17:45:26 -0000

Okay, it's a "top reply to myself" kind of day...

I think the work on cooperative cross signing being done by Shumon will be
necessary to solve this problem.
The TL;DR: is, it is tricky
I think the following captures the requirements:

For the period of time where cached entries signed by the previous ZSK
might exist, starting with when the delegation NS is changed to point at
the new provider:

   - The DNSKEY set would need to contain both ZSKs and both KSKs,
   - The DNSKEY set would need to be signed by both KSKs
   - Both DS records would be necessary.
   - The new version of the zone would need to be served with both sets of
   signatures (that's going to be challenging)

Only then can the old DS record be removed, at which point the Algorithm 8
validator will consider the zone to be insecure, without going bogus.

Ick.

Brian

On Tue, Mar 2, 2021 at 9:25 AM Brian Dickson <brian.peter.dickson@gmail.com>
wrote:

>
>
> On Tue, Mar 2, 2021 at 4:47 AM Mark Andrews <marka@isc.org> wrote:
>
>>
>> > On 2 Mar 2021, at 23:06, Ulrich Wisser <ulrich@wisser.se> wrote:
>> >
>> >
>> >
>> >> On 2 Mar 2021, at 12:55, Mark Andrews <marka@isc.org> wrote:
>> >>
>> >>
>> >>
>> >>> On 2 Mar 2021, at 22:52, Ulrich Wisser <ulrich@wisser.se> wrote:
>> >>>
>> >>> @Håvard No, that isn’t sufficient. A resolver could have the old
>> DNSKEY set in cache but get signatures from the new servers. This can be
>> solved by cross signing the ZSK -> put the ZSK of the other provider in the
>> respective DNSKEY set, no need to exchange private keys, only the DNSKEY
>> records. Then you will always have a validation path.
>> >>>
>> >>> @Mark, that is exactly what I am talking about, a forced algorithm
>> change can only work, when both operators cooperate and if we insist on
>> lax-validation. We need both!
>> >>
>> >> It doesn’t even work then as there the signatures of the non DNSKEY
>> records are of the wrong algorithm.
>> >
>> > Why would the signatures of the non DNSKEY RRset need to be of the same
>> algorithm as the KSK?
>> > Lax-validation says that “any validation path” should be accepted.
>> >
>> > example.com. DS 123 8 2 xxx
>> >
>> > example.com. DNSKEY 257 3 8 xxx
>> > Example.com. DNSKEY 256 3 8 yyy
>> > example.com. DNSKEY 256 3 13 zzz
>> > example.com. RRSIG DNSKEY 8 …
>> >
>> > www.example.com. TXT “example”
>> > www.example.com. RRSIG TXT 13 …
>> >
>> > In my eyes there is a clear validation path to the www rr.
>>
>> It leads to bogus in a server that *only* support algorithm 8 because
>> THERE IS NOT AN RRSIG OF WITH ALGORITHM 8
>>
>
> Rather than argue about this example (which may be incomplete and/or
> erroneous), let's try to "fix" the example, and clarify which algorithm is
> new, and which algorithm is old, including what is on each of the two
> servers in terms signatures and keys?
>
> (Clearly this cannot be valid to be on one server, given the DS and
> RRSIG(TXT) are not the same algorithm).
>
> I think the requirement for considering the addition, is the inclusion of
> both ZSKs in both instances of the zone, AND the publication of both DS
> records in the parent.
>
> If this happens well in advance of the change of NS record in the parent,
> what else needs to happen?
> And how is this handled by validators that handle algorithm 8 but not
> algorithm 13?
>
> If the example is expanded and corrected, I believe the answer should be,
> the algorithm 13 only zone is either insecure, or bogus, depending on the
> absence or presence of the algorithm 8 DS.
>
> I don't see a clean way to avoid a race condition between the NS records
> in the parent, and the DS records in the parent, given caching.
>
> This is likely why Joe Abley was suggesting going insecure for a brief
> period is the only way to avoid anyone getting "bogus" as a validation
> state.
>
> Algorithm 8 would go insecure permanently, while Algorithm 13 would go
> insecure for a brief period then go secure again.
>
> Perhaps the brief bogus for Algorithm 8 is acceptable, in which case the
> decision is really one to be made by the zone owner.
>
> Brian
>

v2.23.0 | Report a Bug | By Email