Re: [DNSOP] Empty Non-Terminal sentinel for Black Lies
Shumon Huque <shuque@gmail.com> Wed, 28 July 2021 11:30 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AB683A09C3 for <dnsop@ietfa.amsl.com>; Wed, 28 Jul 2021 04:30:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wiFCfnJbaE5v for <dnsop@ietfa.amsl.com>; Wed, 28 Jul 2021 04:30:16 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 131F33A09B8 for <dnsop@ietf.org>; Wed, 28 Jul 2021 04:30:15 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id j2so2669271edp.11 for <dnsop@ietf.org>; Wed, 28 Jul 2021 04:30:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jxp22Ntzsd3xK3EkJTwaCEzTXvovpYIgrDhJhQhoOus=; b=svy+22nTf/lY2Pps1vep1+K2mO1Aja7lNf1Ic9kwyS6Bey7sL9wEI3XAKaPVpW362I Soyop55kOuCmrn/TFvy9qKgOfLeiqu2DvB9upSIbQgjMUxKdLRy+maW+zjk78Kcp6Q33 IJtBruu917H2JpoxoadeeEyksLvL+u1Ri+vidNVqcUhkm/QAz4IWEB0HF9UezuORknjh EY1ef/LN4wTq6I7pHm+VaIK+fVIlnR46/Y3KXLGcseKVbad353QTdStkBOmDWhQt8Rq6 tEOf57Rw+I5Zm4W6SqFGny/PPYhTN7Z7OHH/XUKMirJtJyxShPXVq7c6qutsP9eebdnJ y1Wg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jxp22Ntzsd3xK3EkJTwaCEzTXvovpYIgrDhJhQhoOus=; b=Y0a8uLdHxqb2EteN1p25xw3LEfq6su944T60llM0XS517ixhV4TGqRLGrs0j6gHmzV xn/ZV3Nx1fG6hp0KvKCS6fLrAt4z4hfioVeLkLVNLK+BRMgbEfHXBDx8mLJMLpjY9wdx vhc3scov9tbDl1XVvC82mChunvgA2Bl/wKFx5jihx38zEqSZ5sVfLikxObrxHf4UH0ty LcurhHEfaaY2fefi+AggOaiY3IeGz3l/pvAQJfJxOZFkSl3pJxnYI/t1NcBRcg+jOaSw Ae9KeOeOrQgXu/apVSZh6qCq4sJ0pT0KtU+aLf15mavZiTbr+rCU4I+OqdZICR2BxOGb HT5A==
X-Gm-Message-State: AOAM532v4czdjKsc/FJIm8LTw9U+4/iPQfb0Nsa8JmE1KBmr4EDYb7b0 OF9uq5Le0RYBc3NaDBpnEQrrO9g7dNwbSvIBQ28=
X-Google-Smtp-Source: ABdhPJxx5Ug+dxdv7xumjgSIUES8J8786loVh2A0ZGPl9qmPD0XcwpIRJHdsUrHGP1FQfLbLmFh25GlXNmQM4XKlgBw=
X-Received: by 2002:aa7:d841:: with SMTP id f1mr3088845eds.196.1627471813699; Wed, 28 Jul 2021 04:30:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAHPuVdV6s1wM6Qc3uAhRQurVg2mMocRCTPmpVHHkBHW9FWV5Cg@mail.gmail.com> <CAH1iCir=tRduY26=FCe=V1xvaDAD4CFOY7B6LQpaEPpSmk8b-w@mail.gmail.com>
In-Reply-To: <CAH1iCir=tRduY26=FCe=V1xvaDAD4CFOY7B6LQpaEPpSmk8b-w@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 28 Jul 2021 07:30:02 -0400
Message-ID: <CAHPuVdWNmqSnTYGQqQO_nWAb946X2MjfLDLeWeqv+Ujh-igrCg@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000566c4805c82d4f92"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ml06q_3mdqCsa0LjOD7BC_kTtrk>
Subject: Re: [DNSOP] Empty Non-Terminal sentinel for Black Lies
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jul 2021 11:30:21 -0000
On Tue, Jul 27, 2021 at 8:46 PM Brian Dickson <brian.peter.dickson@gmail.com> wrote: > On Tue, Jul 27, 2021 at 4:35 PM Shumon Huque <shuque@gmail.com> wrote: > >> Folks, >> >> While we have the attention of DNSOP folks this week, I'd like to ask for >> review of this draft (I meant to send it earlier in time for f2f discussion >> on Tuesday, but better late than never). >> >> >> https://datatracker.ietf.org/doc/html/draft-huque-dnsop-blacklies-ent-01 >> >> > That's interesting, and I'm definitely in favor of continuing this work. > > A couple of quick questions: > > - Are there distinctions between NSEC and NSEC3, where ENTs and/or > negative proofs result in different response sets? > > I'm not sure I entirely understood your question, but for a specific authenticated denial of existence mechanism (NSEC, NSEC3, NSEC/3 White Lies, Black Lies) the response set should be the same. They will differ between those mechanisms though. In NSEC, an ENT response would contain 1 NSEC record that covers the ENT. In NSEC3, the ENT response would contain 1 NSEC3 record that matches the hash of the ENT. In Blacklies, the ENT response contains 1 NSEC record that matches the ENT. > - Would it make sense to include the synthetic ENT RR as an actual RR > in the unsigned zones for such names (i.e. which, absent this record, would > be ENTs)? > > So that you can easily distinguish ENTs in unsigned zones? I guess that could be of possible use, but I'm not sure how compelling that would be. For me, the goal of this draft is not necessarily to be able to detect ENTs, but to precisely distinguish non-existent names from existing names (of which ENTs are a subset). > - Does it make sense to harmonize the resulting answers across both > "black lies" and pre-signed zones? > - That harmonizing might be advisable and/or necessary in a > multi-signer universe where one provider is statically signing, and the > other is dynamically signing > > Harmonizing the negative answers? Despite their differences, mixing different denial of existence mechanisms in a multi-signer configuration shouldn't cause any issues. We describe why in RFC 8901, Section 5, although mixing online and pre-computed signing will reduce the efficiency of mechanisms like aggressive negative caching. Presumably this would get added to the set of types that must not co-exist > with any other type, and must be singletons. > Yes, but this is really a pseudo type that is only conveyed in a type bitmap, and ENTs by definition have no record types associated with them otherwise - the answer section is always empty. If you query the synthetic type itself, it returns a response without itself in the type bitmap (so it looks like a NODATA). That may seem mildly paradoxical in that it denies its own existence. But we already have a precedent for such behavior in DNSSEC - recall the famed "NSEC3 paradox" :) Shumon.
- [DNSOP] Empty Non-Terminal sentinel for Black Lies Shumon Huque
- Re: [DNSOP] Empty Non-Terminal sentinel for Black… Brian Dickson
- Re: [DNSOP] Empty Non-Terminal sentinel for Black… Shumon Huque
- Re: [DNSOP] Empty Non-Terminal sentinel for Black… Ralf Weber
- Re: [DNSOP] Empty Non-Terminal sentinel for Black… Shumon Huque
- Re: [DNSOP] Empty Non-Terminal sentinel for Black… Hollenbeck, Scott
- Re: [DNSOP] Empty Non-Terminal sentinel for Black… Shumon Huque
- Re: [DNSOP] Empty Non-Terminal sentinel for Black… Peter van Dijk
- Re: [DNSOP] Empty Non-Terminal sentinel for Black… Shumon Huque