Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-multi-provider-dnssec-04: (with COMMENT)
Shumon Huque <shuque@gmail.com> Thu, 09 April 2020 15:45 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0A683A0A9A; Thu, 9 Apr 2020 08:45:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RwGh8qoCFrOZ; Thu, 9 Apr 2020 08:45:18 -0700 (PDT)
Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A9253A0D24; Thu, 9 Apr 2020 08:44:43 -0700 (PDT)
Received: by mail-oi1-x234.google.com with SMTP id d63so246053oig.6; Thu, 09 Apr 2020 08:44:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ADH3OOyNVoHN8hz/mhN0q2fgZESuOciP741/B4prhBA=; b=ERbhOo1KfQr1ZGknRoIi4trWNI3cxtxiKG1C4peJW7AfMyjCfrxHMckcBBO1cWl7ka MssBGTxJUkDahvmf9Etwo+k9c43IQexMTuQv9qk37SEni1JdPN6wghhui3c+D7VGBp4f vb8pmxZdWtIerglTpeB95JAIJVqB1OO/twM5ymCxReehjPdNNDMHwv/ujfCBs6h0JdXf ykhoAnchumlX0EAYxK5oSGI/KqWFARGMelOOefImjjSGrcUIw5EnVuCtdznMcg1rx210 ZeaQYvzSVuYefU8CXdMiMhfynGEwTMTSFsV5Y5/Y2lsv2ZaG270z7/fxzMcSrkS/cMmV qNDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ADH3OOyNVoHN8hz/mhN0q2fgZESuOciP741/B4prhBA=; b=rTjFhYr1KTGb8QVaLck7o3kKcYYDAiDOj2gHFNcuPJs6e0WoTX0CMw+YTaeueRpvyH VatFtXm+Sj1YgHKYtBIBj0tY9PLoNEPwZc55X1AbiuRcKrB5bIUv0njZdz36jpcXPht2 aiQGfIVs3+xAmMAuL5R2/FfONjJKzP9l+1ywB0oYug7RS/ZjcSCxJON3vm4HGemyeIZF VqzdUZmbap6/3DlRVtRlcPLvJSmdjPoFFdKX/+FywZ9r3E3yX+8/WK5LoxjAZwdC6qVO 4/bvCMo9gR2WNtqCAKP1ddIV/Jb5wZYuvPpnJ/vFCdpWoiF1xGcSKWrukdGselKaE3RI kI3w==
X-Gm-Message-State: AGi0PuYggioaLsCAxuH/9qRzpjz3Z/64mfch4uCDvRpYgN5KqS0fGDmi 2wxCF4fNplFA2CwQcDvFnLI7UTsoivkSP1SyiN0=
X-Google-Smtp-Source: APiQypL4J/Q3vDzeYGZ/DQTYr4MbFuumysY87Zssi1UTks6P03jgoW7HsR2O2i08dIPrewnQodXXS2MXGU2RvU4nQ3M=
X-Received: by 2002:a05:6808:2d9:: with SMTP id a25mr6763117oid.125.1586447082570; Thu, 09 Apr 2020 08:44:42 -0700 (PDT)
MIME-Version: 1.0
References: <158640898724.3293.17093328253615706681@ietfa.amsl.com>
In-Reply-To: <158640898724.3293.17093328253615706681@ietfa.amsl.com>
From: Shumon Huque <shuque@gmail.com>
Date: Thu, 09 Apr 2020 11:44:30 -0400
Message-ID: <CAHPuVdV8APgYx2PnPE7N1sYCDKd_oETTqHLaBaNvLCGuPzigwQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dnsop-multi-provider-dnssec@ietf.org, dnsop-chairs <dnsop-chairs@ietf.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Benno Overeinder <benno@nlnetlabs.nl>
Content-Type: multipart/alternative; boundary="000000000000cfca5805a2dd7e94"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/MnVEwk6pgcJk0dQvCFGzGJbOtRw>
Subject: Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-multi-provider-dnssec-04: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2020 15:45:22 -0000
On Thu, Apr 9, 2020 at 1:09 AM Benjamin Kaduk via Datatracker < noreply@ietf.org> wrote: > > Thanks for this document; it's pretty clear and it's good to have these > procedures written down in a well-thought-out manner. > Thank you for your review Ben. Section 3 > > o It may also be the case that a resolver is unable to provide an > authenticated response because it gave up after a certain number > of retries or a certain amount of delay. Or that downstream > clients of the resolver that originated the query timed out > waiting for a response. > > nit: sentence fragment. > Ok, will fix. > > Section 5 > > Since authenticated denial responses are self-contained, NSEC and > NSEC3 can be used by different providers to serve the same zone. > Doing so however defeats the protection against zone enumeration > provided by NSEC3. A better configuration involves multiple > > It might be worth a few more words about why this defeats the protection > against zone enumeration. > Sure (the short summary is that the adversary can just trivially enumerate the zone by querying the provider that employs NSEC). Will add some text. Section 6.1, 6.2 > > Should we say anything about when it's safe for a new ZSK to be used to > sign responses? > I think we were largely leaving these timing details to other documents like RFC 6781, which we assume readers will be familiar with. But since we describe pre-publish ZSK rollovers in some detail, we can probably say something. Per 6781, you need to wait (1) propagation delay of the ZSK update to all authoritative servers, plus (2) the TTL of the DNSKEY RRset. The only aspect that _may_ need to be highlighted, is that for multi provider, propagation delay now includes the time to propagate to authority servers of _all_ the providers (which now necessarily includes the associated ZSK import operations). Section 8 > > nit: s/CDNS/CDS/ > Yup, thanks for catching that. There's actually an additional typo there. So, we need to replace "CDNS/DNSKEY" with "CDS/CDNSKEY". Also, this section feels a bit sparse compared to 6.1 and 6.2. > Okay, let me ponder what might be useful to elaborate on here .. Section 9 > > In model 2, once initially bootstrapped with each others zone signing > keys via these API mechanisms, providers could, if desired, > periodically query each others DNSKEY RRsets and automatically import > or withdraw ZSKs in the keyset as key rollover events happen. > > What kind of authentication would be needed for this > provider-to-provider API access? > Post bootstrapping (i.e. after the providers were already deployed in a multi-signer configuration), I don't think there any new authentication mechanisms needed, since the DNSKEY RRset is already signed and can be verified by anyone to confirm updated ZSK elements. So, they could securely discover this using the DNS protocol (rather than vendor proprietary APIs). Section 10 > > Shouldn't we have references for DoT and DoH? > Hmm, okay. This was almost a parenthetical comment about a possible future state of the DNS ecosystem, so it didn't immediately occur to me add references. But sure, we can add them. Section 12 > > I think both import and export need to be strongly authenticated, though > the DNSSEC itself can provide for authentication of export in most > (all?) cases. If (e.g.) the zone owner fetches bad data and then > strongly authenticates to shove that bad data into the other services, > you still end up with bad data in use. > > (Also, integrity protection, though I expect this is implicit.) Yes, DNSSEC could be used in many cases, post bootstrapping. But I expect the zone owner will be using provider API for both export and import. These are almost always REST/HTTPS so they are strongly authenticated, and yes integrity protected (and confidentiality protected). So maybe the easiest thing to do is to mention "import and export" here. If using DNS UPDATE, then that is typically strongly authenticated (e.g. TSIG with HMAC-SHA256 etc) and integrity protected (but not confidentiality protected, unless using DNS over TLS, which isn't yet common for UPDATE). This is the sort of operation that I'd want to have multi-factor > authentication for, too. > I can see some more security conscious enterprises doing that, yes. We can mention that. Section 14.1 > > RFCs 2136, 5731 don't currently seem to be cited in a manner that > requires a normative reference. > Yes, ok. I will promote those references. Thanks! Shumon Huque
- [DNSOP] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Shumon Huque
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Brian Dickson
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Shumon Huque
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Benjamin Kaduk
- Re: [DNSOP] Benjamin Kaduk's No Objection on draf… Shumon Huque