Re: [DNSOP] More comments on draft-wessels-edns-key-tag-00

Edward Lewis <edward.lewis@icann.org> Wed, 25 November 2015 20:17 UTC

Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85B891B2F53 for <dnsop@ietfa.amsl.com>; Wed, 25 Nov 2015 12:17:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.006
X-Spam-Level:
X-Spam-Status: No, score=-4.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rcc5wz_rLV30 for <dnsop@ietfa.amsl.com>; Wed, 25 Nov 2015 12:17:13 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org [64.78.40.7]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35DD31B2F4E for <dnsop@ietf.org>; Wed, 25 Nov 2015 12:17:13 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Wed, 25 Nov 2015 12:17:11 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1044.021; Wed, 25 Nov 2015 12:17:11 -0800
From: Edward Lewis <edward.lewis@icann.org>
To: "Wessels, Duane" <dwessels@verisign.com>
Thread-Topic: More comments on draft-wessels-edns-key-tag-00
Thread-Index: AQHRJtmPXkdjXahmsEiTn01cYVzaVZ6sNYcAgADLrwCAAI7hgP//0QOA
Date: Wed, 25 Nov 2015 20:17:10 +0000
Message-ID: <D27B7E9D.118A0%edward.lewis@icann.org>
References: <D279FE55.117EB%edward.lewis@icann.org> <CD88ACBF-9E78-4D9D-920B-381694059BDA@verisign.com> <D27B2BCC.11857%edward.lewis@icann.org> <6B70A96A-9E75-465F-9A91-0C1A656F2F4E@verisign.com>
In-Reply-To: <6B70A96A-9E75-465F-9A91-0C1A656F2F4E@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.8.151023
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="B_3531309427_12004695"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/PDYPqeovmma08Js4SmOuIqMmfqc>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] More comments on draft-wessels-edns-key-tag-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 20:17:17 -0000

On 11/25/15, 13:05, "Wessels, Duane" <dwessels@verisign.com> wrote:

>Can you say more about how limited you think it should be?  Never?

(Probably) as much as possible.  I can't see the benefit of telling a
third party this.  (First party being the validator/querier, second party
being the authority of the trust anchor set, third party including the
upstream.)

>In what I'm proposing the stub also would send the option only for DNSKEY
>queries
>and only for trust anchor zones (i.e. root).  Is that limited enough?

And to the IP addresses for the zone's advertised name servers.

>Do you have particular concerns about who knows about the stub's trust
>anchors?  
>Are you thinking of on-path attackers or the recursive operator or
>something else?

Nothing in particular.  I'm not even clear if it's attackers I am worried
about, it's just general leakage.   I don't see damage in leaking, per se,
outside of the "if someone knows trust anchor #4 was reverse engineered,
then the verifier using it is vulnerable."  It's more that I don't see a
benefit in allowing leakage.

>Is it okay for a recursive to expose old trust anchors, but not okay for
>a stub?

Hmmm, I don't think the two (stub and recursive) are different for this
option.  (In the sense that EDNS is hop-by-hop and not end-to-end, and the
only query handler that can make any use of this information is the
authority.)

>I actually like the suggestion I heard from someone (sorry, can't remember
>exactly who right now) that instead of intersection or union, the
>recursive
>could just forward a second instance of the option.

Not commenting directly on that, but, I'm leaning towards this never being
an issue - that is - there should be no middlebox of any kind that would
forward/relay the option.

>I'd say there is a benefit to the zone operator in knowing what trust
>anchors
>are in use by stubs.

Zone operator would be the one plowing through the packets seen at the
authoritative addresses, I think.  (Me being fully aware that zone
operators aren't always DNS operators.)

>> (If there's a conflict between the two (which could
>> also be sever clock skew), use 'CD' in queries.)
>
>Sorry I didn't follow that.

I was thinking - if a validator is forwarding all traffic to a recursive
server that is also DNSSEC validating, and there is a conflict because the
"upstream" is SERVFAIL'ing some data because of, say, the trust anchor not
right, the "downstream" ought to revert to "+CD" to avoid the buggy
in-validation.


>Forgive me for saying, but it sounds to me like you might've misunderstood
>a little about what I proposed.  I'm saying the edns-key-tag option rides
>along with a DNSKEY query.  So the response is a normal DNSKEY response.
>
>The draft currently says:
>
>  A responder MUST NOT include the edns-key-tag option in any DNS
>response.

Missed that.  (Yes, I did read the draft, twice,...still missed it. ;))

>So what I've proposed is one-way, passive data collection only.  Note I
>modeled this
>after RFC 6975, which works the same way.