Re: [DNSOP] More comments on draft-wessels-edns-key-tag-00
Edward Lewis <edward.lewis@icann.org> Wed, 25 November 2015 20:17 UTC
Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85B891B2F53 for <dnsop@ietfa.amsl.com>; Wed, 25 Nov 2015 12:17:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.006
X-Spam-Level:
X-Spam-Status: No, score=-4.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rcc5wz_rLV30 for <dnsop@ietfa.amsl.com>; Wed, 25 Nov 2015 12:17:13 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org [64.78.40.7]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35DD31B2F4E for <dnsop@ietf.org>; Wed, 25 Nov 2015 12:17:13 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Wed, 25 Nov 2015 12:17:11 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1044.021; Wed, 25 Nov 2015 12:17:11 -0800
From: Edward Lewis <edward.lewis@icann.org>
To: "Wessels, Duane" <dwessels@verisign.com>
Thread-Topic: More comments on draft-wessels-edns-key-tag-00
Thread-Index: AQHRJtmPXkdjXahmsEiTn01cYVzaVZ6sNYcAgADLrwCAAI7hgP//0QOA
Date: Wed, 25 Nov 2015 20:17:10 +0000
Message-ID: <D27B7E9D.118A0%edward.lewis@icann.org>
References: <D279FE55.117EB%edward.lewis@icann.org> <CD88ACBF-9E78-4D9D-920B-381694059BDA@verisign.com> <D27B2BCC.11857%edward.lewis@icann.org> <6B70A96A-9E75-465F-9A91-0C1A656F2F4E@verisign.com>
In-Reply-To: <6B70A96A-9E75-465F-9A91-0C1A656F2F4E@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.8.151023
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3531309427_12004695"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/PDYPqeovmma08Js4SmOuIqMmfqc>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] More comments on draft-wessels-edns-key-tag-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 20:17:17 -0000
On 11/25/15, 13:05, "Wessels, Duane" <dwessels@verisign.com> wrote: >Can you say more about how limited you think it should be? Never? (Probably) as much as possible. I can't see the benefit of telling a third party this. (First party being the validator/querier, second party being the authority of the trust anchor set, third party including the upstream.) >In what I'm proposing the stub also would send the option only for DNSKEY >queries >and only for trust anchor zones (i.e. root). Is that limited enough? And to the IP addresses for the zone's advertised name servers. >Do you have particular concerns about who knows about the stub's trust >anchors? >Are you thinking of on-path attackers or the recursive operator or >something else? Nothing in particular. I'm not even clear if it's attackers I am worried about, it's just general leakage. I don't see damage in leaking, per se, outside of the "if someone knows trust anchor #4 was reverse engineered, then the verifier using it is vulnerable." It's more that I don't see a benefit in allowing leakage. >Is it okay for a recursive to expose old trust anchors, but not okay for >a stub? Hmmm, I don't think the two (stub and recursive) are different for this option. (In the sense that EDNS is hop-by-hop and not end-to-end, and the only query handler that can make any use of this information is the authority.) >I actually like the suggestion I heard from someone (sorry, can't remember >exactly who right now) that instead of intersection or union, the >recursive >could just forward a second instance of the option. Not commenting directly on that, but, I'm leaning towards this never being an issue - that is - there should be no middlebox of any kind that would forward/relay the option. >I'd say there is a benefit to the zone operator in knowing what trust >anchors >are in use by stubs. Zone operator would be the one plowing through the packets seen at the authoritative addresses, I think. (Me being fully aware that zone operators aren't always DNS operators.) >> (If there's a conflict between the two (which could >> also be sever clock skew), use 'CD' in queries.) > >Sorry I didn't follow that. I was thinking - if a validator is forwarding all traffic to a recursive server that is also DNSSEC validating, and there is a conflict because the "upstream" is SERVFAIL'ing some data because of, say, the trust anchor not right, the "downstream" ought to revert to "+CD" to avoid the buggy in-validation. >Forgive me for saying, but it sounds to me like you might've misunderstood >a little about what I proposed. I'm saying the edns-key-tag option rides >along with a DNSKEY query. So the response is a normal DNSKEY response. > >The draft currently says: > > A responder MUST NOT include the edns-key-tag option in any DNS >response. Missed that. (Yes, I did read the draft, twice,...still missed it. ;)) >So what I've proposed is one-way, passive data collection only. Note I >modeled this >after RFC 6975, which works the same way.
- [DNSOP] More comments on draft-wessels-edns-key-t… Edward Lewis
- Re: [DNSOP] More comments on draft-wessels-edns-k… Wessels, Duane
- Re: [DNSOP] More comments on draft-wessels-edns-k… Edward Lewis
- Re: [DNSOP] More comments on draft-wessels-edns-k… Wessels, Duane
- Re: [DNSOP] More comments on draft-wessels-edns-k… Edward Lewis
- Re: [DNSOP] More comments on draft-wessels-edns-k… Wessels, Duane