Re: [DNSOP] More comments on draft-wessels-edns-key-tag-00

[Edward Lewis <edward.lewis@icann.org>]

On 11/25/15, 13:05, "Wessels, Duane" <dwessels@verisign.com> wrote:

>Can you say more about how limited you think it should be?  Never?

(Probably) as much as possible.  I can't see the benefit of telling a
third party this.  (First party being the validator/querier, second party
being the authority of the trust anchor set, third party including the
upstream.)

>In what I'm proposing the stub also would send the option only for DNSKEY
>queries
>and only for trust anchor zones (i.e. root).  Is that limited enough?

And to the IP addresses for the zone's advertised name servers.

>Do you have particular concerns about who knows about the stub's trust
>anchors?  
>Are you thinking of on-path attackers or the recursive operator or
>something else?

Nothing in particular.  I'm not even clear if it's attackers I am worried
about, it's just general leakage.   I don't see damage in leaking, per se,
outside of the "if someone knows trust anchor #4 was reverse engineered,
then the verifier using it is vulnerable."  It's more that I don't see a
benefit in allowing leakage.

>Is it okay for a recursive to expose old trust anchors, but not okay for
>a stub?

Hmmm, I don't think the two (stub and recursive) are different for this
option.  (In the sense that EDNS is hop-by-hop and not end-to-end, and the
only query handler that can make any use of this information is the
authority.)

>I actually like the suggestion I heard from someone (sorry, can't remember
>exactly who right now) that instead of intersection or union, the
>recursive
>could just forward a second instance of the option.

Not commenting directly on that, but, I'm leaning towards this never being
an issue - that is - there should be no middlebox of any kind that would
forward/relay the option.

>I'd say there is a benefit to the zone operator in knowing what trust
>anchors
>are in use by stubs.

Zone operator would be the one plowing through the packets seen at the
authoritative addresses, I think.  (Me being fully aware that zone
operators aren't always DNS operators.)

>> (If there's a conflict between the two (which could
>> also be sever clock skew), use 'CD' in queries.)
>
>Sorry I didn't follow that.

I was thinking - if a validator is forwarding all traffic to a recursive
server that is also DNSSEC validating, and there is a conflict because the
"upstream" is SERVFAIL'ing some data because of, say, the trust anchor not
right, the "downstream" ought to revert to "+CD" to avoid the buggy
in-validation.


>Forgive me for saying, but it sounds to me like you might've misunderstood
>a little about what I proposed.  I'm saying the edns-key-tag option rides
>along with a DNSKEY query.  So the response is a normal DNSKEY response.
>
>The draft currently says:
>
>  A responder MUST NOT include the edns-key-tag option in any DNS
>response.

Missed that.  (Yes, I did read the draft, twice,...still missed it. ;))

>So what I've proposed is one-way, passive data collection only.  Note I
>modeled this
>after RFC 6975, which works the same way.