[DNSOP] Re: [Ext] [DNSOP]Requesting final comments on draft-ietf-dnsop-rfc8109bis
jabley@strandkip.nl Fri, 07 June 2024 08:33 UTC
Return-Path: <jabley@strandkip.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8F5CC151717 for <dnsop@ietfa.amsl.com>; Fri, 7 Jun 2024 01:33:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strandkip.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1YhPvOmB5Jfr for <dnsop@ietfa.amsl.com>; Fri, 7 Jun 2024 01:33:45 -0700 (PDT)
Received: from st43p00im-ztfb10073301.me.com (st43p00im-ztfb10073301.me.com [17.58.63.186]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFDADC151069 for <dnsop@ietf.org>; Fri, 7 Jun 2024 01:33:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=strandkip.nl; s=sig1; t=1717749224; bh=UqvPEF3MAiSHKLmSMGlBz+C5tZmaIoOsHKq0yE6C87c=; h=Content-Type:Mime-Version:Subject:From:Date:Message-Id:To; b=eXWUDCIAhhBwe3kjgAUp8to5gCaNSBvZl4j0U2ALEp3N5R+4OoLz5vTNOM+fZ2/CW okAI5ypmHO985q3DYA/HxXUa+rHmr/67akYwI8e5Adl7pTOMDT76jtJMmFcYESrF5w OKnkKFIAZ8dXbsoqBfrWffF0oZeCL98cNayQyNFZ+RpvfGMF3FqMMdZFacOpGYregh TwbfqfZpW0sXAzZ5lF0EK/RKx7ZnI5vFoRr2YDLwsfXUi0IDo4UDnhHghH35S51Q0I RLl+mLdZsSJB2vvuw3AfnEu2kl07n5/4AJ5vBQM+xnCuwmuD94t3U5g0JAsb0CwOUD yyetCzuOWWHeQ==
Received: from smtpclient.apple (st43p00im-dlb-asmtp-mailmevip.me.com [17.42.251.41]) by st43p00im-ztfb10073301.me.com (Postfix) with ESMTPSA id 79D9B80026C; Fri, 7 Jun 2024 08:33:40 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.600.62\))
From: jabley@strandkip.nl
In-Reply-To: <CADyWQ+HzeoSZqZh9WCCY6ZfLnmRziFOeUyX7ZdSQmqBw_w1WFA@mail.gmail.com>
Date: Fri, 07 Jun 2024 10:33:27 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <6B191946-D3AB-46D4-B2CF-599ECC642B26@strandkip.nl>
References: <CADyWQ+HLxyAkhdYsOEQz09ByF5EtuvDMh2oAWb_tt_c7YN+59A@mail.gmail.com> <3B172CF5-F76C-4B21-984D-F19CF5B40F48@icann.org> <CADyWQ+HzeoSZqZh9WCCY6ZfLnmRziFOeUyX7ZdSQmqBw_w1WFA@mail.gmail.com>
To: Tim Wicinski <tjw.ietf@gmail.com>
X-Mailer: Apple Mail (2.3774.600.62)
X-Proofpoint-GUID: wWvV2tjCMreAe4cdbE9BgL0o-38t2T7Z
X-Proofpoint-ORIG-GUID: wWvV2tjCMreAe4cdbE9BgL0o-38t2T7Z
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-06-07_01,2024-06-06_02,2024-05-17_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 clxscore=1030 mlxlogscore=999 suspectscore=0 spamscore=0 bulkscore=0 phishscore=0 adultscore=0 malwarescore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2308100000 definitions=main-2406070048
Message-ID-Hash: KKVEVYS7VPW6S5AG4YMGFB3DIARK7VIH
X-Message-ID-Hash: KKVEVYS7VPW6S5AG4YMGFB3DIARK7VIH
X-MailFrom: jabley@strandkip.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Hoffman <paul.hoffman@icann.org>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] [DNSOP]Requesting final comments on draft-ietf-dnsop-rfc8109bis
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QL311lDvO-Z2pddEGPjCtMn9jhM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Hi Tim, all, On Jun 7, 2024, at 01:11, Tim Wicinski <tjw.ietf@gmail.com> wrote: > On Wed, Jun 5, 2024 at 12:28 PM Paul Hoffman <paul.hoffman@icann.org> wrote: > >> Tim jumped the gun by about an hour: we just submitted the -05. It incorporates the suggested text from below; you can see the diff at: >> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-05 > > I am guilty as charged. But our comment on we would like people to review the changes. 3.3 DNSSEC with Priming Queries I know perfectly well what "the root NS RRset" is, but it seems like it could be made a little more clear with only a small change as "the apex NS RRset in the root zone", "root zone" being a well-defined term of art whereas "root" as adjective being a bit vague. More substantially, this section describes a series of vulnerabilities that would be mitigated by signing the ROOT-SERVERS.NET <http://root-servers.net/> zone. However, it does not mention that a validating resolver that received a rogue response from an imposter root server has the eventual opportunity to discard signed RRSets whose signatures do not validate; by not mentioning this there is perhaps some danger that a casual reader would infer a greater overall vulnerability resulting from an unsigned ROOT-SERVERS.NET <http://root-servers.net/> zone than in fact exists. Including signed RRSets from the ROOT-SERVERS.NET <http://root-servers.net/> zone in the priming response would result in larger responses, to which in the past there has been some sensitivity. Since a priming query with DO=1 definitely has EDNS(0) as an option this is not a show stopper, but if the previous sensitivites around all of this are no longer a concern I think it would make sense to say so explicitly when speculating about future signatures in that zone. The chain of trust from a root zone trust anchor through a signed delegation to NET and thence to ROOT-SERVERS.NET <http://root-servers.net/> would also deserve some scrutiny from the perspective of a priming response which is presumably often landing on an empty cache; the ability to validate those signatures requires queries to be sent to as-yet untrusted root servers. It seems odd not to mention this as something that would need work, given the depth of the other text that is included. The final paragraph makes a reference to a naming scheme, presumably referring to the names chosen for root servers (but that could be more clear). The RSSAC wrote quite a large document about this stuff and I certainly don't have all of their conclusions swapped in, but thanks to the late Bill Manning's flash of insight the current scheme features a high degree of name compression already and reducing the single label "ROOT-SERVERS.NET <http://root-servers.net/>" to something smaller is not going to substantially reduce the size of the priming response. It feels like part of the solution space here is to consider root-server names that live in the root zone and not in a child zone, which is a different consderation from the naming scheme. Mainly this paragraph reads like a throwaway comment that doesn't include enough depth to be useful. It should at least say something along the lines of "this is complicated". I realise that at the time of writing it is not before June 14. Happy to contribute text if other people think that in this particular case I am not completely insane. Joe
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Paul Hoffman
- [DNSOP]Requesting final comments on draft-ietf-dn… Tim Wicinski
- [DNSOP]Re: [Ext] Requesting final comments on dra… Paul Hoffman
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… A. Schulze
- [DNSOP] Re: [Ext] [DNSOP]Requesting final comment… Tim Wicinski
- [DNSOP] Re: [Ext] [DNSOP]Requesting final comment… jabley
- [DNSOP] Re: [Ext] [DNSOP]Requesting final comment… jabley
- [DNSOP] Re: [Ext] [DNSOP]Requesting final comment… Willem Toorop
- [DNSOP] Re: [Ext] [DNSOP]Requesting final comment… Willem Toorop
- [DNSOP] To sign root-servers.net or not? Geoff Huston
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Paul Hoffman
- [DNSOP] Re: [Ext] To sign root-servers.net or not? Paul Hoffman
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Tim Wicinski
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Joe Abley
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Tim Wicinski
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Joe Abley
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Tim Wicinski
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Paul Hoffman
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Joe Abley
- [DNSOP] Re: [Ext] To sign root-servers.net or not? Geoff Huston
- [DNSOP] Re: [Ext] To sign root-servers.net or not? Tim Wicinski
- [DNSOP] Re: [DNSOP]Re: [Ext] Requesting final com… Tim Wicinski