Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt

神明達哉 <jinmei@wide.ad.jp> Fri, 10 July 2015 18:53 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 848911A1AE3 for <dnsop@ietfa.amsl.com>; Fri, 10 Jul 2015 11:53:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Je2VP0iuQBht for <dnsop@ietfa.amsl.com>; Fri, 10 Jul 2015 11:53:31 -0700 (PDT)
Received: from mail-yk0-x232.google.com (mail-yk0-x232.google.com [IPv6:2607:f8b0:4002:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BCE61A1ADF for <dnsop@ietf.org>; Fri, 10 Jul 2015 11:53:31 -0700 (PDT)
Received: by ykee186 with SMTP id e186so70273556yke.2 for <dnsop@ietf.org>; Fri, 10 Jul 2015 11:53:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=aTbYARatxv+C/6NFmleLxde/y1lMH5sVD23yJAxZRrM=; b=t2kzu2wZ86mLtcA36sLQTpVlpOEE9nosTGOm7OvjVfiEcYFo5v6ea6dtuY9jyyFmgM 7Fcw0nPh4FqVLKpgXNq9dXA+0vKxVu3g5vTvyEy+/wyp+6adN4m690qVDe+9P6WhcJW9 NH29fAPZZVoapPsAQEa0extj2IfWozy1l8f4+FgryO93x14ahVDOSjFJHSAjv3NQ7sSi n//b69KBzPiNdyIqx5DcfrXhI69boKCFAtEBb6pHs6QuhcG946ZvSXrLwsQgZcRHyQDy gSWR7mUT20Xi1oWBE3bwiV9Ao3g3BZ6lS2bhFHGWV/mepc4NyoLccbuF1EqN6Y6JVc1Q 2WlA==
MIME-Version: 1.0
X-Received: by 10.170.50.19 with SMTP id 19mr24890287yks.61.1436554410461; Fri, 10 Jul 2015 11:53:30 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.37.48.131 with HTTP; Fri, 10 Jul 2015 11:53:30 -0700 (PDT)
In-Reply-To: <20150707.182043.193693838.fujiwara@jprs.co.jp>
References: <20150310.191541.52184726.fujiwara@jprs.co.jp> <20150707.182043.193693838.fujiwara@jprs.co.jp>
Date: Fri, 10 Jul 2015 11:53:30 -0700
X-Google-Sender-Auth: pRxU3VP-xAIokBH0QjdZAxSo8l0
Message-ID: <CAJE_bqcRQH0WGTaLqtMSuiOty4KHe9nN6T-wmqf3x_ohuA6TcA@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: fujiwara@jprs.co.jp
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/QPlQfCYMo-ce7oQQglbTnedD9kg>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 18:53:32 -0000

On Tue, Jul 7, 2015 at 2:20 AM,  <fujiwara@jprs.co.jp> wrote:
> Akira Kato and I submitted draft-fujiwara-dnsop-nsec-aggressiveuse-01.
>
>   https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-nsec-aggressiveuse/
>
> * Added reference to DLV {{RFC5074}} and imported some sentences.
> * Added Aggressive Negative Caching Flag idea.
> * Added detailed algorithms in Appendix.
>
> Please check and comment.

The primarily intended benefit of this approach seems to mitigate a
DoS attack on a resolver (e.g., according to Section 3).  But I'm
skeptical about the effectiveness in that context: for this mitigation
to work the zone in question needs to be DNSSEC-signed.  But an
attacker would be easily able to find unsigned zone to use for the
attack, and they could even set up an unsigned zone they can control.
Also, an equally effective attack is possible without relying
non-existent names: an attacker would only find some wildcard name and
send random queries that match the wildcard.  So, if the proposed
approach is really effective to "random (non-existent) sub-domain
attacks", attackers would simply move to a variant of it that would
still work.  So, in the end, a resolver would still employ counter
measures like rate limiting (which will work for both types of random
name attacks, and will work for unsigned zones), and, if it's
reasonably effective, the defense using "nsec-aggressiveuse" won't be
that promising.

That said, I wouldn't necessarily be opposed to the idea itself.  It
might still be some nice-to-have optimization for resolver
performance, and if so, it's probably worth pursing.

In Introduction it states:

   While negative (non-existence) information of DNS caching mechanism
   has been known as DNS negative cache [RFC2308], it requires exact
   matching in most cases.  [...]
   This was because the NXDOMAIN response just says
   there is no such name "a.example.com" and it doesn't tell anything
   for "b.example.com".

While I see what it tries to say and don't disagree with it, I think
this is not very accurate.  In fact, NXDOMAIN for "a.example.com" says
there is no such name *or any subdomain of it*.  So it would still be
usable to suppress unnecessary external query for, e.g.,
foo.a.example.com.

Regarding Section 5 (possible side effect on root servers), I wonder
about the implication of qname-minimization (which I expect will be
deployed much sooner than this proposal).  A resolver that supports
qname-minimization would first send a query to "local." to the root
server upon receiving a "foo.local" query, and cache the result of
NXDOMAIN for "local.".  It will suppress subsequent external queries
for any subdomain of it.

--
JINMEI, Tatuya