Re: [DNSOP] Practical issues deploying DNSSEC into the home.
Joe Abley <jabley@hopcount.ca> Wed, 11 September 2013 15:49 UTC
Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8A8B21E812E for <dnsop@ietfa.amsl.com>; Wed, 11 Sep 2013 08:49:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rjLVJcfgB3DK for <dnsop@ietfa.amsl.com>; Wed, 11 Sep 2013 08:49:09 -0700 (PDT)
Received: from mail-ie0-x22a.google.com (mail-ie0-x22a.google.com [IPv6:2607:f8b0:4001:c03::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 79A1E11E8220 for <dnsop@ietf.org>; Wed, 11 Sep 2013 08:49:09 -0700 (PDT)
Received: by mail-ie0-f170.google.com with SMTP id 17so10758962iea.15 for <dnsop@ietf.org>; Wed, 11 Sep 2013 08:49:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=lt3LicLCD1JpG4tjJMCitiF3f6x5Utij0v/7Ko6YjkA=; b=MTguZiNjqsw9CVRDVCgO6RZwVKpEHz5rwHwbyKVeCPoXbdi2f0gVqZCxU9czj2xtC4 EfZUHtPp2eUp/cIZ4c01ow/vrti5H9NcehKwW4aLsj0c9pzmCLzs203STruv/aqfmVbW gH42ROwlh9+7kRXGNtbzK7snsSEROB6vpWBuY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=lt3LicLCD1JpG4tjJMCitiF3f6x5Utij0v/7Ko6YjkA=; b=aMyTGH1ivQx757Vtxjje18UQ34Bm6xtjuRFgH1q7d4w2DoPPfUAB5rT+vhAKNCex2d Iy/IqckMrEB+lFTGoVrm5Suuco7S4Dy8HdraFRHymbnLW39T2Ic5EBKIdffS+DyMz0Yd puHQK0H+IJRwrfukpgDKRWVHDK7gTVEl+87eiXkKjIDPzTY3mDFsY3NIjXct+3zu+II3 PNdjgrhqbdeKHANs/tX8c1kN/TgjOZQU/aOdov6R9hFfvoi9sFBncqS/xHyO/5PpBAoP xCjdjBz92KlbJjQ2L6+uH1lQRbFuZ7S6PczZnQqZ4nLH2IEiooVfcpz80+lE6D8OOyCo y3yQ==
X-Gm-Message-State: ALoCoQmGX0Ot6y6lxQVyf7qD0ApWQ1UYp/QPuAuBJ4YuuvPuQOVWjZ1Y8n0qdK7QqOzwN0nuYc5o
X-Received: by 10.50.45.73 with SMTP id k9mr12425658igm.38.1378914549017; Wed, 11 Sep 2013 08:49:09 -0700 (PDT)
Received: from ?IPv6:2001:4900:1042:1:38ef:fc0f:73eb:dccf? ([2001:4900:1042:1:38ef:fc0f:73eb:dccf]) by mx.google.com with ESMTPSA id p7sm3470720iga.3.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 11 Sep 2013 08:49:08 -0700 (PDT)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <CAMm+LwjkOEO6t5v6qMjc036JGaoFi=3jFPNDp=xM=zK5R8_k7A@mail.gmail.com>
Date: Wed, 11 Sep 2013 11:49:05 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <D9B745AC-8FCE-4742-AAE1-CC1AC4293F0E@hopcount.ca>
References: <CAGhGL2APj-XfuMUHgLsELnZRbRNCLrjMBxFBtcg4zx+5SG7Bag@mail.gmail.com> <3C96E4A9-7E78-421F-A437-7091AEBEB5AA@ogud.com> <20130910224518.GA99190@isc.org> <91AFF488-A3F6-4E30-B542-B5C107DB6114@ogud.com> <CAMm+LwjkOEO6t5v6qMjc036JGaoFi=3jFPNDp=xM=zK5R8_k7A@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: Apple Mail (2.1508)
Cc: Evan Hunt <each@isc.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>, "ietf@ietf.org TF" <ietf@ietf.org>
Subject: Re: [DNSOP] Practical issues deploying DNSSEC into the home.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Sep 2013 15:49:11 -0000
On 2013-09-11, at 11:43, Phillip Hallam-Baker <hallam@gmail.com> wrote: > OK lets consider the trust requirements here. > > 1. We only need to know the current time to an accuracy of 1 hour. [RRSIG expiration times are specified with a granularity of a second, right? I appreciate that most people are generous with signature inception and expiration times in order to facilitate clock skew on validators, but I think "1 hour" needs some qualification.] > 2. The current time is a matter of convention rather than a natural property. It is therefore impossible to determine the time without reference to at least one trusted party. > > 2a) A trusted party that asserts that the current time is set to a date in the future can perform a denial of service attack on a relying party but one that is easily detected. > > 2b) It is a simple matter for the trusted party to provide a signed assertion that the current time is after the Date-Time X. The hard part is ensuring that the relying party can access an up to date version of the current time assertion. > > 2c) DNSSEC already provides an abundance of such assertions. If the signatures on the .com zone are claiming a date in the future then the whole viability of DNSSEC collapses. > > 3) A relying party thus requires a demonstration that is secure against a replay attack from one or more trusted parties to be assured that the time assertion presented is current but this need not necessarily be the same as the source of the signed time assertion itself. > > 4) In the case of DNSSEC the window of vulnerability is actually fairly small since rewinding the time to a date in the past only helps an attacker if they had compromised the system on that date. [or if they had intercepted, stored and replayed a signed response at a later time when the current response would be different] > The real design decision is who you decide you are going to rely on for (3). TLS is proof against replay attack due to the exchange of nonces. I think that's deeper than where we are right now. Before we consider mechanisms for gauging the accuracy of a local clock, we need consensus on the general approach, e.g. the state machine implied by draft-jabley-dnsop-validator-bootstrap or something different but analogous. Joe
- Re: [DNSOP] Practical issues deploying DNSSEC int… Olafur Gudmundsson
- Re: [DNSOP] Practical issues deploying DNSSEC int… Dickson, Brian
- Re: [DNSOP] Practical issues deploying DNSSEC int… Joe Abley
- Re: [DNSOP] Practical issues deploying DNSSEC int… Evan Hunt
- Re: [DNSOP] Practical issues deploying DNSSEC int… Brian E Carpenter
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta
- Re: [DNSOP] Practical issues deploying DNSSEC int… David Morris
- Re: [DNSOP] Practical issues deploying DNSSEC int… Olafur Gudmundsson
- Re: [DNSOP] Practical issues deploying DNSSEC int… Olafur Gudmundsson
- Re: [DNSOP] Practical issues deploying DNSSEC int… Olafur Gudmundsson
- Re: [DNSOP] Practical issues deploying DNSSEC int… Nicholas Weaver
- Re: [DNSOP] Practical issues deploying DNSSEC int… Paul Wouters
- Re: [DNSOP] Practical issues deploying DNSSEC int… Phillip Hallam-Baker
- Re: [DNSOP] Practical issues deploying DNSSEC int… Ted Lemon
- Re: [DNSOP] Practical issues deploying DNSSEC int… Joe Abley
- Re: [DNSOP] Practical issues deploying DNSSEC int… Paul Wouters
- Re: [DNSOP] Practical issues deploying DNSSEC int… Phillip Hallam-Baker
- Re: [DNSOP] Practical issues deploying DNSSEC int… Nicholas Weaver
- Re: [DNSOP] Practical issues deploying DNSSEC int… Phillip Hallam-Baker
- Re: [DNSOP] Practical issues deploying DNSSEC int… Nicholas Weaver
- Re: [DNSOP] Practical issues deploying DNSSEC int… Tony Finch
- Re: [DNSOP] Practical issues deploying DNSSEC int… Ted Lemon
- Re: [DNSOP] Practical issues deploying DNSSEC int… Tony Finch
- Re: [DNSOP] Practical issues deploying DNSSEC int… Paul Wouters
- Re: [DNSOP] Practical issues deploying DNSSEC int… Ted Lemon
- Re: [DNSOP] Practical issues deploying DNSSEC int… Paul Wouters
- Re: [DNSOP] Practical issues deploying DNSSEC int… Theodore Ts'o
- Re: [DNSOP] Practical issues deploying DNSSEC int… Theodore Ts'o
- Re: [DNSOP] Practical issues deploying DNSSEC int… Nicholas Weaver
- Re: [DNSOP] Practical issues deploying DNSSEC int… Theodore Ts'o
- Re: [DNSOP] Practical issues deploying DNSSEC int… Ted Lemon
- Re: [DNSOP] Practical issues deploying DNSSEC int… Dickson, Brian
- Re: [DNSOP] Practical issues deploying DNSSEC int… Ted Lemon
- Re: [DNSOP] Practical issues deploying DNSSEC int… robert bownes
- Re: [DNSOP] Practical issues deploying DNSSEC int… Phillip Hallam-Baker
- Re: [DNSOP] Practical issues deploying DNSSEC int… Phillip Hallam-Baker
- Re: [DNSOP] Practical issues deploying DNSSEC int… Ted Lemon
- Re: [DNSOP] Practical issues deploying DNSSEC int… Dickson, Brian
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta
- Re: [DNSOP] Practical issues deploying DNSSEC int… David Morris
- Re: [DNSOP] Practical issues deploying DNSSEC int… Eliot Lear
- Re: [DNSOP] Practical issues deploying DNSSEC int… Glen Wiley
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta
- Re: [DNSOP] Practical issues deploying DNSSEC int… SM
- Re: [DNSOP] Practical issues deploying DNSSEC int… SM
- Re: [DNSOP] Practical issues deploying DNSSEC int… Paul Wouters
- Re: [DNSOP] Practical issues deploying DNSSEC int… Jim Gettys
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta