IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

Daniel Migault <mglt.ietf@gmail.com> Tue, 22 November 2022 20:57 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1704DC14CF0C for <dnsop@ietfa.amsl.com>; Tue, 22 Nov 2022 12:57:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aH51EcIqFcr0 for <dnsop@ietfa.amsl.com>; Tue, 22 Nov 2022 12:57:55 -0800 (PST)
Received: from mail-oa1-x34.google.com (mail-oa1-x34.google.com [IPv6:2001:4860:4864:20::34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 661DFC14F73D for <dnsop@ietf.org>; Tue, 22 Nov 2022 12:57:55 -0800 (PST)
Received: by mail-oa1-x34.google.com with SMTP id 586e51a60fabf-12c8312131fso18682507fac.4 for <dnsop@ietf.org>; Tue, 22 Nov 2022 12:57:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=HJG8WOFyKkFTcAkSN65zelQKiM7dKsTbYSfiMGOGyvE=; b=Kll1YBtFlnoHUUvdXa4RVZEBadCm0Jo4U2h3XA7GpkarqUQE0R1A+0hLQV6b17xEGM u3Oe0qRh7w7AVMrkTWRL1wvnO2w1kv0dC4OGfyQIHsJDQB0XVU6SY7u1jW1J+MbL+JP0 4OXMKZmvOU6N6oEw6VPoRHLeBYhvRf4Aai0FiMJC0J8Rkk+Nvf+9NgmFwY+SAzUBrlwZ KjJ5zjePi4wDCuPapIfPaGdILLbAttCUrPuf0I5xxOw46XoeZxiHwron7sJRvOzJ3lWq U0ScK6k21CYUe8xw5wjTDjVM9vhWhJHdqRhQSzpTMjdETB2lgpmj0I1ww3LyxylHMASp KfVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HJG8WOFyKkFTcAkSN65zelQKiM7dKsTbYSfiMGOGyvE=; b=FtqXNLf4gSB+I0HgkUlhDzztZ3gqEB9+FpB/Ur7Py7DBI59laVQcgkPyJS1pOmUxEA vWGnIMXisNMHmE7SEoaZulPKJ253Aq+5Xj5J8oIWqapK9Osc79z4ILLn3uD0HJN3Q/yv C+NGDgIxvaT6InFWMZWRo43aMUsLri63aGZiSNyWmsfJJVWaV7oGYmRODFwNyPtNrPvj tesFZjTEg4zGv9AUDik4fP1ZgAr55iwiE/Basc7btRVoo/b7aLRG+azIX/44m2sIcHiX I4iabJPcEuAp/Co6Fp7lUXBFcyJvPgXGBiZ8uBi4AL5B16LIEUGKgqol/GJEJHoa04Vu gm3g==
X-Gm-Message-State: ANoB5pmYoRUBMFxFdJVov2AzvaCc69kDvS/6PS/ZiipLpr0aNdxkaWsS oHQyn2GNlEohvXn5lfke5Dp0f/WVayKasYfr4ULkue16NBQ=
X-Google-Smtp-Source: AA0mqf6Wj2QQink/+v9XGyaid9PMVaAUJWof67Wq42Ujt5duJSQAdmF4bvceH7Qje4lP/kmhYBXekgZK7saM3Mbklvo=
X-Received: by 2002:a05:6870:591:b0:13b:bbbb:1623 with SMTP id m17-20020a056870059100b0013bbbbb1623mr6698888oap.115.1669150673924; Tue, 22 Nov 2022 12:57:53 -0800 (PST)
MIME-Version: 1.0
References: <CADyWQ+FwRaSdpSWXBDqCG9ZPNPiG4pGUx37PVtExbqVPr5ZfmA@mail.gmail.com> <65d26b98-e0d6-e69b-10d4-17632451cab6@nic.cz>
In-Reply-To: <65d26b98-e0d6-e69b-10d4-17632451cab6@nic.cz>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 22 Nov 2022 15:57:38 -0500
Message-ID: <CADZyTk=wUydEv4X8KgHe3Mj0cZTmiaR3mjn_Z2n73U-eST-HPA@mail.gmail.com>
To: Vladimír Čunát <vladimir.cunat=2Bietf=40nic.cz@dmarc.ietf.org>
Cc: dnsop@ietf.org
Content-Type: multipart/alternative; boundary="000000000000fef4c605ee156cd0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QqCNsJOSKarvhWdB5XZShsEYMVI>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2022 20:57:59 -0000

Hi Vladimir,

Thanks for the feedback and see inline my comments.

You can also find teh changes made on the PR below:
https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/commit/8238c76899bc5a40b1c5234b623ea44fd3f31c77

Yours,
Daniel

On Wed, Nov 16, 2022 at 3:51 PM Vladimír Čunát <vladimir.cunat=2Bietf=
40nic.cz@dmarc.ietf.org> wrote:

> Hello.
>
> I don't know... my opinions often differ from recommendations of this
> draft, but ultimately it's subjective to some degree.  As feedback was
> requested on IETF 115, let me highlight more significant differences in
> this e-mail, though I dislike arguing about (mostly) opinions.
>
>
>
> Nit: the following part doesn't make sense to me, as signature validity
> period is normally way over the TTL anyway (and it's really a bug if it got
> shorter):
>
> Section 8.1 of [RFC4033
> <https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-validator-requirements-01.html#RFC4033>
> ] mention the ability by the resolver to set the upper bound of the TTL
> to the remaining signature validity period. This would at least reduce
> inconsistencies during regular KSK roll over.
>
> Perhaps I'm really misunderstanding the other parts of the recommendation
> that follows afterwards.  (Also, operator RFC seems a weird place to define
> new algorithms for TTL handling.)  I thought the usual issues from bad
> rollovers aren't about records using bad (initial) TTL values but rather
> doing some steps too fast (or other mistakes).  Though yes, reduction of
> TTLs will reduce duration of transient mistakes.  And my understanding is
> that the referred-to (unfinished) revalidation draft won't change anything
> during key rollovers (e.g. clear cached records), even though key rollovers
> seem to be the focus in this section.
>
>
>  The section is mostly intended to provide recommendations in order to
ensure the data being cached are consistent. 4033 indicates it does not
make much sense to keep a RRSIG whose validity period has expired ( TTL >
Validity period).  When the validity period of the key has expired, we
wanted to highlighted that new signatures may have been generated using a
new key and this is why we indicated a key roll over - as the mechanism to
change the key. I agree with you that we do not fix broken key roll over. I
considered adding some text but I came to the conclusion that this would be
providing maybe too much description of a zone owner that cumulates
mistakes. I prefer to remove the sentence: This would at least reduce
inconsistencies during regular KSK roll over.

The intention was not to have such a mechanism as a mechanism to address/
correct emergency key roll over. I agree with you this is out of scope.
This section does not aim at going further than providing sufficient
confidence that the cached data are coherent. One motivation we had also to
put this section is to prevent DRO to implement their own mechanism to
ensure coherence.

*  A DRO MUST be able to flush the cached data associated to a DNSKEY
>
> From practical implementation perspective, I'd rather recommend flushing a
> subtree than additionally tracking which sets got validated by which keys.
> (Or maybe that's considered to also satisfy the bullet?)  It's a nit
> basically, but let me post it, as the rule is with MUST in here.  Note that
> the rogue DNSKEY could sign delegations or other DNSKEYs, thereby in both
> cases populating (parts of) that subtree with data signed by *other*
> DNSKEYs.
>
>
>  Correct, we had subtree in mind and the full cache. While we could
potentially remove only the RRsets that are being validated by a given
DNSKEY, I was not aware of any implementation doing it. Again, we want the
management capabilities to be quite simple as to not prevent introducing
side effects that are even harder to understand.

We changed the text to:
A DRO MUST be able to flush the cached data subtree associated to a DNSKEY

>
> Section 11. (Cryptography Deprecation Recommendations) seems to imply that
> *validator operator* would manage the set of supported DNSSEC algorithms.
> I don't think that would be good advice.
>
> RFC 6975 and the associated bullet serve as a red herring here - it's
> standardized but I haven't heard of anyone using it in practice, as it's
> just more convenient on signer side to use one good algorithm than to
> somehow serve different things to different resolvers (and I'm not even
> starting on multiple layers of DNS servers/caches).  RFC 8624 is the
> (missing) reference there, but I believe it's more for the IETF to
> choose/update and for vendors to implement.  Validator operators should
> just update their SW to get future updates of that, though this can be
> expected not to change for years.  We recently saw that the set of
> supported algorithms often isn't easy to configure and we reiterated other
> down-sides, when Red Hat tried hard to avoid SHA-1.
>
>
> I agree we need to ensure good practice with 8624.
I do agree this might not be very very useful today, but the reason we
recommended this is also to ease communication between the resolvers and
authorities. My impression is that it is hard to change the signature
scheme on the authoritative side as we do not know what resolver will
support it. Similarly, it is also hard to remove deprecated schemes on the
resolvers as we do not know if an authoritative zone is not
still supporting it.
The question seems whether we should use such recommendations to improve
communication between authoritative and resolvers or favor a more
centralized approach where all software is more sticking to one
document 8624. That latter approach seems to me to have too long cycles and
I wished that we could benefit from new crypto ed25519 earlier than when
all resolvers are updated.

I currently update the section as follows:

As mentioned in {{!RFC8247}} and {{!RFC8221}} cryptography used one day is
expected over the time to be replaced by new and more robust cryptographic
mechanisms.
In the case of DNSSEC signature protocols are likely to be updated over
time.
In order to anticipate the sunset of one of the signature scheme, a DNSSEC
validator may be willing to estimate the impact of deprecating one
signature scheme.

Currently, interoperability and security are enforced via cryptographic
recommendations {{!RFC8624}} that are followed by both resolvers and
authoritative servers.
The implementation of such guidance is ensured by the software vendors and
the compliance of their releases.

To safely deprecate one signature scheme, the DNSSEC validator operator is
expected to follow the recommendation below:

STARTUP:
* DRO MUST ensure recent software releases that comply with the most recent
cryptographic guidances are being used

RUNTIME:

* A DRO SHOULD regularly request and monitor the signature scheme supported
by  an authoritative server.
* A DRO SHOULD report a "Unsupported DNSKEY Algorithm" as defined in
{{!RFC8914}}  when a deprecated algorithm is used for validation.


One inconvenient such strategy does not let one DRO to take advantage of
more recent cryptographic.
While currently not being widely used, a DRO MAY share information with
authoritative server in the hope that future deployment of authoritative
servers will be able to leverage it.
{{!RFC6975}} provides the ability for a DNSSEC validator to announce an
authoritative server the supported signature schemes.
However, a DNSSEC validator is not able to determine other than by
requesting and monitoring DNSKEY RRsets as well as RRSIG.
These RRsets are received by enabling DNSSEC validation by default which is
obviously the case for DNSSEC validator.

Nit: I wouldn't recommend RFC 5011, as I think it's more trouble than worth
> in practice.  Similarly with some of (root) TA bootstrapping mechanisms,
> but this draft is vague about recommending those anyway.
>
>
> I am surprised  you would not recommend RFC 5011 but also agree that this
could be implemented with a series of software releases. I have the
impression that in general MNO tend to prefer a stand alone mechanism as
they are constantly deploying releases, but I am happy to hear more on that.

--Vladimir | knot-resolver.cz
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email