Re: [DNSOP] DNSOPI-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt

Petr Špaček <pspacek@isc.org> Thu, 25 November 2021 12:00 UTC

Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A48DF3A07AB for <dnsop@ietfa.amsl.com>; Thu, 25 Nov 2021 04:00:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.951
X-Spam-Level:
X-Spam-Status: No, score=-3.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.852, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=BRubQAyb; dkim=pass (1024-bit key) header.d=isc.org header.b=FFUlaRPH
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oDIKJ9rDjwuv for <dnsop@ietfa.amsl.com>; Thu, 25 Nov 2021 04:00:38 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED8903A07A9 for <dnsop@ietf.org>; Thu, 25 Nov 2021 04:00:38 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 47D86433F3B for <dnsop@ietf.org>; Thu, 25 Nov 2021 12:00:36 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1637841636; bh=JqhupGiD4c9h/xEEJTO82Nh/5qDcxBDym+XLfsliCVU=; h=Date:To:References:From:Subject:In-Reply-To; b=BRubQAybBEUiO3w7YqL9LvlFm4lBj/EXlHTNOtHx3TS0J2niWet9g76QvlNvwGs4s pQ1C768v15wJfxikaoyiIamuGVgSFWsF4mFBr/GiwWrjXwZ+uxtuIfUAiOJRAN1Qdx QrNhWfMNfQc1Qf0DSD9+dFktDyFDQHVMk/qCJd6I=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 37627F02247 for <dnsop@ietf.org>; Thu, 25 Nov 2021 12:00:36 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 0C782F0302E for <dnsop@ietf.org>; Thu, 25 Nov 2021 12:00:36 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 0C782F0302E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1637841636; bh=aNXu0UNyQWAVpuYtlJqU3+uyEC85GEQ1w4MVWuuUxP8=; h=Message-ID:Date:MIME-Version:To:From; b=FFUlaRPH1l9UxcBRIJvqnxnpqC7voLEz31CbjgTHmzOFbDhperOIRrC5x7BnxUvkv cvphH5sUNdOW8EeXFK82sOhw0A1tMis+xWMe5tDVhWi7LWmhptgSVVj5VfZORDl/ze RFnp0ehVAkUvx0bigpp0UI8912I/8F3EZuNOrFeA=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id m1yu1msiiPeN for <dnsop@ietf.org>; Thu, 25 Nov 2021 12:00:35 +0000 (UTC)
Received: from [192.168.0.157] (ip-86-49-254-49.net.upcbroadband.cz [86.49.254.49]) by zimbrang.isc.org (Postfix) with ESMTPSA id 8F572F02247 for <dnsop@ietf.org>; Thu, 25 Nov 2021 12:00:35 +0000 (UTC)
Message-ID: <6153c0ed-523a-5225-40ac-5be9fd5e6ed5@isc.org>
Date: Thu, 25 Nov 2021 13:00:33 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.2
Content-Language: en-US
To: dnsop@ietf.org
References: <163777315136.16773.10633006296842101587@ietfa.amsl.com> <yblh7c1fpwf.fsf@w7.hardakers.net> <914ced6b-52c7-9354-4b91-87f80cd26037@pletterpet.nl>
From: Petr Špaček <pspacek@isc.org>
In-Reply-To: <914ced6b-52c7-9354-4b91-87f80cd26037@pletterpet.nl>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QuEBocn1DG0Z-uJZnnPW7QgbTdw>
Subject: Re: [DNSOP] DNSOPI-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Nov 2021 12:00:44 -0000

On 25. 11. 21 9:33, Matthijs Mekking wrote:
> Hi Wes,
> 
> I think the changes are moving the document in the right direction.
> 
> Some comments:
> 
> 
> 3.1.  Best-practice for zone publishers
> 
> I wonder if we can make the requirement even stronger by saying "If 
> NSEC3 must be used, then an iterations count of 0 MUST be used to 
> alleviate computational burdens." (MUST instead of SHOULD).
> 
> Or is there a valid reason for zone publishers to set iterations to a 
> non-zero value?

This section is IMHO missing a scary warning to explain the reasons. Let 
add one couple sentences (+ "extra" keyword to differentiate it from the 
implicit single iteration):

----------
If NSEC3 must be used, then an extra iterations count of 0 SHOULD be 
used to alleviate computational burdens.

Please note that extra iteration counts other than 0 increase impact of 
resource CPU-exhausting DoS attacks, and also increase risk of 
interoperability problems.
----------


> 3.2.  Recommendation for validating resolvers
> 
> I understand why the new text is here, but I think this now actually 
> gives too little advice for operators and vendors.
> 
> I know, this is a vague comment, I need to think about it a bit more.

Honestly I can't see anything more specific which will not get out of 
date quickly.


> On 24-11-2021 18:02, Wes Hardaker wrote:
>> internet-drafts@ietf.org writes:
>>
>>>          Title           : Guidance for NSEC3 parameter settings
>>>          Authors         : Wes Hardaker
>>>                            Viktor Dukhovni
>>>     Filename        : draft-ietf-dnsop-nsec3-guidance-02.txt
>>>     Pages           : 10
>>>     Date            : 2021-11-24
>>
>> This version attempts to take into account the discussion from the WG
>> meeting at IETF 112.  Concrete text proposals appreciated so we can
>> finish this work and publish it.

I have an additional comment for section 2.4:


 > 2.4.  Salt
 >    Salts add yet another layer of protection against offline, stored
 >    dictionary attacks by combining the value to be hashed (in our case,
 >    a DNS domainname) with a randomly generated value.  This prevents
 >    adversaries from building up and remembering a dictionary of values
 >    that can translate a hash output back to the value that it derived
 >    from.
It seems to me that this into paragraph basically contradicts rest of 
the section which goes on and explains why extra salting is not 
necessary... but see below.

IMHO in the context of NSEC3 the salt would make sense _only_ if it were 
rotated faster than attacker was able to walk the zone. Once attacker 
has list of hashes available for offline cracking the salt does not do 
anything useful anymore.

Even relatively big zones with say 1M names can be walked within a 
single day without raising alarms because nobody would notice 12 queries 
per second (1000000/86400 qps), and I seriously doubt anyone with 1M 
names is rotating salt faster than within one day.

I believe that this property renders salt practically useless, so let me 
propose a modified section 2.4:

------------
    NSEC3 records provide an an additional salt value, which can be 
combined with FQDN to influence the resulting hash, but properties of 
this extra salt are complicated.

    In the cryptography field, salts generally add a layer of protection 
against offline, stored dictionary attacks by combining the value to be 
hashed with a unique "salt" value. This prevents adversaries from 
building up and remembering a single dictionary of values that can 
translate a hash output back to the value that it derived from.

    In the case of DNS, the situation is different because the hashed 
names placed in NSEC3 records are always implicitly "salted" by hashing 
the fully-qualified domain name from each zone. Thus, no single 
pre-computed table works to speed up dictionary attacks against multiple 
target zones. An attacker is always required to compute a complete 
dictionary per zone, which is expensive in both storage and CPU time.

    To understand role of the additional NSEC3 salt field, we have to 
consider how a typical zone walking attack works. Typically the attack 
has two phases - online and offline. In the online phase, an attacker 
"walks the zone" by enumerating (almost) all hashes listed in NSEC3 
records and storing them for offline cracking. Then in the offline 
phase, the attacker attempts to crack the underlying hash. In this case, 
the additional salt value can raise cost of the attack only if the salt 
value changes during the online phase of the attack. In other words, a 
additional salt value which is constant during the online phase of the 
attack does not change cost of the attack.

    Changing a zone's salt value requires the construction of a complete 
new NSEC3 chain.  This is true both when resigning the entire zone at 
once, or incrementally signing it in the background where the new salt 
is only activated once every name in the chain has been completed. As a 
result, re-salting a is very complex operation, with significant CPU 
time, memory, and bandwidth consumption. This makes very frequent 
re-salting unpractical, and renders the additional salt field almost 
useless.

    Operators are encouraged to forget the salt entirely by using a 
zero-length salt value instead (represented as a "-" in the presentation 
format).
------------

I'm tempted to put the last paragraph first, because all the rest is 
justification and I don't want to drown the important piece of 
information in it.

-- 
Petr Špaček