Re: [DNSOP] Fwd: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-02.txt
Edward Lewis <edward.lewis@icann.org> Wed, 18 February 2015 17:29 UTC
Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 198E71A8A28 for <dnsop@ietfa.amsl.com>; Wed, 18 Feb 2015 09:29:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.909
X-Spam-Level:
X-Spam-Status: No, score=-0.909 tagged_above=-999 required=5 tests=[BAYES_50=0.8, J_CHICKENPOX_44=0.6, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EXFq67GQQRIj for <dnsop@ietfa.amsl.com>; Wed, 18 Feb 2015 09:29:40 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org [64.78.40.7]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4190D1A8A1F for <dnsop@ietf.org>; Wed, 18 Feb 2015 09:29:40 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.847.32; Wed, 18 Feb 2015 09:29:38 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.0847.030; Wed, 18 Feb 2015 09:29:37 -0800
From: Edward Lewis <edward.lewis@icann.org>
To: Daniel Migault <mglt.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Thread-Topic: [DNSOP] Fwd: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-02.txt
Thread-Index: AQHQSuzi8mcqs7Yv1ECFKSpobRGP8Zz23V2A
Date: Wed, 18 Feb 2015 17:29:37 +0000
Message-ID: <D10A2516.9089%edward.lewis@icann.org>
References: <20150217193653.29261.36732.idtracker@ietfa.amsl.com> <CADZyTknP7kim87FyR=Qn=TeqrxsF5bLqn9GwJwit-_dfH3uYQw@mail.gmail.com>
In-Reply-To: <CADZyTknP7kim87FyR=Qn=TeqrxsF5bLqn9GwJwit-_dfH3uYQw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.7.141117
x-originating-ip: [192.0.47.235]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3507107375_5002626"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/SB0S9eci_GUiY2qCgKM9Py7_dW8>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-mglt-dnsop-dnssec-validator-requirements-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 17:29:43 -0000
I wasn’t aware this was in progress, I’m glad to see it. DNSOP D. Migault (Ed) Internet-Draft Ericsson Intended status: Standards Track February 16, 2015 Expires: August 20, 2015 DNSSEC Validators Requirements draft-mglt-dnsop-dnssec-validator-requirements-02.txt I was going to insert detailed comments, but they got too long.IMHO, a manageable DNSSEC validator must do this: 1) Implement RFC 5011 2) Accommodate remote authorized management (get, set) of Trust Anchors 3) Accommodate remote authorized management of its validator clock 4) Accommodate remote authorized management of Negative Trust Anchors 5) Accommodate remote authorized management of data in any cache Looking at section 9 of the document to compare the requirements I’ve put above: Requirement 1: DNSSEC validator MUST be provided means to appropriately update their time. That I agree with (my #3) Requirement 2: DNSSEC Validator MUST be able to check the validity of their Trust Anchor KSKs. The problem here is that the validator can verify that their Trust Anchors are sane but the validator can’t reliably make a conclusion if there’s a problem. Requirement 3: DNSSEC Validator MUST be able to retrieve their Trust Anchor KSKs. This sounds like a bad idea, unless “retrieve” means go get it via an appropriate “software update.” And, this will come up - trust anchors are not KSKs and ZSKs, they are SEPs and there’s no protocol distinction between KSK and ZSK in validation. This point will be come more of an issue with the next bunch of requirements. Requirement 4: DNSSEC Validator MUST be able to be informed a ZSK MUST be flushed from cache. Requirement 5: DNSSEC Validator MUST be able to be informed a KSK MUST be flushed from cache. Cache flushing is not specific to DNSSEC. Worse yet, in my mind, once a validator passes judgement on a set of data and the data is entered in the good cache or bad cache, the validator’s job is done. Getting the validator into the business of managing the cache leads to these issues: What if a key in the chain expires or TTL’s out of the cache? I believe that should not cause the validated data set to be discarded too. (Or the SSH session tunnel that resulted from an address record lookup torn down.) What if the request to flush is unauthorized, resulting in a denial of service on the validator (having to relearn the keys) or just an unavailability of the data tossed needlessly. A lot of what ifs involved. The net recommendation is to separate cache management from validation. Requirement 6: DNSSEC Validator MUST be able to be informed a KSK SHOULD be trusted as a Trust Anchor KSK. Has to be done out of band. Requirement 7: DNSSEC Validator MUST be able to be informed that a KSK or a ZSK MUST NOT be used for RRSIG validation. Once upon a time we tried to make up a authorization model for DNSSEC - who was allowed to sign for what. It’s a hard problem and we never solved it. (We being some DARPA sponsored researchers.) Designating a key to not be used - the closest is a negative trust anchor but that doesn’t delete a key. Perhaps an authorized flushing of a domain (name) and then having to learn the data authenticated by the new key set is the way out. This would be acceptable since the authority “is facing bigger problems”. Requirement 8: The DNSSEC Validator MUST be able to be informed that a KSK or a ZSK is known "back to secure". Out of band, has to be. Requirement 9: DNSSEC Validator MUST be able to be provided KSK for private use. Requirement 10: DNSSEC Validator MUST be able to be provided ZSK for private use. These would be trust anchors - SEP’s. There’s only so much you can do in terms of managing security of a system from within the system. It’s more likely that general screw ups will cause problems than over attacks on the keys themselves. With the recommendation that DNSSEC validation be done closer to the application (I’ll not qualify that recommendation other than to say I’ve heard it), it’s ever more necessary to manage the validators in a scaleable and obvious way. On the one hand there’s a desire to decrease central authority. On the other hand, most users don’t want to take on the responsibility (that includes me) of managing the minutia of their security. I don’t seen an easy compromise between the two. ############### Below was my first attempt to comment, leaving it for whatever it’s worth. Internet-Draft DNSSEC Validator Requirements February 2015 2. Introduction … Currently few efforts have been made to describe mechanisms that guarantee how a DNSSEC validator can be provisioned with the appropriated KSKs and time so that DNSSEC validation can always be Ed: SEPs, not KSKs. Secure Entry Points is the proper term.… Migault (Ed) Expires August 20, 2015 [Page 2] Internet-Draft DNSSEC Validator Requirements February 2015 3. Terminology This document uses the following terminology: - DNSSEC Validator: the entity that performs DNSSEC resolution and performs signature validation. Ed: It’s more than “signature" validation. I’d just drop the adjective. As one example, you also have to show that the NSEC(3) records prove the right point, and another example, show that the signature is generated by an appropriate authority.4. Time derivation and absence of Real Time Clock 5. Unplugged devices during Trust Anchor KSKs roll over Ed: SEPs! Not KSKs Migault (Ed) Expires August 20, 2015 [Page 3] Internet-Draft DNSSEC Validator Requirements February 2015 Requirement 2: DNSSEC Validator MUST be able to check the validity of their Trust Anchor KSKs. Ed: I firmly believe that compliance with RFC 5011 is needed as a MUST. It’s a Full Standard, for one thing. And when it comes time to roll the root zone SEP (KSK), validators that don’t have 5011 will require manual intervention. I single out the root zone because there’s no DS record for it.A device booted from cold storage can check to see if the DS records correspond to the SEPs it holds, but not for the root zone. Of course, if the DS records do not correspond, you can’t draw any conclusions, but if they do the device knows it’s initial state is secure (or somewhat).If there’s disagreement, then there’s no fool-proof way to update the trust anchors. So for this requirement, the result is “yep, check” or “we may have a problem.” Requirement 3: DNSSEC Validator MUST be able to retrieve their Trust Anchor KSKs. I’m not sure how to interpret that requirement. Do you mean that it should be possible to query a validator for it’s trust anchor set? Or do you mean that the validator can retrieve trust anchors over the network?6. Emergency Key rollover Requirement 4: DNSSEC Validator MUST be able to be informed a ZSK MUST be flushed from cache. Ed: This can backfire. The signal has to be authenticated and pass an authorization test, lest this just be a massive DOS vector. (My explanation below applies to Req 5 too.)IMHO, there only difference between an emergency key rollover and a regular key rollover is simply that the former is unscheduled while the latter is. Given that the average validator won’t know the schedule for key rollovers, there’s no difference between emergency and not. So I’d discard the distinction.There’s a need to remove bad data from the cache, and it’s not restricted to DNSKEYs or RRSIGs. It’s anytime an zone loads bad data - bad NS set, bad address records, etc. While a zone administrator will know to signal when this happens, they can’t enumerate the validators that have the bad information. (No, no you can’t - even if think you can scour the query packet IP addresses you don’t know what forwarding had happened or what source address forgery happened.)I can’t think of any in-band way to fix this. Out-of-band, sure, but not in-band. Requirement 6: DNSSEC Validator MUST be able to be informed a KSK SHOULD be trusted as a Trust Anchor KSK. Ed: I suppose I should ask “informed” by whom? The zone administrator - no. The validator administrator - yes. (As in local policy rulz.) Problem is - who’s the validator admin?7. Invalid RRSIG Requirement 7: DNSSEC Validator MUST be able to be informed that a KSK or a ZSK MUST NOT be used for RRSIG validation. Unlike "flushing", "MUST NOT be used" means the issue is not a synchronization issue, but that legitimate keys are invalid. Such Keys are known as Negative Trust Anchors [I-D.livingood-negative-trust-anchors]. Ed: “legitimate keys are invalid” doesn’t read well. What if I scrape keys from last year’s zone file and try to reply them. The keys will not be valid (assuming a rollover schedule on a monthly or quarterly basis). But are they legitimate? At this point I gave up on trying to pick points...
- [DNSOP] Fwd: New Version Notification for draft-m… Daniel Migault
- Re: [DNSOP] Fwd: New Version Notification for dra… Edward Lewis