IETF Logo Mail Archive

Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec

Shumon Huque <shuque@gmail.com> Mon, 27 January 2020 19:35 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A40663A0A5B; Mon, 27 Jan 2020 11:35:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.085
X-Spam-Level:
X-Spam-Status: No, score=-2.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LNgt16o52hnm; Mon, 27 Jan 2020 11:35:10 -0800 (PST)
Received: from mail-oi1-x22a.google.com (mail-oi1-x22a.google.com [IPv6:2607:f8b0:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 092D33A09EE; Mon, 27 Jan 2020 11:34:59 -0800 (PST)
Received: by mail-oi1-x22a.google.com with SMTP id z64so7847089oia.4; Mon, 27 Jan 2020 11:34:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iA1xvGmGDTVDMlq0h7+Kzj39Z9EedFrXVo2JTR0lRdM=; b=Xs1K4Bq5546/hpNXwgSjMQbYXO8L/4V9G3m6ZD7u4HzGhUX3UBARbqB960sZtEemvU qGlklxnDXTHpNEBXGecdNrzS0uFJBKUX0zKEA/1niUwnHfVR07abUYbC1IdQn5HBoUGk 07EYuFG5XYMFAQIzUNjCWRSrPPGNKkePqHMtTFJuA2v1AbzWl7z8UMEpOVryl91YGW3v hvRzFab00qcPrep428IpNNuT8/rrHF82z79ThAmVPnE1Nck2s+f9DFNMOwZKbGThwRrC dAQUFe6fm8qcMx054iDItmcei1V4KvEabRP2tmhYpaC3snF3U2D3RwQoPMwQ4IUS8TZR rp3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iA1xvGmGDTVDMlq0h7+Kzj39Z9EedFrXVo2JTR0lRdM=; b=hoMzvkOjUruJy28if/9fj+JriQMutjClqkCrH/4Z/O80PBabPIQ//V8BAtbjLxhYxk Ibpjjc6UGY+3wsIJLpfSxJ2tFXo+BTqRA6zy3ZIupeFDiNuMDB6TGyaN6bHMe6INXS84 BqCxa3d1fA087faQzIiA8FuHlcgU+u0Foo/FJnRN2jtqqjoJe1MD2pB5wmVVN0MYRHoe 7LG3z47wa18pFW87OwSPicpTmuQluJwT+h3bSKCp52gObzatU23nOJYRX14zoEahrH/R 1RKqEGcz/482D+r6OiQzuFDwAWbkcuWDPRb2HYOehJGKRPsVPTQkguTGslIFZDYOPz/p Qyvw==
X-Gm-Message-State: APjAAAUvHv65hqgo0pIx94JMshr+bU3fVF2ciXjtzj4s2jy3BSuYyCmZ ofjgUMIE7I4h+j1x3IHk78FSCAVjNQrGp5oUZNUaSgeb
X-Google-Smtp-Source: APXvYqx0KAAGQBiZmmRo8v26t7WuOUilFMqCSr5pVvx0bdAAdFeTNiAsmFTXPw6rOlmT8VxZcSUVAN2p8O66dcuj3Gg=
X-Received: by 2002:aca:bb41:: with SMTP id l62mr451335oif.96.1580153698416; Mon, 27 Jan 2020 11:34:58 -0800 (PST)
MIME-Version: 1.0
References: <CAHw9_iLFuSbdA2TFS4Qd2dAzDFJyJgfQGY1+T2c2JQZ3WTat_A@mail.gmail.com> <CAHPuVdUUeLx59B0SrzmFazd_rqUm1kU-ARG-LBEYa4jFQyaH3Q@mail.gmail.com> <3fb01cba-9558-531c-5764-9c34b111545b@pletterpet.nl> <CAHPuVdWNAJbGm=j96149Sb9gig1QuAyCXyVbsZY0BzhpP_DV3g@mail.gmail.com> <8af57aeb-66c5-fbb8-b62f-890a82c9d94e@pletterpet.nl>
In-Reply-To: <8af57aeb-66c5-fbb8-b62f-890a82c9d94e@pletterpet.nl>
From: Shumon Huque <shuque@gmail.com>
Date: Mon, 27 Jan 2020 14:34:47 -0500
Message-ID: <CAHPuVdXFQfpR__mxkJsCC9Fq3xtSaZHPuN-6VM=ZE4KmoGFhNA@mail.gmail.com>
To: Matthijs Mekking <matthijs@pletterpet.nl>
Cc: draft-ietf-dnsop-multi-provider-dnssec@ietf.org, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e27f73059d243378"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BTvY1CDWOO1o5JFPGDXoCXkHGc8>
Subject: Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jan 2020 19:35:17 -0000

On Tue, Jan 21, 2020 at 11:41 AM Matthijs Mekking <matthijs@pletterpet.nl>
wrote:

> Shumon,
> On 1/21/20 4:05 PM, Shumon Huque wrote:
> >
> > This also begs the question: should we (in another document) update RFC
> > 4035, Section 2.2 (last paragraph) to relax or eliminate the rule, if in
> > fact it is being ignored?
> >
> > Frankly, I've always been a bit perplexed by this text, since it has no
> > accompanying rationale. The only compelling rationale I see is downgrade
> > protection - to detect that someone hasn't stripped away the signatures
> > of a stronger algorithm and forced a validator to authenticate only the
> > weaker signatures. But that implies that validators have a documented
> > procedure to rank algorithms, which I haven't yet seen. Is a 3072-bit
> > RSASHA256 key stronger or weaker than an ECDSAP256SHA256 key for
> > example, or Ed25519 vs ECDSAP256SHA256?
>
> Yes, this is exactly the rationale, and it is a valid one. And this is
> how unbound works, see
> https://nlnetlabs.nl/documentation/unbound/info-algo/ for more
> information.


Thanks for that pointer.

The downgrade protection rationale is in contradiction with the spec
though. Unbound is going significantly beyond the spec, although the
stated rationale is to require all algorithm paths to authenticate,
rather than the strongest available path.

To quote https://tools.ietf.org/html/rfc6840#section-5.11 (last
paragraph):

   This requirement applies to servers, not validators.  Validators
   SHOULD accept any single valid path.  They SHOULD NOT insist that all
   algorithms signaled in the DS RRset work, and they MUST NOT insist
   that all algorithms signaled in the DNSKEY RRset work.

Furthermore, the above paragraph appears to me to be at odds with the
requirements about signatures being present for every algorithm in
the DNSKEY/DS RRsets. Given the above rule for validators (which
incidentally precludes downgrade protection), the only requirement for
interoperability on the part of authority servers is to ensure that
one valid authentication path always exists (and not to require signing
by every algorithm present).

I'm disregarding for the moment the somewhat outdated wording in the
specs about algorithms required to "sign the entire zone" - which doesn't
contemplate the existence of online signers, which only generate signatures
on demand for queried names. The authority server requirement also causes
a problem for the case that Steve Crocker raises, about moving a signed
zone from one operator to another, where the operators support disjoint
algorithms.

I agree in principle, that absent other information, algorithm downgrade
protection is probably a good thing. But in the general case, a validator
cannot know the intentions of the zone owner's use of multiple algorithms.
And the distinct-algorithm + multi-provider DNSSEC case is one where this
can pose a deployment problem.

In any case, I don't think we can quickly resolve this issue in favor
of an approach that works reliably for our draft. So I will take your
suggestion and and put in the "must" language about same algorithms.

If we encounter real deployments in the field that require a solution
to this problem, we can revisit it in a future revision.

-- 
Shumon.

v2.23.0 | Report a Bug | By Email