[DNSOP] Re: Secdir early review of draft-ietf-dnsop-compact-denial-of-existence-04

Shumon Huque <shuque@gmail.com> Wed, 31 July 2024 02:22 UTC

References: <172238346320.1988233.11549951810315868557@dt-datatracker-659f84ff76-9wqgv> <d62f53f0-fe73-4e35-84cb-ddda704a73eb@brokendns.net>
In-Reply-To: <d62f53f0-fe73-4e35-84cb-ddda704a73eb@brokendns.net>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 30 Jul 2024 22:22:43 -0400
Message-ID: <CAHPuVdXYqoKjeO18kXoud2YO6KO_FL=m2xSjqQ7QdwV2mLi8Qg@mail.gmail.com>
To: Michael Sinatra <michael@brokendns.net>
CC: dnsop@ietf.org, bew.stds@gmail.com
Subject: [DNSOP] Re: Secdir early review of draft-ietf-dnsop-compact-denial-of-existence-04
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SLc35pz2Ay41sutrUW4FiM_cd94>

Thank you Michael,

Your observation is certainly true. However, I want to point out that the
inability to synthesize NXDOMAIN via aggressive negative caching applies to any
online signing scheme that uses minimally covering NSEC, not just Compact DoE.

Your suggestion to explicitly mention the impact on mitigation of certain
classes of attacks sounds reasonable to me. We'll review the proposed text in
your PR.

Are there good references we can cite for water torture and random subdomain
attacks?

Shumon

On Tue, Jul 30, 2024 at 8:59 PM Michael Sinatra <michael@brokendns.net>
wrote:

> I have also added a nit (as an Issue) to the github repo for this doc,
> as I'd like the authors consider explicitly stating that the inability
> for resolvers to synthesize NXDOMAIN responses for zones using this CDoE
> mechanism can make certain DOS attacks (e.g. Water Torture) more
> effective than with plain NSEC.
>
> https://github.com/shuque/id-dnssec-compact-lies/issues/6
>
> I realize that a close read of Section 5 of the draft makes it clear
> that RFC 8198 aggressive ncaching won't work, but it might be useful to
> also call that out as a security consideration (i.e. the effectiveness
> of Water Torture relies on the *lack* of negative caching).  Happy to
> discuss further if the authors desire.
>
> michael
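The following is an added example, written for this archive page and not taken from the thread, the draft, or any resolver implementation. It simulates the point made in Shumon's reply and in Michael's review comment: a resolver applying RFC 8198 aggressive negative caching can reuse a cached NSEC from a pre-signed zone to answer later queries for nonexistent names, but it gets nothing reusable from a minimally covering NSEC produced by an online signer. Assumptions made here: the Compact DoE NXDOMAIN response is modelled as an NSEC owned by the query name whose next name is the immediate successor `\000.qname` (the construction the draft describes); the RFC 4470 variant uses an abbreviated predecessor (only the first label is decremented and padded with 0xFF octets, without the extra padding labels RFC 4470 appends); the three-name zone, the probe names and the resolver cache are constructed, and RFC 8198 details such as TTL handling and same-zone checks are omitted.

```python
"""Simulated RFC 8198 aggressive negative cache versus NSEC record shape.

Constructed example: a pre-signed zone with wide NSEC gaps lets a resolver
synthesize NXDOMAIN for many later queries from one cached response, while
minimally covering NSEC records from an online signer (Compact DoE or
RFC 4470 style) cover no other name and so force every query upstream.
"""
from dataclasses import dataclass


def labels(name):
    """Split a presentation-form name into lowercase byte labels (root stripped)."""
    name = name.rstrip(".")
    return [lab.lower().encode("latin-1") for lab in name.split(".")] if name else []


def canonical_key(name):
    """RFC 4034 section 6.1 canonical order: compare labels right to left,
    bytewise; a name that is a proper suffix of another sorts first."""
    return tuple(reversed(labels(name)))


@dataclass(frozen=True)
class NSEC:
    owner: str
    next: str


def covers(nsec, qname):
    """True if qname sorts strictly between owner and next name.
    A next name at or before the owner is the zone apex (chain wraparound)."""
    o, n, q = canonical_key(nsec.owner), canonical_key(nsec.next), canonical_key(qname)
    if n <= o:
        return q > o
    return o < q < n


def closest_encloser(qname, nsec):
    """Closest encloser implied by a covering NSEC: the longer common suffix of
    qname with the owner name or with the next name."""
    q = canonical_key(qname)
    best = ()
    for name in (nsec.owner, nsec.next):
        k = canonical_key(name)
        i = 0
        while i < min(len(q), len(k)) and q[i] == k[i]:
            i += 1
        best = max(best, q[:i], key=len)
    return ".".join(lab.decode("latin-1") for lab in reversed(best)) or "."


class Resolver:
    """Minimal validating cache: synthesizes NXDOMAIN only when a cached NSEC
    covers qname and another cached NSEC covers *.<closest encloser>."""

    def __init__(self, authoritative):
        self.auth = authoritative          # callable: qname -> list of NSEC
        self.cache = set()
        self.upstream_queries = 0

    def _synthesizable(self, qname):
        for rec in self.cache:
            if covers(rec, qname):
                wildcard = "*." + closest_encloser(qname, rec)
                if any(covers(r, wildcard) for r in self.cache):
                    return True
        return False

    def resolve(self, qname):
        if self._synthesizable(qname):
            return "NXDOMAIN (synthesized from cache)"
        self.upstream_queries += 1
        self.cache.update(self.auth(qname))
        return "NXDOMAIN (from authoritative)"


# Constructed pre-signed zone: apex "example" with only a.example and d.example.
PRESIGNED_CHAIN = [NSEC("example", "a.example"), NSEC("a.example", "d.example"),
                   NSEC("d.example", "example")]


def presigned_auth(qname):
    """Pre-signed zone: return the chain records covering qname and the
    wildcard at its closest encloser (qname is assumed not to exist)."""
    answer = [r for r in PRESIGNED_CHAIN if covers(r, qname)]
    wildcard = "*." + closest_encloser(qname, answer[0])
    return answer + [r for r in PRESIGNED_CHAIN if covers(r, wildcard) and r not in answer]


def compact_doe_auth(qname):
    """Online signer, Compact DoE form (assumed from the draft): NSEC owned by
    qname with next name \\000.qname, so the covered interval is empty."""
    return [NSEC(qname, "\x00." + qname)]


def rfc4470_auth(qname):
    """Online signer with an RFC 4470-style minimally covering NSEC. Abbreviated
    predecessor (assumption): decrement the last octet of the first label and
    pad that label with 0xFF; the successor is \\000.qname."""
    first, rest = qname.split(".", 1)
    pred = first[:-1] + chr(ord(first[-1]) - 1) + "\xff" * (63 - len(first)) + "." + rest
    return [NSEC(pred, "\x00." + qname)]


def upstream_queries_for(auth, names):
    """Number of queries a fresh resolver must send upstream for the batch."""
    resolver = Resolver(auth)
    for name in names:
        resolver.resolve(name)
    return resolver.upstream_queries


# Constructed batch of distinct nonexistent names, all in the a..d gap.
PROBE_NAMES = [f"c{i}.example" for i in range(200)]

if __name__ == "__main__":
    for label, auth in (("pre-signed NSEC", presigned_auth),
                        ("Compact DoE", compact_doe_auth),
                        ("RFC 4470 minimal", rfc4470_auth)):
        print(f"{label:18s}: {upstream_queries_for(auth, PROBE_NAMES)} of "
              f"{len(PROBE_NAMES)} queries reached the authoritative server")
```

Running it shows the pre-signed zone absorbing the whole batch after one upstream query, while both minimally covering forms send every one of the 200 queries upstream. That is the operational gap Michael's issue asks the security considerations to name: the caching-side relief that RFC 8198 gives a pre-signed zone against floods of distinct nonexistent names is simply unavailable to any zone served with minimally covering NSEC, whatever the online signer.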