IETF Logo Mail Archive

[DNSOP] Comments on draft-wessels-dns-zone-digest-02

Edward Lewis <edward.lewis@icann.org> Thu, 09 August 2018 14:19 UTC

Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D65B7130E2E for <dnsop@ietfa.amsl.com>; Thu, 9 Aug 2018 07:19:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id czOo4rWZihPl for <dnsop@ietfa.amsl.com>; Thu, 9 Aug 2018 07:19:11 -0700 (PDT)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C5D9130E41 for <dnsop@ietf.org>; Thu, 9 Aug 2018 07:19:11 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 9 Aug 2018 07:19:09 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Thu, 9 Aug 2018 07:19:09 -0700
From: Edward Lewis <edward.lewis@icann.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: Comments on draft-wessels-dns-zone-digest-02
Thread-Index: AQHUL+vvqpBp9iR+tEaWUlJrtzK1fA==
Date: Thu, 09 Aug 2018 14:19:08 +0000
Message-ID: <6D6060CF-FD20-4D79-BF98-A4BE77011741@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.d.0.180513
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: text/plain; charset="utf-8"
Content-ID: <AA8859606DCF9A4385896D3B298BE213@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Tg6uuEuW167kIf3QlaHbaNphwj8>
Subject: [DNSOP] Comments on draft-wessels-dns-zone-digest-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Aug 2018 14:19:14 -0000

FWIW, this message was spurred by this comic strip [yes, today as I write]: http://dilbert.com/strip/2018-08-09.

"Will the time taken to generate and verify this record add to the security of a zone transfer?"

I understand that there is no protection for cut point or glue records now, nor any guarantee for the occluded records and there's a desire to cover them.  It would be great to have the whole zone (as a data structure) be subject to source integrity and authenticity protections.

But there are already mechanisms for this at the data set level.  (This is a "belts and suspenders" style argument.)  What if -err- when, in a zone's distribution, the glue records are either forged or simply fat-fingered?  That's covered, in a way that is more efficient - in a lazy evaluation way.  Mangled glue never referenced needs not be checked, when it is needed there's backup in the authoritative version.  If all else fails, DNSSEC will flag whatever response as suspect.

I don't know if this is documented, but at one time, prototype authoritative servers would validate all the signatures in a zone upon load (before setting the AD bit).  This was discarded as it made zone loading (and reloading) take f-o-r-e-v-e-r.  (I recall this mostly because I was on the losing end of the argument.)  Today, we assume the server can set the AD as it can trust what it gets from disk or from AXFR {which had better be done with channel security!}.

One concern is what or who makes the decision to enable ZONEMD for a zone.  We are marching toward more automation in NOCs, so this will be a buried parameter.  What happens if a zone grows astronomically over time, in the beginning the ZONEMD is on?  (Similarly, zone have had to transition from NSEC to NSEC3 with optout.)  File this under "fear, uncertainty or doubt" but it stems from how I see the operations of the DNS evolving.

In general, the proposal is more or less fine.  I don't know if it is feasible (speed of execution).  I don't know that it adds to the safety of the system (DNSSEC already protects at the data set level in the same manner this protects at zone load time).  I don't know if the added configuration knob is justified by the benefit (forgotten settings, "trusted-keys"-mania ?).

And ... returning to the comic strip ... "Your plan is dumb because it reminds me of something different that didn't work out." ;)  "History repeats."  And today I am wearing a blue shirt (but it's a Knot DNS shirt!).

v2.23.0 | Report a Bug | By Email