IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones

Michael StJohns <msj@nthpermutation.com> Mon, 06 January 2020 23:03 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF05912007C for <dnsop@ietfa.amsl.com>; Mon, 6 Jan 2020 15:03:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RKhOqN7aHQ58 for <dnsop@ietfa.amsl.com>; Mon, 6 Jan 2020 15:03:14 -0800 (PST)
Received: from mail-qt1-x841.google.com (mail-qt1-x841.google.com [IPv6:2607:f8b0:4864:20::841]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A2AD120041 for <dnsop@ietf.org>; Mon, 6 Jan 2020 15:03:14 -0800 (PST)
Received: by mail-qt1-x841.google.com with SMTP id w47so43845537qtk.4 for <dnsop@ietf.org>; Mon, 06 Jan 2020 15:03:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=Y0DtkUdR7lUsKiv/LmbgxJSOkOINikkyOtlYJVCBvv0=; b=tvzNguLKp9sVLB0lIMvYcYu5cI+878/s/2C7RJ18pR4iFBVQMzF6MIKOrbRRfs5suC 8riQ2jv6cfk8Lsh1Cb49EjWkZokN9akN8p/OOoeI6Af1Fm/OnMxVlA1MB+p0ootQtaev 6i5aXbcHsbvRMad/vqSndALMKKzTuUnmHt88nDNhm5NelpUXG07js7yC3qgR77q1TEjn hN//Ijrf6UxZZfvHTJwmmBo7Oyry9bRCH2otyIrFDYMHbhhbr5MkgIGR73mPz1KER6TF X1ktupBtqNDSxaj++vrV7XsH3T8bN+f0J6ZiVTojZs+9fFVO4aFJ19+l7X+8LMOvZfy6 FIFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=Y0DtkUdR7lUsKiv/LmbgxJSOkOINikkyOtlYJVCBvv0=; b=PFIKrnDzbOv0mAt3Zvr+n7vzOo5vKDQe1hjWV9HycDw180MGrvR2PbDvSfypSyx/HJ otaBtgF6xwxA19FOKr70YJLzz/plqRAuMRyWLKb8BKjmIP4bA8Vo90lLM6N0oRcZi+MX sBxJYZRYho4NcFxaCeuKveT5qnTDBzYhpHI2OdonYS8GrLG5++C95wsWP8xWHb4l5i11 Kp5QPxdcWpM5y34E/rjblVn9OCEg5jB4qUerbPao3XYVJKZBCpFQwlHy5zhmMBo1WUIc 9/9AFKSGtPKKdOyrTGjvVeSMwVuj5GTGYFznY/wrrNOgImmj7TJ3gcLuoqagw/iS9p2q YyMg==
X-Gm-Message-State: APjAAAVWnS9nlR2/+jgpVrVa8gNfbRXga01g3rcBFf254Naz3DCsy3D7 7+RywHoCr2jy72BIh0Oyt3f1K0Mfm70=
X-Google-Smtp-Source: APXvYqzuQgd6jqIvhEcdjgX0Q5gYnLgBTl4n83BRHFA9NnPDN3MRXE5inWCN5z3821/8bqEqWbDyYQ==
X-Received: by 2002:ac8:709a:: with SMTP id y26mr77143622qto.304.1578351792630; Mon, 06 Jan 2020 15:03:12 -0800 (PST)
Received: from ?IPv6:2601:152:4400:437c:60c9:c159:93da:c173? ([2601:152:4400:437c:60c9:c159:93da:c173]) by smtp.gmail.com with ESMTPSA id 124sm13527156qko.11.2020.01.06.15.03.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 06 Jan 2020 15:03:12 -0800 (PST)
To: John R Levine <johnl@taugh.com>
Cc: dnsop@ietf.org
References: <20200106171326.E0E1E120301E@ary.qy> <54ddbdea-50c5-42eb-aa0c-bff4bb2d3bcc@nthpermutation.com> <alpine.OSX.2.21.99999.374.2001061311150.74676@ary.qy>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <535932c3-dbc6-ee2a-4804-ffdb691981da@nthpermutation.com>
Date: Mon, 06 Jan 2020 18:03:10 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <alpine.OSX.2.21.99999.374.2001061311150.74676@ary.qy>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TnNhJUflOETd_jmOOiCYz2IPHg8>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jan 2020 23:03:17 -0000

On 1/6/2020 1:48 PM, John R Levine wrote:
>>> Well, OK, here's a concrete example.  I download the COM zone every
>>> day from Verisign, and also a separate file with an MD5 hash of the
>>> main file.  Using RFC 2119 language, what do I do if the hash I get
>>> doesn't match their hash? ...
>
>> Ok - you've described half of this - the download and the 
>> validation.   Let's move on to the use.   E.g. you now have a zone 
>> with a good ZONEMD - you throw it into what application?   Or you now 
>> have a zone with a bad (unable to validate) ZONEMD, do you still 
>> throw it into the application. Does the application check the ZONEMD 
>> or did you do that manually?   If you throw the zone into the 
>> application without validation then what?   Do you retry to download 
>> it?  How often and how long between tries?
>
> No matter how many times you ask, the answer is the same: it depends 
> on the application.

*Sigh* Not exactly.  If you have no automated applications that will use 
this, then it depends on the human and I think that's what you mean by 
"application".  Otherwise, I think you'll find that most automated 
applications will want to (or probably should want to) use the same logic.

>
> If it's an AXFR to a secondary authoritative server you might do one 
> thing, if it's someone collecting stats on TLD zone files, they might 
> do something else.
>
> I don't see any benefit to anyone to try to guess how people we don't 
> know will use this in applications we don't know about at unknown 
> times in the future.  Not only are we not the DNS Police, we're not 
> the Omniscient DNS Experts either.
>
>> Please provide a general rule for automated handling of failed 
>> validations.
>

> "Do the same thing you do now when a zone is invalid."

Given that there's no fixed definition of when a "zone" is invalid, I 
don't think I can do the "same thing"?     See below for a screed on 
data protocol vs transport protocol.


The all of these are transport protocol violations and each and every 
one (except possibly the AXFR one?)  of them results in "reject the 
message as being invalidly encoded".     And I'm pretty sure that each 
and every one of these has specific language that says what to do in 
some RFC.

>
> Do the same thing you do now when a name is more than 255 octets.
>
> Do the same thing you do now when a RR has an RRTYPE of 252 or 255.
>
> Do the same thing you do now when an SOA isn't long enough to include 
> all seven fields, or the SOAs at the beginning and end of an AXFR 
> don't match.
>
> Do the same thing you do now when a TXT character string is longer 
> than the RR's RDLENGTH.
>
> Do the same thing you do now when the offset in a compressed name 
> points past tne end of the packet, or the pointers create a loop.
>
> I'm sure you can come up with others.


DNS is both a transport protocol and a data protocol.  In the beginning, 
the data protocol was pretty simple:   Change a record in the database 
and change the SOA serial at the same time.   The client data protocol 
was mostly "did the name resolve after following the NS records from the 
root?".  The primary to secondary protocol was "did the SOA change, if 
so download the zone again".  There were optimizations here, but that's 
really all there was.   Even then you could find things like lame 
delegations that were violations of the data protocol, but mostly those 
were readily identifiable even from the client side.

Then came DNSSEC.  Which had the effect of turning the zone database 
from a completely incoherent set of data (e.g. records except within 
RRSets were mostly not related to other records and changes to one did 
not require changes to others - exceptions such as CNAME with their 
special handling excepted, and of course SOA serial which provided a 
hint to the secondaries), to a partially coherent database (e.g. 
additions and deletions of names required changes to NSEC/NSEC3, 
additions or changes to an RR within an RRSet required updates to the 
signature records, changes to the DNSKEYs required changes to the DS 
records in the parent zone etc).   DNSSEC still can have data protocol 
errors that can creep in that aren't trivially identified by normal 
query validation failure (e.g. old signatures, names where NSEC says 
there aren't supposed to be names, missing names  or records where NSEC 
says there are supposed to be names), and we still don't actually know 
what to do - automatically - when DNSSEC validation fails.  E.g. what 
action does your home MTA take when DNSSEC validation fails on an 
outbound message server name lookup?   How about for IOT clients phoning 
home?   Yes, the last two may be per-application treatment of validation 
failure, but I don't think ZONEMD falls into the same category.   Note 
that there are a number of other interesting corner cases (E.g. CNAME 
reference from a secured zone to an unknown or untrusted zone generally 
gets reported as secure rather than unknown or untrusted).

Now comes ZONEMD which wants to make a zone database wholly coherent - 
ANY change in the contents of the zone will result in changes to the 
ZONEMD record and to verify it, you MUST download exactly the same data 
as was digested previously.  Unlike changes to the SOA serial, this 
record binds the entire zone to be a very specific set of bits.

AFAICT, ZONEMD verification will output one of "valid" (hash matched), 
"secure valid" (hash matched and ZONEMD chained), "unknown" (no ZONEMD) 
or "invalid" (hash did not match or ZONEMD did not chain when it was 
supposed to), or "???"  (I was told there was an ZONEMD - but its not 
here - where's my ZONEMD?  or Why are there 6 ZONEMD records and why are 
3 duplicates?? or other failures of the data protocol that a well 
meaning human might introduce).

Are you telling me that making a recommendation to a receiver covering, 
even skimpily,  those 4 cases at the front of the RFC for what it should 
do for each of these outputs is out of scope for the document?   OK - 
then I say this is no better than an EXPERIMENTAL RFC.

Later, Mike


>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly

v2.23.0 | Report a Bug | By Email