Re: [DNSOP] Empty Non-Terminal vs NXDOMAIN in draft-ietf-dnsop-nsec-aggressiveuse

Mark Andrews <marka@isc.org> Mon, 10 October 2016 22:15 UTC

In message <0BE787CD-3877-48C0-8BF9-3E15F605D314@dnss.ec>, Roy Arends writes:
> On 10 Oct 2016, at 21:39, Mark Andrews <marka@isc.org> wrote:
> >
> >
> > In message <EA312F37-2E4C-45E0-AF0A-B0A0663B73E8@dnss.ec>, Roy Arends writes:
> >> Having read the draft
> >>
> >> How does one distinguish an Empty Non-Terminal NODATA response from an
> >> NXDOMAIN response, solely by looking at the NSEC or NSEC3 records.
> >
> > NSEC:  Find the NSEC record that proves that there are no records
> > at the given name (note all of the owner, the next domain name and
> > the bit map need to be examined to do this).  If either the owner
> > name or the next domain name of that record is a subdomain of the
> > given name then it is an ENT otherwise it is an NXDOMAIN.
>
> Thanks Mark.
>
> There should be some guidance to this in the draft.
>
> To be complete, for NSEC3: each empty non-terminal has an NSEC3 record
> associated with it, so there is always a matching NSEC3 record.
>
> The issue remains with NSEC. It is possible to determine the difference.
> It is important to determine the difference. This method is not
> specified in the draft that encourages this local optimisation.
>
> Warmly
>
> Roy

If the NSEC record has not been verified as secure discard it.

If the given name sorts before or matches the NSEC owner name discard
it as it does not prove the NXDOMAIN or ENT.

If the given name is a subdomain of the NSEC owner name and the NS
bit is present and the SOA bit is absent then discard the NSEC as
it is from a parent zone.

If the next domain name sorts after the NSEC owner name and the
given name sorts after or matches the next domain name then discard
the NSEC record as it does not prove the NXDOMAIN or ENT.

If the next domain name sorts before or matches the NSEC owner name
and the given name is not a subdomain of the next domain name then
discard the NSEC as it does not prove the NXDOMAIN or ENT.

You now have an NSEC record that proves the NXDOMAIN or ENT.

If the next domain name is a subdomain of the given name you have
an ENT otherwise you have an NXDOMAIN.

> >
> >> There is an attack vector where an RCODE0 can be replaced by RCODE3 while
> >> keeping the rest of the response completely intact, causing an aggressive
> >> use enabled cache to deny existing records.
> >>
> >> These kinds of subtleties aren't described in the draft, as far as I can
> >> tell.
> >>
> >> Roy
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
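
The NSEC checks listed in the message above, written out as an added Python example (not code from the thread, the draft, or any resolver). The zone contents, the function names and the "secure" flag standing in for DNSSEC validation are assumptions made for the illustration; the function takes no RCODE input, so the ENT/NXDOMAIN answer comes from the NSEC record alone.

```python
# Added illustration (not from the thread) of the NSEC checks listed above.
# Assumption: names are plain presentation strings without escaped dots.

def key(name):
    """Canonical sort key (RFC 4034, 6.1): lowercased labels, rightmost first."""
    return tuple(l.encode() for l in reversed(name.lower().split(".")) if l)

def is_sub(child, parent):
    """True if child is a proper subdomain of parent (both are key() tuples)."""
    return len(child) > len(parent) and child[:len(parent)] == parent

def classify(qname, owner, next_name, types, secure):
    """Return "ENT", "NXDOMAIN", or None if this NSEC must be discarded."""
    q, o, n = key(qname), key(owner), key(next_name)
    if not secure:                      # not validated as secure
        return None
    if q <= o:                          # qname sorts before or matches owner
        return None
    if is_sub(q, o) and "NS" in types and "SOA" not in types:
        return None                     # NSEC at a delegation, from the parent zone
    if n > o and q >= n:                # ordinary span, qname at or past its end
        return None
    if n <= o and not is_sub(q, n):     # last NSEC in the zone wraps to the apex
        return None
    return "ENT" if is_sub(n, q) else "NXDOMAIN"

# Constructed zone: example.com, a.example.com, child.example.com (delegation)
# and x.y.z.example.com, which makes z.example.com and y.z.example.com ENTs.
DELEG = {"NS", "DS", "RRSIG", "NSEC"}   # bitmap of the NSEC at the delegation
LAST = {"A", "RRSIG", "NSEC"}           # bitmap of the last NSEC in the zone
CASES = [  # (qname, NSEC owner, next domain name, type bitmap, secure)
    ("z.example.com", "child.example.com", "x.y.z.example.com", DELEG, True),
    ("m.example.com", "child.example.com", "x.y.z.example.com", DELEG, True),
    ("www.child.example.com", "child.example.com", "x.y.z.example.com", DELEG, True),
    ("zz.example.com", "x.y.z.example.com", "example.com", LAST, True),
    ("m.example.com", "child.example.com", "x.y.z.example.com", DELEG, False),
]

def run_cases():
    """Classify every constructed case; returns a list of (qname, verdict)."""
    return [(c[0], classify(*c)) for c in CASES]

if __name__ == "__main__":
    for qname, verdict in run_cases():
        print(f"{qname:24} {verdict}")
```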