Re: [DNSOP] new dnsop related draft: RFC5011 security considerations

Wes Hardaker <wjhns1@hardakers.net> Wed, 03 August 2016 17:38 UTC

Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6A9112B01E for <dnsop@ietfa.amsl.com>; Wed, 3 Aug 2016 10:38:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level:
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rgwyfh6THuZG for <dnsop@ietfa.amsl.com>; Wed, 3 Aug 2016 10:38:10 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.236.43]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4557012D798 for <dnsop@ietf.org>; Wed, 3 Aug 2016 10:38:10 -0700 (PDT)
Received: from localhost (50-1-20-198.dsl.static.fusionbroadband.com [50.1.20.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.hardakers.net (Postfix) with ESMTPSA id 15713261A0; Wed, 3 Aug 2016 10:38:06 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Matthijs Mekking <matthijs@pletterpet.nl>
References: <0lfuqoqhd7.fsf@wjh.hardakers.net> <99f615b9-15e6-d034-3926-83e273df6870@pletterpet.nl>
Date: Wed, 03 Aug 2016 10:38:05 -0700
In-Reply-To: <99f615b9-15e6-d034-3926-83e273df6870@pletterpet.nl> (Matthijs Mekking's message of "Wed, 3 Aug 2016 14:44:31 +0200")
Message-ID: <0lvazhhhxe.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UQH-GPOcpUVEfsgY0j_X0gYZqdc>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] new dnsop related draft: RFC5011 security considerations
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2016 17:38:17 -0000

Matthijs Mekking <matthijs@pletterpet.nl> writes:

> 1. In the introduction you mention there is no guidance to how long a
> DNSKEY must be published before it can be considered accepted. Perhaps
> there is no implicit guidance in RFC 5011, you should be able to derive
> it from the timing parameters defined in that document.

I believe one can derive it, hence the reason we titled the draft
"security considerations".  IE, it's not the intent of the draft to
create anything new, just to more clearly document what is already true
(but misunderstood by most).

> In fact, it has been done before and RFC 7583 (DNSSEC Key Rollover
> Timing Considerations) gives guidance on exactly this in Section
> 3.3.4.

I need to study that document again (it's been a while) in order to
fully respond to your note, but I agree there is information in there
that is certainly relevant.  And we should certainly add a reference to
it as well, if this document needs to go forward.

In 3.3.4.1, we have:

    modifiedQueryInterval = MAX(1hr, MIN(15 days, TTLkey / 2))
    Itrp >= AddHoldDownTime + 2 * modifiedQueryInterval

And in our document, I just realized, fails to define the "safe"
equation that we came up with.  But our safe value came out to be:

    Itrp >= AddHoldDownTime + 3 * SignatureLife / 2 + 2 * TTLkey

We'll go add that equation into our document (which I was sure we had
put in, but apparently not) and republish shortly.

> 2. The outlined attack is possible because the defined queryInterval is
> approximately done at the half of the RRSIG expiration interval. If the
> queryInterval was to be increased that it would be at most the full
> expiration interval, the replay attack cannot be successfully executed.
> While this makes the DNSKEY rollover duration even longer, it is now
> secured against the outlined attack.

I don't think we need to modify 5011 itself.  Just how to use it.

-- 
Wes Hardaker
Parsons