Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-rfc8109bis
Bob Harold <rharolde@umich.edu> Fri, 06 October 2023 12:20 UTC
Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D444C137362 for <dnsop@ietfa.amsl.com>; Fri, 6 Oct 2023 05:20:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tCtkv1y2bsbD for <dnsop@ietfa.amsl.com>; Fri, 6 Oct 2023 05:20:29 -0700 (PDT)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8192C1526E9 for <dnsop@ietf.org>; Fri, 6 Oct 2023 05:20:29 -0700 (PDT)
Received: by mail-wr1-x433.google.com with SMTP id ffacd0b85a97d-3247d69ed2cso1977432f8f.0 for <dnsop@ietf.org>; Fri, 06 Oct 2023 05:20:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; t=1696594827; x=1697199627; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=IY1zfNJ9IaRUF+OIXV62kDpTJlO+Li4dgshusMygPl0=; b=sQhO7Gy7MtdvwQIuiOWNUALC3zICpcjjQD2LM6H3TdYXKG7C45KCVa8UvkpCrGPpj3 VVVMYgOo0l3MPK3tzuHPUKFv0FqTdCJWXKwL3orWY/9TdcNBq5+csQ2hhxgMBNXWlT4o d63QgPvCLDrM/AE5P30Vi4yycBVrmqEXR35UlRNqQsqlTKLzlrmJQVByu/kAtmeOvqOp yg6erKHLM0H84vFGzwoKb2PNiyB1XqvVaqo8iyQ4iCxHarsfIsdqtV9wYyEGkNWzfiCN qjUK6qMZ3nBCrgZvwjQyVdgGKLpbuN1cdJrQ6LfsDgDZS4A2nWDAhPwuBXzmtAFpqUpD V/7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696594827; x=1697199627; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=IY1zfNJ9IaRUF+OIXV62kDpTJlO+Li4dgshusMygPl0=; b=pqYxqTBlDJ/8wjPvY2NYTCoVILHaCwGPCPmoAqYpiM/zxOc/1xSbIQxaB0nPlqzYJs pDItZkD2cEQp/OhnD/0lgzLATgC5SjuqvTXwbi11TlIVzoeyDI94E8LQhBh9DiBsR2A+ PwyDFa67PWVUvfgcxNxp/vtDKQ7cnCD55nagAA105YAs8w3ZYD09pMQIrVH/w5sld0He 5xWQbvilIz1qsqvRr+J/TtzsakFe8pKt+yyyCKeeNOR0rilZvJtfTz8z2WB9ONbxU6+g j2o3oxZ6awxIBA+RN1+v8bN9qdVqcY7w3TANpzgu1hry/bD80SfkPZHW2LZSxqfKbTcD oGNA==
X-Gm-Message-State: AOJu0Yzg1H8CPRqRtQY0olCAHieAHyOmQULfDaoyE/SF0tIIPTm40Adj kTJ+NQFgPKVD+uBoUNHSahuC2u1EOODTIjg7G4DI1A==
X-Google-Smtp-Source: AGHT+IF4gmzZfqHaXPV38c01Jdqnkx0kHXvaa/yOTkxP2/zAkcFSiKRFvGC23BKhsobQnvVbYT9ag1X1QpV9/BNmVvw=
X-Received: by 2002:a5d:4b11:0:b0:31a:e772:ddf6 with SMTP id v17-20020a5d4b11000000b0031ae772ddf6mr7738797wrq.39.1696594827500; Fri, 06 Oct 2023 05:20:27 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+EwQrGVrBXzxnO2=UiXPYks+q0cjDN7YmWVCPwG=Ai0iA@mail.gmail.com> <46b9c5d8-821d-ea1e-61b4-da5754be020e@desec.io> <3b56f445-cc96-0db1-3b89-05f803c53820@NLnetLabs.nl> <ca9b3a06-9dc5-db2a-753e-68cb8a225235@desec.io> <CADyWQ+HdY0a8XZequboCqWh7-AaiOK7Wk_8aOTzZwp+T1tMaCQ@mail.gmail.com> <8AA90E43-3D69-4E6A-AF5B-688FB1554DA2@icann.org>
In-Reply-To: <8AA90E43-3D69-4E6A-AF5B-688FB1554DA2@icann.org>
From: Bob Harold <rharolde@umich.edu>
Date: Fri, 06 Oct 2023 08:20:15 -0400
Message-ID: <CA+nkc8BQAG2vcZjonz8iHzXd-bZ392bL4VPfKGjzFpZpdd5TUA@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, Peter Thomassen <peter@desec.io>, Benno Overeinder <benno@nlnetlabs.nl>, DNSOP Working Group <dnsop@ietf.org>, DNSOP Chairs <dnsop-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000057dfe06070b4496"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/V20RgZuaxrQh0-K7csjwA3uFpFs>
Subject: Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-rfc8109bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Oct 2023 12:20:34 -0000
On Thu, Oct 5, 2023 at 6:16 PM Paul Hoffman <paul.hoffman@icann.org> wrote: > On Sep 14, 2023, at 18:46, Tim Wicinski <tjw.ietf@gmail.com> wrote: > > > We chairs heard back from the authors and we're pulling this working > group last call. > > We have turned in a -01 that addresses the initial comments in the WG Last > Call that the document had obvious labeled holes in it. One of those holes > had an old label on it, but the others needed filling, and we have done > that now. Whenever the chairs have another slot to start a WG Last Call, we > think this is now ready for it. > > --Paul Hoffman > https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8109bis-01 3.3. DNSSEC with Priming Queries The second paragraph confused me: "A machine-in-the-middle attack on the priming query could direct a resolver to a rogue root name server. Note, however, that a validating resolver will not accept responses from rogue root servers if they are different from the real responses because the resolver has a trust anchor for the root and the answers from the root are signed. Thus, if there is a machine-in-the-middle attack on the priming query, the results for a validating resolver could be a denial of service, or the attacker seeing queries while returning good answers, but not the resolver's accepting the bad responses." I took me a while to understand, but something like this is what I think it means, a little more clearly to me: A rogue server could return the proper NS RRset and signature, but fake A and AAAA records, since they are not signed, which would effectively block access to the root zone. But when a request is made for other records in the root zone (like delegation NS records for a TLD, its normal role in DNS resolution), those records are DNSSEC signed and can be validated, so a rogue server can only block service, not give wrong answers that pass validation. Could something like that be included? -- Bob Harold
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Joe Abley
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Geoff Huston
- Re: [DNSOP] Working Group Last Call for draft-iet… Geoff Huston
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Geoff Huston
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Benno Overeinder
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Bob Harold
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Shumon Huque
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Bob Harold
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Tim Wicinski