Re: [DNSOP] Comments on DS Publication draft
"George Barwood" <george.barwood@blueyonder.co.uk> Thu, 11 November 2010 22:20 UTC
Return-Path: <george.barwood@blueyonder.co.uk>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1BFF63A67C3 for <dnsop@core3.amsl.com>; Thu, 11 Nov 2010 14:20:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.554
X-Spam-Level:
X-Spam-Status: No, score=0.554 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_BLUEYON=1.4, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5YJZNpt6V9Zm for <dnsop@core3.amsl.com>; Thu, 11 Nov 2010 14:20:16 -0800 (PST)
Received: from smtp-out4.blueyonder.co.uk (smtp-out4.blueyonder.co.uk [195.188.213.7]) by core3.amsl.com (Postfix) with ESMTP id 6CC643A68AD for <dnsop@ietf.org>; Thu, 11 Nov 2010 14:20:16 -0800 (PST)
Received: from [172.23.144.250] (helo=asmtp-out6.blueyonder.co.uk) by smtp-out4.blueyonder.co.uk with esmtp (Exim 4.52) id 1PGfVX-0002Op-UA; Thu, 11 Nov 2010 22:20:40 +0000
Received: from [92.238.99.235] (helo=GeorgeLaptop) by asmtp-out6.blueyonder.co.uk with smtp (Exim 4.52) id 1PGfQG-0001wu-Na; Thu, 11 Nov 2010 22:15:12 +0000
Message-ID: <5D4DF4FC312644CE96DA636906C34DA3@local>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Rickard Bellgrim <rickard.bellgrim@iis.se>, dnsop@ietf.org
References: <F27EDA31-5A71-42F8-B7BF-D5B1E8ACBCA1@iis.se>
Date: Thu, 11 Nov 2010 22:15:20 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
Subject: Re: [DNSOP] Comments on DS Publication draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Nov 2010 22:20:18 -0000
----- Original Message ----- From: "Rickard Bellgrim" <rickard.bellgrim@iis.se> To: <dnsop@ietf.org> Sent: Wednesday, November 10, 2010 3:53 PM Subject: [DNSOP] Comments on DS Publication draft > Hi > > I have some comments on the document draft-barwood-dnsop-ds-publish-01: > > 1. Introduction (3rd paragraph) > It is not always the case that the child is the one defining the DS RRset. Some parents wants (for some reason) to create the DS RRset based on their own policy (choice of hash) and based on what DNSKEY RR the child send in. I'll take your word for this, but this practice seems a "very bad idea" to me. I cannot see any justification, it just creates future inter-operability barriers and obstacles for the introduction of new hash algorithms in future. It seems incompatible with the CDS concept ( or at least implies some complication ). As the draft states, the ability to publish an arbitrary DS record in the parent may be valuable in future, so it seems wise to retain that option. > 1. Introduction (5th paragraph) > The CDS RR would not be used for automation of rollovers but rather the automated key exchange from child to parent. (Key exchange is one step in the rollover process) Well yes, it enables automation (and this is the main motivation for the draft), it clearly is not the complete process. I will amend the language in the next version. > 3. Resource Record Format (3rd paragraph) > I do not think you should limit what key type can be used for creating the signature for this RRset. As long as the parent can verify it using the previous DS RRset via the child's DNSKEY RRset. In fact, forcing the use of KSK for this RRset's signature will break some assumptions in the key timing draft. Can you be more explicit about how it conflicts with the key timing draft? The logic for restricting the key type is that where a ZSK private key is kept online, a breach of security would not allow the parent DS to be disrupted ( and such disruption could be difficult to reverse ). This seems a solid advantage, and I don't see any disadvantage. > 3. Usage (1st paragraph) > How do you know what name server to send the NOTIFY to? SOA MNAME? Configurable option? Service discovery? etc The draft says "a name server for the parent zone". Is that not clear? It means any one of the servers defined by the parent NS RRset. I don't see any need for a more complex mechanism, but suggest a more complex mechanism if you think that is an improvement. > 3. Usage (2nd paragraph) > I think you should change the SHOULD to a MUST: "The parent zone MUST attempt to authenticate" Ok. > 3. Usage (2nd paragraph) > "If the authentication succeeds or yields Insecure, extra security checks are not normally necessary" > This statement makes it possible to do a DoS on this zone. An attacker could send a DS to the parent in the name of the unsigned child. This means that this draft should only be used after that the first initial key exchange has been done, where the parent can actually use DNSSEC to verify the changes. > I suggest it's up to the policy of the parent zone ( and policy is not best dealt with here). An insecure zone is clearly insecure until it is signed. This possibility would encourage owners of child zones to sign the zone, as once signed this vulnerability disappears. In practice most parent zones would probably require some manual step in addition ( using the same access as is currently used to maintain the NS RRset in the parent ). But the alternate policy has an incentive effect, so should be permitted I think. > 3. Usage (3rd paragraph) > Nothing prevents you from having a DS RR pointing to a zone signing key. Thus no need to do this check. > 3. Usage (7th paragraph) > And since I am trying to remove the constraint on only using a KSK to create a signature for this RRset, you should also change: > "where a key signing key has been compromised" > to > "where a key has been compromised" Thanks for your comments. Would you support the adoption of this draft by the WG? - George > // Rickard > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] Comments on DS Publication draft Rickard Bellgrim
- Re: [DNSOP] Comments on DS Publication draft George Barwood
- Re: [DNSOP] Comments on DS Publication draft Stephan Lagerholm
- Re: [DNSOP] Comments on DS Publication draft Rickard Bellgrim
- Re: [DNSOP] Comments on DS Publication draft Stephan Lagerholm
- Re: [DNSOP] Comments on DS Publication draft Olafur Gudmundsson