[DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.
Michael StJohns <msj@nthpermutation.com> Thu, 15 August 2024 16:21 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB079C1E0D86 for <dnsop@ietfa.amsl.com>; Thu, 15 Aug 2024 09:21:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JfkFFCAX2YbP for <dnsop@ietfa.amsl.com>; Thu, 15 Aug 2024 09:21:34 -0700 (PDT)
Received: from mail-qv1-xf2b.google.com (mail-qv1-xf2b.google.com [IPv6:2607:f8b0:4864:20::f2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3488CC1E0D9F for <dnsop@ietf.org>; Thu, 15 Aug 2024 09:21:27 -0700 (PDT)
Received: by mail-qv1-xf2b.google.com with SMTP id 6a1803df08f44-6bf6606363fso6003796d6.3 for <dnsop@ietf.org>; Thu, 15 Aug 2024 09:21:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20230601.gappssmtp.com; s=20230601; t=1723738887; x=1724343687; darn=ietf.org; h=in-reply-to:from:references:cc:to:content-language:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=UgYS/NCwslAtLWCA45MdDjN9DcmBq7lLRXYu97P0ZDE=; b=Wdw97lqzvYDU14AZg2pLfchdPjtAAYK1C2yYxjIxxi3QPMfQZc/lJ0Bf3M4BsDgBpf Sw58L7ZdKVqRw+XS2XZjwj6UN7CEwPJ4nBzV3FMc/QuHORpCkG4Dy35qO/WUCYpxMxDr Am8OGEqHzesU5v0GOZHHkz8TWuJGTIc2T+CoY1/0nOjU/ZlebZM6JwShu5zQF6laeCc0 3dL6ws9t2QYzpPq8qAWoiRuKMaYRw5FHQ9DRu2HvyaWLGD0jrvAB0Ll9caFrXiAlvSev 1ir7JaN2dXUrPe+PNovt+GDnJ5nS8ultJdw5Cbl22JYvCxu7szDeKzkWup47Aw/mF5mO 1chQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723738887; x=1724343687; h=in-reply-to:from:references:cc:to:content-language:subject :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=UgYS/NCwslAtLWCA45MdDjN9DcmBq7lLRXYu97P0ZDE=; b=T5Vt2CBEokXudl6SqzG+LKXmS4bFp+HUW3jWme7/mDkXau0NLx8NfQeicp4EEaSrez 4gAJpAYiSNCuMHsbZy8fMKu72ZtMvqb2dTTtZF2aNX9Wtu3uHROxaMuCjBmM/7LYwHEN LlHdi/1K1DP+TI1c7GOn5Uxml/Ym5EyYxs1YUGRYJapivNFwv5eN2nTltWFw/U4uKluC o8m1sC7jJt1Ul8Ygn7OFEX9KZMW8i1pA7qBpDRBBXk2FSK9NnwGkzWiEwnFfjskAe7OD o+40ZBDUCvmcuVYCQnUOhCRLHtLxfXrxBRDvd9Yd/spv6ptLVL4iaj0/TUBGa74c0ora QnBQ==
X-Gm-Message-State: AOJu0Yw/2pRw8vy2emvyaiOGYqkUrCtvAxunskhMS6MJjST8n+6HuhXG Sm/J/5oXyx2tgyoKm2Tok2NWYFBaGOZ1y5uMDI90JyYQxEC0gEzuQYt8h5EGmB7sfDkq02+T7Ql X
X-Google-Smtp-Source: AGHT+IHdNhGuk5pwRhP+bH0UV8lZx+sJriO87A2ufzam/hpAoSs5+2yrljmDi32rDq2CwaNjKcxeSg==
X-Received: by 2002:a05:6214:5347:b0:6b5:7e0b:eafb with SMTP id 6a1803df08f44-6bf5d19b521mr79198056d6.24.1723738886342; Thu, 15 Aug 2024 09:21:26 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-31-156-76.washdc.fios.verizon.net. [108.31.156.76]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6bf6fdd9072sm7647866d6.15.2024.08.15.09.21.25 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 15 Aug 2024 09:21:25 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------JD8Yi970l5whHEKRRUheW0qV"
Message-ID: <7c925f33-b393-4fc7-b1ad-70e81a1c3ebc@nthpermutation.com>
Date: Thu, 15 Aug 2024 12:21:23 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Petr Špaček <pspacek@isc.org>, Paul Hoffman <paul.hoffman@icann.org>
References: <CAHw9_iL-ZwwA_pckR+=7SndOvqjfcNX9FjZ9Bim24uSYgTxkyw@mail.gmail.com> <98896B9D-259E-4E46-8DC7-E873D8B25F55@icann.org> <d9aed09d-b1c8-4ba1-9d4e-e83d504bfe40@nthpermutation.com> <65A596AD-1A4F-400A-9404-E2D60A54BE66@icann.org> <36118f44-d18d-443b-8aa8-007b8b62db3f@nthpermutation.com> <c77c4c2b-4d6e-4b41-bbc7-3ee634d0321a@isc.org>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <c77c4c2b-4d6e-4b41-bbc7-3ee634d0321a@isc.org>
Message-ID-Hash: 2OVTV43BWIJHCKLIKJ6LJSA4GEL5H3R3
X-Message-ID-Hash: 2OVTV43BWIJHCKLIKJ6LJSA4GEL5H3R3
X-MailFrom: msj@nthpermutation.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dnsop@ietf.org" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Wh-H3mN59pijDhvHRsmKqYoxT3o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Sorry - 1-3 new issues and commentary on the previous issue. Expanding: **** Please Clarify: The document does not state if this set of TAs is additive to a relying party's existing TA set or replaces them. **** Please Clarify: What happens if you provide a TA with a "validUntil" in the future (say 2 years) and ICANN does not issue a replacement? Is that TA marked as revoked at the expiration of the validUntil? It appears to be - see both of the next quotes. This feels like a "BAD THING". > The validFrom and validUntil attributes in the KeyDigest element > specify the range of times that the KeyDigest element can be used as > a trust anchor. **** Please clarify: > Note that the validUntil attribute of the KeyDigest element is > optional. If the relying party is using a trust anchor that has a > KeyDigest element that does not have a validUntil attribute, it can > change to a trust anchor with a KeyDigest element that does have a > validUntil attribute, as long as that trust anchor's validUntil > attribute is in the future and the KeyTag, Algorithm, DigestType, and > Digest elements of the KeyDigest are the same as the previous trust > anchor. I don't actually know what to do with this. Right now if you have multiple TAs, ANY TA that is live may be used to provide the base of a chain of trust. "change to a trust anchor..." is a no-op. This section seems to be describing operational behavior past the first read of the TA by a relying party which appears to be a change to how DNSSEC operates. Instead I suggest: "validUntil should be read as the planned last date of signing by ICANN for that specific trust anchor. A relying party may continue to accept validations that chain to this trust anchor past this date unless the trust anchor is manually removed, or it is revoked." If you want to actually revoke the key, use the 5011 scheme and include the signature for the revoked key (by the revoked key over the revoked DNSKEY formed as a singleton RR) in this file. And I think "validFrom" also ought to be read as "validFrom is the planned first date for ICANN to begin signing with this TA. A relying party should not install this TA until the specified validFrom date, but if it does, the relying party should treat validations that chain to this TA that are otherwise valid, as valid regardless of the validFrom date". e.g. We're not requiring a DNS implementation to track date/times outside of the DNSSEC protocol. Trimming... On 8/15/2024 4:58 AM, Petr Špaček wrote: > On 10. 08. 24 17:21, Michael StJohns wrote: >> On 8/9/2024 5:09 PM, Paul Hoffman wrote: >>> On Aug 9, 2024, at 12:16, Michael StJohns<msj@nthpermutation.com> >>> wrote: >> Prior to this there was no check on the correctness of the offered >> digest, except that a smart relying party could have looked at the >> published keys and tried to find a match. After this is published as >> an RFC, the relying part mostly only needs to look at the public key >> data in the file if it exists and not worry about whether it was >> published. This is not "unchanged from RFC 7958" IMO. Finally, >> reading this, why wouldn't you explicitly specify that the hash >> needs to be (e.g. MUST be) verified against either a live >> (published) key or the included public key? Trust anchors require - >> well - trust. I would think that the more verification I can get to >> avoid polluting my personal trust anchor store, the better. >> >>>> Looking at the Security Considerations - I don't think the updates >>>> to this section made this is sufficiently evident. >>> That's because this part of RFC 7958 was not updated in this draft. >> See above. >>>> I'd suggest two things: 1) Talk about the above in the security >>>> considerations, and 2) Place a disclaimer in the TA file with >>>> similar language about the prospective key material. > > From my perspective sect 3.2 last paragraph (quoted above) is > sufficient to catch errors in data representation within the XML and > with that protection we IMHO are in the same state as we were before: > The relying party has to trust content of the file (for some reason). > > Maybe I'm missing something. Do you have a particular attack scenario > which have not been possible before but becomes possible with the new > format? Some preliminary stuff: RFC7958 was an independent submission - a "this is how ICANN does this" document. This version of the document is running through DNSOPS. The former version was discussed, but I don't think it went through as rigorous a vetting. 1) Trust anchors in DNSSEC are the public keys, not DS or DNSKEY records representing the public keys even though those records may be used to carry the public keys. Among other things, the flags and tags of a trust anchor may change (cf "revocation bit") during the lifetime of the key and a naive implementation with only DS like trust anchors could miss those changes. (Yes, we can argue about this and 4035 says that DS's can be trust anchors - but 4035 assumed the flags would never change and 4035 assumed that section 5.2 will also come into play with respect to the DS records). 2) (1) basically implies that the hash you get from the XML may not be comparable to an actual live key. 3) It also implies that the <KeyDigest> element needs a <Flags> element as well - or at least for keys that are not included in the <TrustAnchor> element. (e.g. use the KeyDigest Flags field to calculate the digest over the public key regardless of what the DS or the live key says). To answer your question: The attack scenario is more a "someone screwed up and the key we just published didn't match up with the hash in the TrustAnchor file we published last month". But I guess It could also be a malicious denial of service by an insider - especially if none of the keys have been published or included, and it *could* be an attempt to install a fake public key - harder to detect if all you have is the hash and all you're doing is attacking a few targets between the time the TA file is published and the keys are published. If the party relying on the TA file just accepts it at face value (after verifying the signature), an attacker with the related private keys and ability to cut in between for DNS could do a pretty good job of lying to their target. The security considerations section should actually discuss the various ways a third-party (ICANN) signed version of trust anchors could be used to pollute trust anchor stores if various internal controls aren't maintained. It should also discuss how a relying party can validate the "consistency" of the data not just the signature over the data. And - IMHO - a relying party should not finalize adoption of a given TA until it sees it live. > >> As I said - minor nit. Sometimes when you're reencoding data from >> one scheme to another you need to have these polite conversations and >> actually consider the circumstances. > > As an implementer I say it's easier if the format is the same as in > DNS, i.e. unsigned decimal number. It allows me to simply reformat > elements from the XML into a DNSKEY text representation and _then_ run > existing DNS code to parse the (reformatted) DNSKEY text. > > Bit field represented as sequence of ASCII 0/1 would require > additional code and I don't see any benefit. Common DNS tools display > Flags field as an integer value so even for manual cross-checking by > hand (say XML text vs. dig output) it is better to use the same > representation. > As I said a minor nit and not a hill I want to die on. But your last comment: XML parsers either know how to do all of the xsd: stuff or none of it. Converting from an xml parsed 2 byte field into a UINT16 is a line of code. Later, Mike
- [DNSOP] Request: Review changes - draft-ietf-dnso… Warren Kumari
- [DNSOP] Re: [Ext] Request: Review changes - draft… Paul Hoffman
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Paul Hoffman
- [DNSOP] Re: [Ext] Re: Request: Review changes - d… Paul Hoffman
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: Request: Review changes - draft-ietf-… Andres Pavez
- [DNSOP] Re: [Ext] Request: Review changes - draft… Petr Špaček
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Petr Špaček
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Peter Thomassen
- [DNSOP] Re: [Ext] Request: Review changes - draft… Paul Hoffman
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Edward Lewis
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Warren Kumari
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Edward Lewis
- [DNSOP] Re: [Ext] Request: Review changes - draft… Petr Špaček
- [DNSOP] Re: [Ext] Request: Review changes - draft… Warren Kumari
- [DNSOP] Re: [Ext] Request: Review changes - draft… Paul Hoffman
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Warren Kumari
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns