Re: [DNSOP] [Ext] comments on draft-mglt-dnsop-dnssec-validator-requirements-05

Edward Lewis <edward.lewis@icann.org> Wed, 19 July 2017 15:01 UTC

Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 455C1131D39 for <dnsop@ietfa.amsl.com>; Wed, 19 Jul 2017 08:01:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fjxd16il2Knj for <dnsop@ietfa.amsl.com>; Wed, 19 Jul 2017 08:01:18 -0700 (PDT)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org [64.78.40.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABD5D131C18 for <dnsop@ietf.org>; Wed, 19 Jul 2017 08:01:18 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Wed, 19 Jul 2017 08:01:16 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1178.000; Wed, 19 Jul 2017 08:01:15 -0700
From: Edward Lewis <edward.lewis@icann.org>
To: "Rose, Scott (Fed)" <scott.rose@nist.gov>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [Ext] [DNSOP] comments on draft-mglt-dnsop-dnssec-validator-requirements-05
Thread-Index: AQHTAJ/eQLW1DE5jLkuTbY4vbjiirg==
Date: Wed, 19 Jul 2017 15:01:15 +0000
Message-ID: <65A8A166-E4DD-46D8-9CB9-00D2025171D7@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.24.0.170702
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="B_3583306875_766213541"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/athlxM8YkyJ87AyHX8yLHcUiyxM>
Subject: Re: [DNSOP] [Ext] comments on draft-mglt-dnsop-dnssec-validator-requirements-05
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 15:01:21 -0000

On 7/19/17, 08:49, "DNSOP on behalf of Rose, Scott (Fed)" <dnsop-bounces@ietf.org on behalf of scott.rose@nist.gov> wrote:

>I think this draft is a good idea and should be adopted, but needs some improvements first. 
>

Thanks for the review, the current version has items needing wider discussion.

I'll pick some items to respond to now:

>2. REQ2: What should happen when there are multiple trust anchors, but only one failed to validate? E.g. a validator has both the root and .exampleTLD in its trust store, but missed the root rollover. The .exampleTLD key still validates, but the root doesn't. Should all validation stop? Or set a warning, but continue to validating (succeeding only for .exampleTLD)?

One of my long-standing opinions has been that it is hard to build a secure chain, so if one exists, accept it in face of alternative broken chains.  If a validator is too "tight" then it would be trivial to do a denial-of-service by throwing out DNSKEYs, RRSIGs, etc., that will not lead to validation.

As far as trust anchors, the level of trust (healthiness in some sense) is individual.  One anchor candidate might be "false" (unauthorized) while another anchor candidate might be "true" (authorized).  Trust is in the eye-of-the-operator, if the operator establishes trust in a candidate it is best to run with it, again, even if there are untrusted candidates.  (Because, if too "tight" it would be trivial to do a denial of service.)

>3. REQ18: I don't think I understand this. Wouldn't the best way to see which algorithm(s) are in use for a given zone would be just to send a query  Authoritative zones really may not "know" any algorithm besides SHA-1, as it is likely not doing online signing, but serving whatever a signing utility chose. 

I'd refrain from "know" and use "use."  The signer (not the zone) may or may not have a library for a particular DNSSEC security algorithm's needed cryptographic algorithm and/or hash.  That's entirely opaque to the other side of the DNS protocol (as DNSSEC assumed an air gap in the most strictly secure use case).

What is in use for a zone is established two ways.  One is from the DS RRset.  The other is via published secure entry points bootstrapped to the satisfaction of the validator operator's "trust" satisfaction.

I.e., I too think that REQ18 needs further review.  It would make more sense if there were on-the-fly signing capabilities (which is not something assumed by DNSSEC, although it's not a ludicrous idea, it would be operationally useful).

>4. Should there be a mention as to which algorithms a validator should support? It may not require a direct reference to whichever RFC is current, but simply listing the IANA maintained registry and say "implement all the MUSTs and probably the SHOULDs too". Something like the following:

For turn-key implementations, I don't think so.  For general-purpose implementations, the producer of the software would make a choice based on their objectives.

Easing the choice for the tool developer would be good, but I question mandating compliance with features.  (I'd leave that to the "purchasing vehicle", which begs a whole'nuther discussion.  There would be a need to educate the consumer, for one.)

>Algorithm Usage in Validators 
>
>DNSSEC signatures can be generated by different digital signatures algorithms. The current list of algorithms defined for use with DNSSEC is published in an IANA maintained registry [insert IANA link here]. Validators have to be able to understand and validate different algorithms that may be in common use with DNSSEC. The DNSSEC digital signature registry table is regularly updated with guidance as to which algorithms are considered MANDATORY and/or RECOMMENDED. In order to be effective, a validator MUST understand all digital signature algorithms marked as MANDATORY and SHOULD understand all digital signature algorithms marked as RECOMMENDED.
>
>REQXX: Validators MUST implement all MANDATORY digital signature algorithms and SHOULD implement all RECOMMENDED digital signature algorithms.
>
>Note: This wording isn't the best, and needs some work. I also don't know if the SHOULD in the REQ should be changed to a MAY, but I would prefer SHOULD. 

Thanks for the suggested text, for the most part I think it is on target.  But to hark back to my comment before it, I'd change (for example):

"Validators have to be able to understand and validate different algorithms that may be in common use with DNSSEC."

to:

"General purpose validators, in order to be widely adopted and accepted, ought to implement as many of the commonly used DNSSEC security algorithms, with "commonly" interpreted, at least on one way, to include the DNSSEC security algorithms in the IANA registry noted."

...again, wording is loose.

My driving concern is that there may be some folks that have a turn-key situation in mind; the IETF famously says it is not the "protocol police."