IETF Logo Mail Archive

Re: [DNSOP] Comments on draft-wessels-dns-zone-digest-02

Paul Wouters <paul@nohats.ca> Fri, 10 August 2018 20:41 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 099D5130ECC for <dnsop@ietfa.amsl.com>; Fri, 10 Aug 2018 13:41:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fyaCtkTtBm_H for <dnsop@ietfa.amsl.com>; Fri, 10 Aug 2018 13:41:24 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57870130E5E for <dnsop@ietf.org>; Fri, 10 Aug 2018 13:41:24 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 41nH8d0JF7zDm1 for <dnsop@ietf.org>; Fri, 10 Aug 2018 22:41:21 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1533933681; bh=w9+TxwrY4S05J+fnaOSgg18l/2J6CAcBEtefesb/uh0=; h=Date:From:To:Subject:In-Reply-To:References; b=km9zOjjEzdtWkZlW1WqzO6J+BDwwMJybXRjuYuTdiVL53Oz2wgPbclx6B9kWMhsl1 6zgDFqKSGDel+Cq7wfoi7DbRsdK8LWY6zS/CbI4YjORd8Fbvh5r077BpoPsL+r4ty4 chf8NgAAtIqIIO52hWVV/FA9pvzc6MzQrReso054=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 1VHkgZAGDP1M for <dnsop@ietf.org>; Fri, 10 Aug 2018 22:41:20 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dnsop@ietf.org>; Fri, 10 Aug 2018 22:41:19 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 4009A31C855; Fri, 10 Aug 2018 16:41:18 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 4009A31C855
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 342D04009E79 for <dnsop@ietf.org>; Fri, 10 Aug 2018 16:41:18 -0400 (EDT)
Date: Fri, 10 Aug 2018 16:41:18 -0400
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <BE28C979-797B-4B58-80E7-4B65287B2560@verisign.com>
Message-ID: <alpine.LRH.2.21.1808101636200.18310@bofh.nohats.ca>
References: <6D6060CF-FD20-4D79-BF98-A4BE77011741@icann.org> <BE28C979-797B-4B58-80E7-4B65287B2560@verisign.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/av5J9nIdiDIrbXw7YsxCS75DwyU>
Subject: Re: [DNSOP] Comments on draft-wessels-dns-zone-digest-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Aug 2018 20:41:27 -0000

On Fri, 10 Aug 2018, Wessels, Duane wrote:

>> But there are already mechanisms for this at the data set level.  (This is a "belts and suspenders" style argument.)  What if -err- when, in a zone's distribution, the glue records are either forged or simply fat-fingered?  That's covered, in a way that is more efficient - in a lazy evaluation way.  Mangled glue never referenced needs not be checked, when it is needed there's backup in the authoritative version.  If all else fails, DNSSEC will flag whatever response as suspect.
>
> Yes, certainly DNSSEC protects from modification of answers.  It generally protects recursives who validate.  But it doesn't protect consumers of zone files.

By design....

> Another limitation I've mentioned before, where DNSSEC doesn't protect you, is that a delegation could be falsified such that traffic goes to an eavesdropper that just records but doesn't modify messages.

but on most networks you connect to that you don't trust, they could
just be monitoring all your port 53 traffic anyway? I don't see this
much as a use case. An attacker that cannot see your traffic, but could
get to see your DNS root queries but only briefly if you cache or
actually use the root zone you just transfered from them. Also query
minimalization makes that use case very uninteresting.

> I'd also argue that maybe applications shouldn't necessarily trust a file just because its "on disk." The application doesn't know how it got there, or what may have been done to it.

Sure but applications should either validate or trust the local
validator loading the zone. So that limits the discussion to
glue/NS only.

> I'm not sure this is what you mean by "speed of execution" but as an example, my implementation (which uses ldns) can calculate and verify a SHA256 signed root zone digest in under 100 msec.
>
> $ sort --random-sort root.zone.signed | ldns-zone-digest -t -p 2 -c -v .
> Loading Zone...22539 records
> Remove existing ZONEMD...
> Add placeholder ZONEMD...
> Calculating Digest...Done
> Calculating Digest...Done
> Found and calculated digests do MATCH.
> TIMINGS: load  142.18 calculate   82.72 verify   52.24 update    0.00

I don't see it validating the ZONEMD RRSIG here ? :P

Paul

v2.23.0 | Report a Bug | By Email