IETF Logo Mail Archive

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

Daniel Migault <mglt.ietf@gmail.com> Wed, 28 June 2023 10:31 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD126C151071; Wed, 28 Jun 2023 03:31:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pVyxkkun6hVD; Wed, 28 Jun 2023 03:30:57 -0700 (PDT)
Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59883C15106C; Wed, 28 Jun 2023 03:30:57 -0700 (PDT)
Received: by mail-pj1-x1036.google.com with SMTP id 98e67ed59e1d1-262b213eddfso585935a91.0; Wed, 28 Jun 2023 03:30:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1687948257; x=1690540257; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=TvP/f/sldJTTSuhuK2T/Wy6z+wrjcDB/cN300aKTNSE=; b=aLF32D92b1JMytgN13uCzqwtW6p2CDZTrzb5GTJqboTwqSkP46cDqEKhZrHQC/epFA mWCu4+MDuZO3JK05yj4bcojj5dUXEflfr2VeOOe4b/DfKD+AcS8g1Ml/IDqlVWVKgtHT OKZcdYuvEILoOMj35dBCncwzk2njc4/3n3UwfhONFgx4McvDl0No2rG02t4Ldm75vx4K ERO57RaX9kCO0ByuQC4M0M/Qb78sZa242ceYkbfy+VB4BAgoDz7yvM5sCEMoPPg9LGt/ QEUIii6SYUaQMJEZjdCFQQMLSypK3LoJHin6n/GX/uiQQW9Fh4Fynh7BE6S8RTFvJPtR IBCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687948257; x=1690540257; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=TvP/f/sldJTTSuhuK2T/Wy6z+wrjcDB/cN300aKTNSE=; b=dOeh7wkxl/jEQFlpp7HzyA6cqnda3wqbhU4mEdntUK8K3HmEKUKb58ioZB6VrgI7ZG 8HX2Bb+2lkKksjvPsColBP1ft4WWmzHODC1RlugM3TZE2RdJorWNXAlbgiF1BqWgroyp VWRqPS27fix6BKXlLMsQycFNWXp7P+u2ASKnTG5Dxw1Z+oZ1rxdP5mp6/vkpjnMGymwC ssJUjNP4/6owrTeCKjSo7z2u5t1sJeXm8l8oLHlEEzBO9gtkGSsOprZZ55vvac+2Kcv0 Nk1VMFHkgfdAxxfz9MS5zY7PXJJ7U9iuWEhdy+KJ6xWvWosSWRPiQADtYg+CGvT7nwPc H3OA==
X-Gm-Message-State: AC+VfDxmz4naltZ7Ovl6gBK6+VrKSJhqxHbyX8e60irW7fVLXOTCqnVp d7mOX2vaFyfMuaaQnRNy0o6gl9iQn8nNCk0OOgw=
X-Google-Smtp-Source: ACHHUZ5RGLcESgJPzZ5KBfJop5rtzuHeupFQC6d95p2a6qVYJktuQsiLgcxHyCZeLUXXhTpi9cLgtdNxBS0RhhaY2bU=
X-Received: by 2002:a17:90a:1546:b0:263:114c:52fc with SMTP id y6-20020a17090a154600b00263114c52fcmr1226548pja.12.1687948256606; Wed, 28 Jun 2023 03:30:56 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+FBu991wu4ZEwKs9w-hGQfUR0oOGXruQv1BwX63NsNhBw@mail.gmail.com> <CADyWQ+EXXDkw_LfFm6w9OZjWunsgRchE-E3FVh38JO+QSGJ0cw@mail.gmail.com> <m1wn0fp405.fsf@narrans.de> <02c16402-5a4f-16c1-6c9f-9fc2b655fbfd@huitema.net> <CADZyTkmZWUrTgL4z6HWGCu=ysJ5qewMV1RJ2j4EysyBE=DqJEQ@mail.gmail.com> <CADZyTk=xJQ61MVLDNsmW8gMny8HH0vbk0DURxDbA7G=6QXfPhA@mail.gmail.com>
In-Reply-To: <CADZyTk=xJQ61MVLDNsmW8gMny8HH0vbk0DURxDbA7G=6QXfPhA@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 28 Jun 2023 06:30:45 -0400
Message-ID: <CADZyTknG11J9E30FATt9ATkSn5saYwqQVE5Kq0=pqL8eOqi_uA@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Cc: Florian Obser <florian+ietf@narrans.de>, Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003bff8e05ff2e14db"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bXoYOwn1Gm3xEyONZGxdtWS_Dz8>
Subject: Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jun 2023 10:31:01 -0000

Hi,

Please find the new version that addresses Christina comments. It includes
a secure transport section and the security considerations section has been
consolidated by adding a trust model section.
As always, comments are welcome!

https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dnssec-validator-requirements-06


Yours,
Daniel


On Thu, Jun 22, 2023 at 4:27 PM Daniel Migault <mglt.ietf@gmail.com> wrote:

> Hi,
>
> I have just drafted a secure transport  and a security considerations
> section, that I believe provide sufficient guidance to a DRO. I expect to
> further review these sections and publish a new version very soon. As
> always, comments are welcome.
>
>
> https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/blob/master/draft-ietf-dnsop-dnssec-validator-requirements.mkd
>
> Yours,
> Daniel
>
> On Thu, Jun 15, 2023 at 8:00 PM Daniel Migault <mglt.ietf@gmail.com>
> wrote:
>
>> Hi Christina,
>>
>> Thanks for the review and the suggestions. Please see my comments inline.
>>
>> Yours,
>> Daniel
>>
>> On Wed, Jun 14, 2023 at 11:56 AM Christian Huitema <huitema@huitema.net>
>> wrote:
>>
>>> I know that the feedback was due last Sunday, but here comes mine
>>> anyhow, after looking at the latest iteration of the draft.
>>>
>>> The draft makes a number of recommendations, which seem all reasonable,
>>> but what struck me was the weak tie between these recommendations and
>>> the security considerations.
>>
>> I agree that we should reconsider that section. My initial version of the
>> security consideration section was in my opinion too long and I
>> considered it as too repetitive with the main body. I then focused on the
>> security where the DRO is the vector of attacks/vulnerabilities. I suppose
>> I have been a bit too far in that direction and this is too limitative. I
>> will reconsider this, and your comment on the threat model gives a good
>> insight on what could be added. I agree that we should add some text on the
>> threat models current and long term.
>>
>> What also strikes me is the absence of
>>> any consideration relative to secure transports such as DoT or DoQ.
>>>
>> That is correct. This is something that we did not consider and probably
>> have to mention. I think this will be a section on its own - and not a
>> security consideration.
>>
>>>
>>> I would love to see a document that addresses the future target, in
>>> which secure transports are use in most or all transactions between stub
>>> and recursive, or between recursive and authoritative. I think that in
>>> such scenarios, the threat model changes quite a bit.
>>>
>>
>>  I tend to think that future direction might be a bit beyond the scope of
>> the document, but I do tend to think that a threat model discussion can be
>> useful for an operator.
>>
>> In the old model, we are very concerned about third parties spoofing
>>> responses and polluting resolver caches. In a secure transport model,
>>> the only parties that can spoof responses are the resolvers themselves:
>>> authoritative resolvers abusing their authority to add falsehoods in
>>> additional sections, recursive resolvers abusing the client trust to
>>> send false responses.
>>>
>>> I do think that DNSSEC is still useful, even in a secure transport
>>> world. But the focus changes. For example, if we consider that "spoofing
>>> by recursive server" is a threat, then having the recursive set bits to
>>> affirm that the response is verified is not much of a protection -- the
>>> emphasis should move to verification by the client. I would love to see
>>> this discussed.
>>>
>>> I agree that would become useful in giving insight into what threat the
>> DRO is addressing.
>>
>>
>>> -- Christian Huitema
>>>
>>> On 6/7/2023 10:38 AM, Florian Obser wrote:
>>> > On 2023-06-07 13:08 -04, Tim Wicinski <tjw.ietf@gmail.com> wrote:
>>> >> Just a reminder we're looking for any feedback on continuing work on
>>> this
>>> >> document.  The Chairs/OverLord Warren feel significant work on this
>>> >> document is needed, but that may not be relevant.
>>> >
>>> > The document seems to have a rather pessimistic view on running a
>>> > validator. It has this huge list of things that an operator has to do
>>> > and does not assign any importance to them - everything seems to be
>>> > equally important.
>>> >
>>> > If I were to read this as the person responsible for running the
>>> > recursive resolver at an enterprise or at an ISP I'd think: That sounds
>>> > like effort and incredibly fragile, it's probably best to not enable
>>> > validation.
>>> >
>>> > It would be nice to have an informational RFC on the topic, but I'm not
>>> > convinced this is it. Maybe Andrew's suggestion to split this up is the
>>> > way forward. Maybe have one document with minimum requirements (correct
>>> > time, stuff like that) and take it from there.
>>> >
>>> >>
>>> >> We're wrapping this feedback up this Sunday 11 June.
>>> >>
>>> >> (and Thanks Andrew for your comments)
>>> >>
>>> >> tim
>>> >
>>>
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>
>>
>>
>> --
>> Daniel Migault
>> Ericsson
>>
>
>
> --
> Daniel Migault
> Ericsson
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email