Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use
Mukund Sivaraman <muks@isc.org> Thu, 20 July 2017 09:07 UTC
Return-Path: <muks@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B08EB127735 for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 02:07:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Wjulp3g8d1y for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 02:07:30 -0700 (PDT)
Received: from mail.banu.com (mail.banu.com [IPv6:2a01:4f8:140:644b::225]) by ietfa.amsl.com (Postfix) with ESMTP id 537EA126B72 for <dnsop@ietf.org>; Thu, 20 Jul 2017 02:07:30 -0700 (PDT)
Received: from jurassic (unknown [115.118.170.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id CCAD656A0134; Thu, 20 Jul 2017 09:07:27 +0000 (GMT)
Date: Thu, 20 Jul 2017 14:37:23 +0530
From: Mukund Sivaraman <muks@isc.org>
To: 神明達哉 <jinmei@wide.ad.jp>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <20170720090723.GA454@jurassic>
References: <20170718094654.GA31988@jurassic> <CAJE_bqcWOLvmbzNrujPZsasLU9JxER60v1_t=qVnG8BxgtJCsQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAJE_bqcWOLvmbzNrujPZsasLU9JxER60v1_t=qVnG8BxgtJCsQ@mail.gmail.com>
User-Agent: Mutt/1.8.3 (2017-05-23)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/c9Vkl-3oPSs7lOXas9e5w8a4yQw>
Subject: Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 09:07:32 -0000
Hi Jinmei On Wed, Jul 19, 2017 at 04:14:11PM -0700, 神明達哉 wrote: > At Tue, 18 Jul 2017 18:20:56 +0530, > Mukund Sivaraman <muks@isc.org> wrote: > > > Dealing with water torture and some other attacks have had several > > band-aid approaches that don't always work well in practice. The most > > promising (and what feels correct) is > > draft-ietf-dnsop-nsec-aggressiveuse, but it doesn't work for unsigned > > zones. > > Do you mean it's the most promising measure for authoritative servers? > If so, and if nsec-aggressiveuse is more widely deployed in resolvers, > and if the authoritative operators feel the pain so keenly, I'd rather > imagine they are willing to pay the cost of deploying DNSSEC. > > If you mean it's the most promising measure for recursive servers, I > simply don't buy the argument. (I made that comment while the wg > discussed nsec-aggressiveuse and it toned down quite a lot in that > sense as a result of it, so I believe it's based on a wg rough > consensus). I had meant only one of the benefits that nsec-aggressiveuse brings: * Avoid creating unnecessary fetches from the resolver by being able to answer more queries from cache (... ignoring the wildcard case.) It would help an auth service indirectly (if resolvers don't send it as many queries) but it has to handle the queries it gets. There are different approaches that are being used for handling water torture style attacks (bloom filtering with previously seen queries, fetches-per- controls, BLOOM RR type, etc.) but compared to those methods, NSEC aggressive use is a "correct" absolute method to stop fetches to non-existent names and data that works with minimal implementation changes only. A lot of popular zones are still unsigned. There are different reasons for it. Without advocating against DNSSEC, I want to point out that the all-or-nothing behavior of validation needs absolute correctness end-to-end in all pieces that some zone owners think about when considering whether to sign their zones. There are still implementation bugs. E.g., recently for several weeks/months, .ORG had a problem where it would not allow a DS record to be marked as removed. This meant that a child zone that wanted to go from signed to unsigned state could not do so (my own zones were affected). A zone signer implementation bug (e.g., untimely RRSIG generation causing no new RRSIGs to be added before existing RRSIGs expire) has the capability to take down all internet services at a domain. This still happens today, believe it or not. A zone owner has no control over schemes like using negative trust anchors at each resolver. There is the potential of significant economic loss to a business due to downtime that owners think about. Such frailty in the DNSSEC state of implementation has to improve before advocating DNSSEC as a solution to all problems. The fact that NSEC is a DNSSEC feature, and that it solves handling negative answer queries is a side-effect, but considering things individually, solving water torture style attacks doesn't need the rest of DNSSEC. It needs NSEC. (Please don't think that I'm advocating against DNSSEC. These are problems I come across practically as a programmer for a DNS implementation.) We have several popular unsigned zones today. It is the resolver side that has to answer for random non-existent subdomains under these zones. When talking about taking away the RRSIG of NSEC, it causes people to feel uncomfortable, but unsigned zones are unsigned after all. Whatever modification can be done by an attacker with an unsigned NSEC can be done right now too for individual queries. There should be more thought about benefit vs. risk of using such a scheme. Mukund
- [DNSOP] NSEC/NSEC3 for unsigned zones and aggress… Mukund Sivaraman
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Francis Dupont
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Tony Finch
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Jim Reid
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Mukund Sivaraman
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Paul Hoffman
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Mukund Sivaraman
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Petr Špaček
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Francis Dupont
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… 神明達哉
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Mukund Sivaraman
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Stephane Bortzmeyer
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Petr Špaček
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Petr Špaček
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Mukund Sivaraman
- Re: [DNSOP] NSEC/NSEC3 for unsigned zones and agg… Peter van Dijk