IETF Logo Mail Archive

Re: [DNSOP] DNSSEC as a Best Current Practice

Ted Lemon <mellon@fugue.com> Wed, 23 March 2022 08:21 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B149D3A125E for <dnsop@ietfa.amsl.com>; Wed, 23 Mar 2022 01:21:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o6kqvsDMCup7 for <dnsop@ietfa.amsl.com>; Wed, 23 Mar 2022 01:21:03 -0700 (PDT)
Received: from mail-oa1-x34.google.com (mail-oa1-x34.google.com [IPv6:2001:4860:4864:20::34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6A0D3A125D for <dnsop@ietf.org>; Wed, 23 Mar 2022 01:21:03 -0700 (PDT)
Received: by mail-oa1-x34.google.com with SMTP id 586e51a60fabf-de2cb87f6aso928677fac.10 for <dnsop@ietf.org>; Wed, 23 Mar 2022 01:21:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wD3KIS6wgLjudwcz2Frf0L+dFGq1jkXFpI+lrQ2APZE=; b=bP3s+LJybJZfil23oA75YQbrOZyq8ph29f5w14V1wZy0O7QDKpcPj94qE+gwCL9Bga cwNwUSvORNDPvsJXLvOIIlTPmG/HZ3bzyNtoAZw5aABQJ01nh5IMtXvHsPGnVDtLNEiY O0NJSWMUCXm166YDaiDe6PMjyV+kYDyQLAXOYXkEGAY3ZwVqvWAuNI2jS+khDORQox3w 7BERRs2ScIeSeSEkihT1vyr4Pufggtf24akmLj7X6hJ/ODFkf1eyVilc92Dpbkj+5r7i lEbUdnaOH9lCOXYrWWGEQ29lcA51j4rpzsWO9MMvR2nJD+3rum1ckgmBiwZ16tuL+ETy DGZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wD3KIS6wgLjudwcz2Frf0L+dFGq1jkXFpI+lrQ2APZE=; b=QejpV2fpt0RB7iUflCTGIDK6w7T/KzWBYjfjvjabhPUes1ENsXfv64mvTB9uWYPLwF HEwnpEgw1zBagAVgKikv4sICiZuar6monT2D3bSHu3xAt7zKjd8N9/tepwMPqfkUrZyp 8Wph02jr23BfBCFXoWTMeBfauV1lHp90E/U/LhRhgxyC9HKz4fBM1e5MRSju5z7UWqAC z036eq/zSHh6fVCSu/lRtIbG5tlNbBbicIX2GYN6rOaZ3Qn30CkuQkvsuYjLf48Z8WMi 5xo2pBtwz2eqkj0RiV2TluhRliPWiQVk9BY2Igr/I3aYzGbBl2yFTIDc+sxU9V6QGrb+ KMKA==
X-Gm-Message-State: AOAM532XwBD+iIfey3eQ3FliaPR++YkvDfiv0KtO+MUHG+TlF4YpJ1tc kIhuzlXaowgZOYYzU6+lc02ANMr17esByyd9Drn5Lw==
X-Google-Smtp-Source: ABdhPJzxfDpJUqHtmbq3tfX38mt/mjgSqgU7xN6XWweO8iIvwR11twIp/v2CSAI9EVGU26929r/5xoSnWDY6gJOz9zc=
X-Received: by 2002:a05:6870:46a1:b0:dd:a325:6fc7 with SMTP id a33-20020a05687046a100b000dda3256fc7mr3614340oap.12.1648023662077; Wed, 23 Mar 2022 01:21:02 -0700 (PDT)
MIME-Version: 1.0
References: <163bfd78-c21d-084c-9f6d-9d29b80bcbd1@necom830.hpcl.titech.ac.jp> <7B3A5D3D-2E84-45A7-BE5F-3BAC3650E95C@hopcount.ca> <e722a37a-1476-d90b-b4df-e9d4604bea59@necom830.hpcl.titech.ac.jp> <e8566381-d8e8-b99f-67c3-2e89dc9cb85@nohats.ca> <affe488c-d2c4-05a0-69b4-12c2aa97dbfa@necom830.hpcl.titech.ac.jp> <CAH1iCip7buO_WAteXn24jDics=MOGHFMcRxvbO1O9Z-HyErdAA@mail.gmail.com>
In-Reply-To: <CAH1iCip7buO_WAteXn24jDics=MOGHFMcRxvbO1O9Z-HyErdAA@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Wed, 23 Mar 2022 09:20:51 +0100
Message-ID: <CAPt1N1kKVwezh+vK7djT1YdYLFHmHSSPRYbxRxmPYMh4ck_LGw@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f5c0ac05dade6841"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cPUlpYZnk2GOkZtQjE-pYl60sjk>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2022 08:21:10 -0000

Brian, what you said about the crypto is right but there are definitely
opportunities to compromise trust at the tlds. I don’t think it’s wise to
ignore this type of attack. However, in order to make such an attack, you
have to do things which can be noticed (e.g. signing a zone delegation with
a forged key).

So the threat model for a viable  DNSSEC attack is quite a bit different
than for a recursive resolver attack, and is not something that could be
easily effected by a small entity.

Or to put it differently, the cost of a successful attack on DNSSEC would
be orders of magnitude higher than for an attack on a resolver. And unlike
a resolver attack, it is possible to detect a DNSSEC attack by comparing
known keys to detect a compromise. With a resolver attack, you have no way
to know that you’ve been spoofed.

On Tue, Mar 22, 2022 at 22:12 Brian Dickson <brian.peter.dickson@gmail.com>
wrote:

>
>
> On Tue, Mar 22, 2022 at 7:12 AM Masataka Ohta <
> mohta@necom830.hpcl.titech.ac.jp> wrote:
>
>> Paul Wouters wrote:
>>
>> >> Wrong. DNSSEC as PKI is not cryptographically secure subject to
>> >> MitM attacks on CA chains, which is not more difficult than
>> >> MitM attacks on ISP chains.
>> >
>> > I think at this point we have reached a point where your repeated
>> > claims lack any merit
>>
>> So, you ignore diginotar to have demonstrated that PKI to
>> blindly trust untrustworthy TTPs is cryptographically
>> insecure.
>>
>
> This is where your error is introduced. DNSSEC does not involve blind
> trust.
>
> Previous statements by you (Ohta-san) in this thread, and observations or
> counter-points:
>
> If a resolver correctly knows an IP address of a nameserver of a
>> parent zone and the resolver and the nameserver can communicate
>> with long enough ID, the resolver can correctly know an IP
>> address of a nameserver of a child zone, which is secure enough
>> data origin security.
>>
>
> The difference between this model (client to server transport security
> using IDs) and DNSSEC, is that DNSSEC is resistant to any MITM attacks, so
> long as the resolver's root trust anchor is the same as the one published
> by ICANN/IANA and used to sign the root zone.
>
> It is correct that the single element is a necessary component of the
> trust model for DNSSEC. It is not a dependency within DNSSEC that the
> endpoint's connectivity must be transport-secured or impervious to hijack.
> DNSSEC does not care where the data lives or how it is retrieved. It
> protects the data cryptographically.
>
>  The point is that DNSSEC, or PKI in general, is not cryptographically
>> secure merely blindly trusting untrustworthy intermediate systems,
>> which means it is against the end to end principle, improperly
>> called TTPs (Trusted Third Parties).
>
>
> I think this is where your argument fails. The trust in DNSSEC is not
> blind. The validation which is done by a resolver can be confirmed by an
> end-host, along the entire chain (tree) from root to leaf.
>
> In order to achieve complete compromise, the adversary (e.g. state) would
> need to compromise every software stack on every host and every resolver,
> and block access to every external place that could provide contradictory
> results.
>
> Given that the root trust anchor is public, and published on the IANA's
> web site with all the appropriate protections, this means anyone can
> publish the same information on their own web site, e.g. protected by TLS.
>
> The only way this would not be available to someone under the control of
> that adversary, would be the compromise of every CA's cert, or publishing
> competing certs for every TLS cert in existence, or to prevent any access
> to external sites entirely.
>
> The notion that a state exercising that level of control would also permit
> the long-enough ID communication to enable your alternative to function,
> does not seem credible.
>
> This devolves down to two possibilities: your method is not viable if the
> efforts needed to block use of the Root Trust Anchor are undertaken; or if
> the efforts needed to block the Root Trust Anchor are not undertaken (in
> their entirety), attempts to replace the Root Trust Anchor are detectable,
> which also means the real Root Trust Anchor can be obtained and validated,
> and once the latter is done, DNSSEC continues to be cryptographically
> secure.
>
> The actual real root trust anchor is not feasible to compromise, nor are
> the signing mechanisms involved for signing the root zone. A secured root
> zone and root trust anchor makes it impossible to compromise any zone
> protected by its parent, with the root zone anchoring those protections.
>
> DNSSEC is not blind trust. The ability to compromise via spoofing requires
> compromise of a parent. The root zone cannot feasibly be compromised.
> Therefore DNSSEC is secure.
>
>  I concur with the rest of the folks on this thread, this subject thread
> is effectively concluded.
>
> This message is mostly for your (Ohta-san's) benefit to understand why
> DNSSEC is not in the same category as WebPKI in terms of the trust model
> and trust mechanisms.
>
> There is an analogy in infinities:
> The rational numbers and real numbers are both infinite, but the infinity
> of the real numbers is "uncountable", a larger infinity than the infinity
> of the rational numbers, which are "countable".
>
> Brian
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email