Re: [DNSOP] some 2015-era thoughts about RFC 7706 -bis
Evan Hunt <each@isc.org> Thu, 25 July 2019 16:52 UTC
Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 928D8120142 for <dnsop@ietfa.amsl.com>; Thu, 25 Jul 2019 09:52:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DTKiJtzf04Po for <dnsop@ietfa.amsl.com>; Thu, 25 Jul 2019 09:52:37 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09DC412013D for <dnsop@ietf.org>; Thu, 25 Jul 2019 09:52:37 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed2.isc.org [IPv6:2001:4f8:1:f::88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id B1FEE3AB008; Thu, 25 Jul 2019 16:52:33 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id 7FE3E4A53F; Thu, 25 Jul 2019 16:52:33 +0000 (UTC)
Date: Thu, 25 Jul 2019 16:52:33 +0000
From: Evan Hunt <each@isc.org>
To: Shumon Huque <shuque@gmail.com>
Cc: Paul Vixie <paul@redbarn.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Message-ID: <20190725165233.GA186@isc.org>
References: <3673081.H4C9ml97Qf@linux-9daj> <20190725054450.GC92610@isc.org> <CAHPuVdWTJqKQxQT=H2N9vqyfTTu78M+P+sYKGqq1u0_=UZfwrg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAHPuVdWTJqKQxQT=H2N9vqyfTTu78M+P+sYKGqq1u0_=UZfwrg@mail.gmail.com>
User-Agent: Mutt/1.11.4 (2019-03-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dIucKsUjhakhOtAIBUQg66fLns0>
Subject: Re: [DNSOP] some 2015-era thoughts about RFC 7706 -bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 16:52:39 -0000
On Thu, Jul 25, 2019 at 11:15:22AM -0400, Shumon Huque wrote: > Can you elaborate on how you plan to do this? > > One of the things that has always annoyed me about RFC7706 (and its > successor I-D) is that it offers no suggestions on how to validate that you > got a correct copy of the entire root zone. The example configurations > given in the appendix are all insecure - they rely on unauthenticated zone > transfer. I wouldn't say "insecure", exactly, but you're partly right - in the examples in RFC 7706, the zone transfer itself would be insecure, but once the zone was transfered, answers would still be validated. That's why the local mirror is set up in a separate auth server or view - it prevents answers from being returned as authoritative data, without validation. So clients do still have some protection; the problem is, there's no automatic recovery if the transfer is bad. Clients would start to SERVFAIL and the local root wouldn't know it had a problem. BIND 9 mirror zones address this in two ways: first, the zone is validated when transferred; the transfer is rejected if any bogus RRsets are found or if the NSEC chain is incompete. Second, if the zone is unusable, either because it failed to transfer in the first place or because it expired without a successful refresh, named automatically fails over to normal recursion to the root. This doesn't address the problem of glue and delegation NS records, but those aren't subject to DNSSEC validation during normal recursion anyway, so clients aren't substantially worse off. The transfer does represent an attack surface that wasn't there before, but it would be an extremely difficult one to exploit. That said, ZONEMD or XoT would improve things further, and I hope the root zone will adopt one or both. In the more general case for validating zone transfers, the idea is to have a sanity check that signatures are good before a secondary starts serving a zone. This is mostly about preventing self-foot-shooting incidents; ZONEMD isn't strictly necessary for it. -- Evan Hunt -- each@isc.org Internet Systems Consortium, Inc.
- [DNSOP] some 2015-era thoughts about RFC 7706 -bis Paul Vixie
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Brian Dickson
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Tony Finch
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Evan Hunt
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Paul Vixie
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Vladimír Čunát
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Shumon Huque
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Evan Hunt