[DNSOP] Re: Fwd: New Version Notification for draft-yorgos-dnsop-dry-run-dnssec-02.txt
Peter Thomassen <peter@desec.io> Fri, 19 July 2024 16:57 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA508C14F711 for <dnsop@ietfa.amsl.com>; Fri, 19 Jul 2024 09:57:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=desec.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VldRh4vph-eU for <dnsop@ietfa.amsl.com>; Fri, 19 Jul 2024 09:57:13 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A195C14F703 for <dnsop@ietf.org>; Fri, 19 Jul 2024 09:57:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=desec.io; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=wR/h5g4/n2pBtyQKEMDwy3VX8UQ715YYJ+9mVPo+vaw=; b=E8XFy7T5pVjJaFunSerfSZVRX1 dzXhTwc5LUPa6FZ9QL3WaF4w5QI1qynMXmyENsnkaXJB/mo5a40wjpQeUA16nEYYujIJR42jcON0g gEas1lNZ8YzJWAoLBuyQ8Fi45Dx9/UhAeIAFDy3cLsKyytC2VYMV6y9Ge0pz7q4UQiGcqz8J0ugdK np8kRn5fSLc+/5XNgcypYIQyTOnucjtlyJFv2bKmNf6jjzzf72m0VAdA+UCJOi8dpS02HCmnluYCB NDLMchumUcvHQsxGFw3vVtwql9Mm8TV1lCJW5QFhAAaWmG86L+cjT2PMO5x4F7rYRfrXck9HEgUVQ 2Jc+GK0g==;
Received: from s01068815449eeaf1.vn.shawcable.net ([96.49.56.2] helo=[10.100.0.31]) by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <peter@desec.io>) id 1sUqur-000JFX-7D; Fri, 19 Jul 2024 18:57:09 +0200
Message-ID: <6dbdacc0-51b1-4180-bbb6-e70c17695e8c@desec.io>
Date: Fri, 19 Jul 2024 09:57:05 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>, dnsop@ietf.org
References: <172046952695.458153.14393628216486074514@dt-datatracker-5f88556585-j5r2h> <659a0f2a-eb82-4769-ad80-63e4f3a24978@nlnetlabs.nl> <SA1PR15MB43700A14CBADA73B4F63D766B3A22@SA1PR15MB4370.namprd15.prod.outlook.com> <4d0cb8bc-4c18-42aa-bc7d-18cf6ad7c90c@nlnetlabs.nl>
Content-Language: en-US
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <4d0cb8bc-4c18-42aa-bc7d-18cf6ad7c90c@nlnetlabs.nl>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: JVQKXQ3HMGPMDX5W4JXDOHZQX4MYX47F
X-Message-ID-Hash: JVQKXQ3HMGPMDX5W4JXDOHZQX4MYX47F
X-MailFrom: peter@desec.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Fwd: New Version Notification for draft-yorgos-dnsop-dry-run-dnssec-02.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dKnOPDwzm_TO3YC_kwbz3ViGFSE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
On 7/19/24 08:34, Yorgos Thessalonikefs wrote: >> I'm also interested in the possibilities for malicious use of this extension. Can a malicious domain cause a resolver to do an enormous amount of work? Can a malicious intermediary cause an enormous volume of error reports? > For validation work, the resolver could be made to try validation twice; once with dry-run DSes, and if that fails, once more with the real DSes. > "try validation" could mean a lot of things for validating software but with the recent KeyTrap family of vulnerabilities, validators should have sufficient strategies/limits to mitigate excessive use of validation time. > Since dry-run may need to restart validation with the real DSes those strategies/limit would need to be restarted as well. This implies that supporting dry-run means that a validator can't commit to the actual work it is will to do. This seems like it could be a problem; I'm curious to learn what resolver folks say. Example: - Consider a validator to be willing to perform work W in a certain situation. - With dry-run: * can be exhausted with dry-run DS records * to follow real DS, work count is then restarted for real DS --> total work = 2W * If the resolver really wants to limit its work to W, it could commit to only W/2 --> in the worst case, work is still bound by 2 * W/2 = W - Now, when there is *no* dry-run DS, should the validator spend work W or W/2? * There's probably little reason to bound by W/2, because actual willingness is W * Work bounds with dry-run would then be W/2, and in real life would be W --> In this case, validation strategies for dry-run and real life would differ! Probably not intended ... To prevent this discrepancy between how dry-run and real validation is done, the resolver either needs to halve its work bounds (which is a disadvantage for real deployments), or commit to twice the work it is willing to do. Hmm.... Peter -- https://desec.io/
- [DNSOP] Re: New Version Notification for draft-yo… Mark Andrews
- [DNSOP] Fwd: New Version Notification for draft-y… Yorgos Thessalonikefs
- [DNSOP] Re: Fwd: New Version Notification for dra… Ben Schwartz
- [DNSOP] Re: New Version Notification for draft-yo… Mark Andrews
- [DNSOP] Re: New Version Notification for draft-yo… libor.peltan
- [DNSOP] Re: New Version Notification for draft-yo… libor.peltan
- [DNSOP] Re: Fwd: New Version Notification for dra… Yorgos Thessalonikefs
- [DNSOP] Re: New Version Notification for draft-yo… Mark Andrews
- [DNSOP] Re: New Version Notification for draft-yo… Mark Andrews
- [DNSOP] Re: New Version Notification for draft-yo… Yorgos Thessalonikefs
- [DNSOP] Re: New Version Notification for draft-yo… Yorgos Thessalonikefs
- [DNSOP] Re: Fwd: New Version Notification for dra… Peter Thomassen
- [DNSOP] Re: Fwd: New Version Notification for dra… Philip Homburg
- [DNSOP] Re: Fwd: New Version Notification for dra… Peter Thomassen
- [DNSOP] Re: Fwd: New Version Notification for dra… Yorgos Thessalonikefs
- [DNSOP] Re: Fwd: New Version Notification for dra… Philip Homburg
- [DNSOP] Re: Fwd: New Version Notification for dra… Mark Andrews