Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-10.txt

Michael StJohns <msj@nthpermutation.com> Tue, 19 December 2017 23:05 UTC

To: dnsop@ietf.org
References: <151370939722.7367.18068254315788230511@ietfa.amsl.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <e6108779-5b9a-df26-f0fa-0b7c99a1b04b@nthpermutation.com>
Date: Tue, 19 Dec 2017 18:05:12 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dP6fedSjTiM29SZWoEBjhRGfBYk>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-10.txt

I didn't think this could get worse.  I was wrong.

I can't support any version of this document for publication.  In the 
same way that activeRefreshOffset is a nonsensical value, so too are 
driftSafetyMargin and timingSafetyMargin.

1) Drift happens per query.
2) Any drift that happens related to the multiple queries in the 
addHoldDown interval can safely be ignored with respect to its impact on 
the overall wait time for the publisher.  (e.g. all the drift is going 
to do is change the phase of the last query in the interval with respect 
to the end of the addHoldDown time)
3) The only other drift that may be of interest is the drift at the 
beginning and end of the queryInterval where the end of the interval is 
the beginning of the addHoldDown interval. Given that a typical drift is 
something like 1-60 seconds it can safely be ignored related to all the 
other stuff.

Timing safety margin is based on the nonsensical driftSafetyMargin and 
activeRefreshOffset and is then by definition also nonsensical.

(And yes, I realize that Wes has set driftSafetyMargin to activeRefresh 
meaning that calculated results are identical to what I want, but 
there's no analysis that supports the use of a driftSafetyMargin and 
this just seems to be sleight of hand to replace activeRefreshOffset 
with a term that has a value activeRefresh... *pounds head against wall*)

Please delete 6.1.6, 6.1.7 and 6.1.8 and fix the formulas accordingly.


Again:

addWaitClockTime = lastSigExpirationTime + activeRefresh + 
addHoldDownTime + activeRefresh + safetyMargin (which now seems to be 
labeled retrySafetyMargin).


Mike



On 12/19/2017 1:49 PM, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
>
>          Title           : Security Considerations for RFC5011 Publishers
>          Authors         : Wes Hardaker
>                            Warren Kumari
>          Filename        : draft-ietf-dnsop-rfc5011-security-considerations-10.txt
>          Pages           : 19
>          Date            : 2017-12-19
>
> Abstract:
>     This document extends the RFC5011 rollover strategy with timing
>     advice that must be followed by the publisher in order to maintain
>     security.  Specifically, this document describes the math behind the
>     minimum time-length that a DNS zone publisher must wait before
>     signing exclusively with recently added DNSKEYs.  This document also
>     describes the minimum time-length that a DNS zone publisher must wait
>     after publishing a revoked DNSKEY before assuming that all active
>     RFC5011 resolvers should have seen the revocation-marked key and
>     removed it from their list of trust anchors.
>
>     This document contains much math and complicated equations, but the
>     summary is that the key rollover / revocation time is much longer
>     than intuition would suggest.  If you are not both publishing a
>     DNSSEC DNSKEY, and using RFC5011 to advertise this DNSKEY as a new
>     Secure Entry Point key for use as a trust anchor, you probably don't
>     need to read this document.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5011-security-considerations/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-rfc5011-security-considerations-10
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc5011-security-considerations-10
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-rfc5011-security-considerations-10
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
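Added worked example (written for this archive page; it is not code from Mike's message, from the draft, or from RFC 5011): it evaluates the addWaitClockTime formula Mike gives above exactly as he wrote it, with activeRefresh computed the way RFC 5011 section 2.3 defines it and addHoldDownTime fixed at the 30 days RFC 5011 requires, and then models his point 2 by running a resolver's hold-down queries with a per-query drift to show that the drift only moves the phase of the final query. Zone parameters, dates and drift values are constructed samples; `simulate_acceptance` and `example_scenario` are my own helper names.

```python
"""Publisher add-wait time per the formula in Mike's message, plus a
drift simulation for his point 2.  Added example; all inputs constructed."""
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
ADD_HOLD_DOWN = 30 * DAY  # RFC 5011 add hold-down time


def active_refresh(orig_ttl, rrsig_expiration_interval):
    """RFC 5011 section 2.3:
    ActiveRefresh = MAX(1 hr, MIN(15 days, 1/2 * OrigTTL, 1/2 * RRSigExpirationInterval))."""
    return max(HOUR, min(15 * DAY, orig_ttl / 2, rrsig_expiration_interval / 2))


def add_wait_clock_time(last_sig_expiration_time, refresh, safety_margin,
                        hold_down=ADD_HOLD_DOWN):
    """Mike's formula, applied as written:
    addWaitClockTime = lastSigExpirationTime + activeRefresh
                       + addHoldDownTime + activeRefresh + safetyMargin
    Returns the earliest clock time at which the publisher may sign with
    only the newly added key."""
    return last_sig_expiration_time + refresh + hold_down + refresh + safety_margin


def simulate_acceptance(first_seen, refresh, drifts, hold_down=ADD_HOLD_DOWN):
    """Model of one RFC 5011 resolver (constructed, not a real implementation):
    it first sees the new key at `first_seen`, then re-queries every
    activeRefresh, each query landing late by the next drift value in the
    cycle.  The key is accepted at the first query at which it has been
    present for the whole hold-down.  Returns that query's clock time."""
    t = first_seen
    i = 0
    while t - first_seen < hold_down:
        t += refresh + drifts[i % len(drifts)]
        i += 1
    return t


def example_scenario():
    """Constructed zone: DNSKEY TTL 2 days, RRSIG validity 14 days,
    last old-key-only RRSIG expires 2018-01-01T00:00Z, 1 hour safety margin,
    resolver drift of 1, 60 and 30 seconds per query (Mike's 1-60 s range)."""
    refresh = active_refresh(2 * DAY, 14 * DAY)          # 1 day
    last_sig_exp = datetime(2018, 1, 1, tzinfo=timezone.utc)
    ready = add_wait_clock_time(last_sig_exp, refresh, safety_margin=HOUR)
    first_seen = last_sig_exp + refresh                   # slowest first sighting
    drifts = [timedelta(seconds=s) for s in (1, 60, 30)]
    accepted = simulate_acceptance(first_seen, refresh, drifts)
    # Phase shift of the final query relative to first_seen + hold-down:
    # the accumulated drift only, which is far inside one activeRefresh.
    phase_shift = accepted - (first_seen + ADD_HOLD_DOWN)
    return {
        "refresh": refresh,
        "ready": ready,
        "accepted": accepted,
        "phase_shift": phase_shift,
        "publisher_waits_long_enough": accepted <= ready,
    }


if __name__ == "__main__":
    for k, v in example_scenario().items():
        print(f"{k:>30}: {v}")
```

With these sample values activeRefresh comes out at one day, the publisher may sign with the new key alone from 2018-02-02T01:00Z, and the drifting resolver accepts the key on 2018-02-01T00:15:10Z: the 30 drifted queries move the final query by 910 seconds in total, which is the phase change Mike describes, not a term that needs its own margin.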