Re: [DNSOP] nsec3-parameters opinions gathered

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 08 November 2021 18:09 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD5E83A0D2D for <dnsop@ietfa.amsl.com>; Mon, 8 Nov 2021 10:09:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T8DFIRc072d1 for <dnsop@ietfa.amsl.com>; Mon, 8 Nov 2021 10:09:53 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71C293A0D64 for <dnsop@ietf.org>; Mon, 8 Nov 2021 10:09:53 -0800 (PST)
Received: from smtpclient.apple (unknown [63.88.3.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 8DCC4BD9C7 for <dnsop@ietf.org>; Mon, 8 Nov 2021 13:09:51 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <f3622705-423c-84b7-be54-d0491e7f5062@andreasschulze.de>
Date: Mon, 08 Nov 2021 13:09:49 -0500
Content-Transfer-Encoding: quoted-printable
Reply-To: dnsop@ietf.org
Message-Id: <50917406-6FAF-4851-995A-B686F53E27B4@dukhovni.org>
References: <ybl7ddnr16f.fsf@w7.hardakers.net> <206e17b4-a920-8e3e-586d-ecc29855fae3@nic.cz> <45a10ca4-93e1-3c9c-7434-83c387d5246e@NLnetLabs.nl> <E354E8D8-5584-4607-A98D-76869F5CC68B@ogud.com> <f3622705-423c-84b7-be54-d0491e7f5062@andreasschulze.de>
To: dnsop@ietf.org
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eP3pPi_Gv1c4AKZqWzpwkFJvOOM>
Subject: Re: [DNSOP] nsec3-parameters opinions gathered
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 18:10:00 -0000

> On 8 Nov 2021, at 12:55 pm, A. Schulze <sca@andreasschulze.de> wrote:
> 
> sorry for maybe asking an already answered question,
> but why is NSEC3 considered to have no benefit at all?

My take is that NSEC3 provides little benefit beyond the initial
(0th) iteration.

> I'm still on "NSEC allow zone-walks while NSEC3 don't"
> At least not without additional effort.

But, of course that initial iteration provides only limited protection
against zone walking, it deters *casual* attacks, by those who are not
sufficiently motivated to expend CPU on dictionary attacks (that would
likely recover a decent fraction of the names for most zones).

There are a few possible paths forward:

* Accept that sufficiently determined adversaries will mount a dictionary
  attack, but there won't be many of them.  Make do with NSEC3 and zero
  iterations.

* Accept that your zone data is not secret, publish vanilla NSEC records
  and let the zone walkers go at it.  For some TLDs, spin up a public
  AXFR service, or make zone data available via HTTPS, call it "Open Data".

* Use NSEC in combination with online signing (with ECDSA P256(13)), using
  minimal covering NSEC RRS.  These *actually* preclude offline dictionary
  attacks at the cost of online signing of negative answers.  If not leaking
  zone data is important enough, this is the actually secure way to get there.

NSEC3 is neither fish nor fowl.  Regardless of any practically realistic
iteration count, it is still vulnerable to dictionary attacks.  Its main
tangible benefit (at some non-trivial security cost) is opt-out, which is
increasingly a bad idea for most zones.

Thus we find .COM and others using "NSEC3 1 1 0 -" (just opt-out).  But
most zones, if they use NSEC3 at all, should have "NSEC3 1 0 0 -", or
just NSEC, possibly with minimal covering replies via online signing.

-- 
	Viktor.