Re: [DNSOP] On Powerbind
Mark Andrews <marka@isc.org> Wed, 15 April 2020 00:00 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50AD03A12F2 for <dnsop@ietfa.amsl.com>; Tue, 14 Apr 2020 17:00:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sCSMa3zeCDN2 for <dnsop@ietfa.amsl.com>; Tue, 14 Apr 2020 17:00:22 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 361703A12EF for <dnsop@ietf.org>; Tue, 14 Apr 2020 17:00:22 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 12E3F3AB00B; Wed, 15 Apr 2020 00:00:22 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 08495160054; Wed, 15 Apr 2020 00:00:22 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id E377016005D; Wed, 15 Apr 2020 00:00:21 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id vC_8AkP4gEgG; Wed, 15 Apr 2020 00:00:21 +0000 (UTC)
Received: from [172.30.42.69] (unknown [49.2.228.79]) by zmx1.isc.org (Postfix) with ESMTPSA id 25629160054; Wed, 15 Apr 2020 00:00:20 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.5\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAHbrMsAg4KMmMzntS-sWSeYJ3CWywC=Jv5pqBFdmCFmsY3tjUw@mail.gmail.com>
Date: Wed, 15 Apr 2020 10:00:17 +1000
Cc: Wes Hardaker <wjhns1@hardakers.net>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2E521F8C-8628-40C1-95AA-9E84D5B9C7C5@isc.org>
References: <CAHbrMsAbHV8M2GR95nyZ-vCZOGghgxrdVD5NaTC=05q16HBd5Q@mail.gmail.com> <ybllfmxvhlr.fsf@w7.hardakers.net> <CAHbrMsAg4KMmMzntS-sWSeYJ3CWywC=Jv5pqBFdmCFmsY3tjUw@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.9.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/g1XEEdqkfQrqS-duiqipHQ-MlUo>
Subject: Re: [DNSOP] On Powerbind
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2020 00:00:24 -0000
> On 15 Apr 2020, at 09:34, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote: > > > > On Tue, Apr 14, 2020, 6:16 PM Wes Hardaker <wjhns1@hardakers.net> wrote: > Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> writes: > > > If I understand correctly, the Powerbind draft is designed to reduce > > the amount of data that must be logged in order to verify appropriate > > use of a DNSKEY "K" for a delegation-only zone. I'm trying to compare > > the amount of logging required with and without Powerbind. > > > > Here's my current best guess: > > - With Powerbind, we need to log all DS records (to detect replacement) and > > NSEC and NSEC3 records (to detect repudiation) that are signed by K, along with > > their RRSIGs. Resolvers would reject any other records signed by K. > > - Without Powerbind, we need to log any record signed by K that is not on the > > apex, along with its RRSIG. > > > > But for a delegation-only zone, aren't these the same set? What else would a > > delegation-only zone be signing beyond the apex, other than DS, NSEC, and > > NSEC3? > > The point of powerbind is to specifically state "I'm delegation only". > Without knowledge of that, you end up having to log everything, per your > own conclusion, because there is no way to know if its a delegation-only > zone. > > I'm still not able to understand this. Suppose nic.footld puts a statement for humans on their website that says ".footld promises to be delegation-only". Then a log operator and its contributors can simply log everything signed by .footld's key, which should only be delegations. If anything other than a delegation shows up in the log, that is an obvious breach of the commitment. If a customer of .footld sees a delegation in the log that doesn't match their DNSKEY, they can raise a stink. > > This is without Powerbind. How does Powerbind make this better? You can effectively have every validating resolver on the planet enforcing that responses meet this policy by default with 2-3 years. Today the majority of responses from authoritative servers are processed by validating resolvers. > As the first sentence in the abstract says "This document > introduces a new DNSKEY flag called DELEGATION_ONLY that indicates that > the particular zone will never sign zone data across a label.". IE, the > whole point is to communicate that a zone is such a zone. > > This seems like it can easily be communicated just to humans, manually enabling logging for each zone of interest. Since only the TLDs and similar zones are really of any interest for logging, manually maintaining a list of zones to log is not difficult. Certificate Transparency operators similarly maintain lists of approved CAs whose certificates are permitted in their log. A curated list of this kind is required regardless; otherwise a hostile or buggy zone could spam the log with records. > > I still don't see why we need a machine-readable label to tell the logs that a zone is delegation-only, but if we do need one, we can have it without changing the behavior of recursive resolvers, and without needing to place anything in the parent (i.e. root) zone. The root zone doesn’t have anything new unless it decides it wants to declare that it is delegation only (which I think we should request that IANA does for the Internet). For a TLD to declare it is delegation only it only needs to perform a DNSKEY roll to a DNSKEY RRset with this bit set. As part of the DNSKEY roll a new DS record is published. TLDs do DNSKEY rolls all the time and push new DS records to the root all the time. There is no process change in the interactions between IANA and the TLDs for this to happen. > What am I missing? > > -- > Wes Hardaker > USC/ISI > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] On Powerbind Ben Schwartz
- Re: [DNSOP] On Powerbind Wes Hardaker
- Re: [DNSOP] On Powerbind Ben Schwartz
- Re: [DNSOP] On Powerbind Mark Andrews
- Re: [DNSOP] On Powerbind Paul Wouters
- Re: [DNSOP] On Powerbind Paul Vixie
- Re: [DNSOP] On Powerbind Mark Andrews
- Re: [DNSOP] On Powerbind Ben Schwartz
- Re: [DNSOP] On Powerbind Petr Špaček
- Re: [DNSOP] On Powerbind Stephane Bortzmeyer
- Re: [DNSOP] On Powerbind Vittorio Bertola
- Re: [DNSOP] On Powerbind Warren Kumari
- Re: [DNSOP] On Powerbind Dick Franks
- Re: [DNSOP] On Powerbind Olaf Kolkman
- Re: [DNSOP] On Powerbind Dick Franks