Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-06.txt

Philip Homburg <pch-dnsop-5@u-1.phicoh.com> Mon, 18 March 2024 09:34 UTC

Message-Id: <m1rm9NQ-0000LXC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
Cc: Florian Obser <florian+ietf@narrans.de>
From: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
Sender: pch-b538D2F77@u-1.phicoh.com
References: <171073157523.47754.45386078992453305@ietfa.amsl.com> <m1msqwaur1.fsf@narrans.de>
In-reply-to: Your message of "Mon, 18 Mar 2024 08:01:38 +0100 ." <m1msqwaur1.fsf@narrans.de>
Date: Mon, 18 Mar 2024 10:33:51 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/h57VKUSi5hUFldF-blFcSWNkZMg>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-06.txt

In your letter dated Mon, 18 Mar 2024 08:01:38 +0100 you wrote:
>On 2024-03-17 20:12 -07, internet-drafts@ietf.org wrote:
>> Internet-Draft draft-ietf-dnsop-ns-revalidation-06.txt is now available. It is
>
>| 7.  Security Considerations
>| [...]
>| In case of non DNSSEC validating
>| resolvers, an attacker controlling a rogue name server for the root
>| has potentially complete control over the entire domain name space
>| and can alter all unsigned parts undetected.
>
>can alter *all* parts undetected.
>
>It's a non-DNSSEC validating resolver, it doesn't care about signed or
>unsigned. Maybe just drop that sentence, it doesn't add much.

A non-DNSSEC-validating resolver may have downstream validators that can detect
changes to signed data. So an attacker who wishes to stay undetected has to be
careful not to modify signed data.

I guess the authors should add some clarifying text here to make clear why,
in the case of a non-validating resolver, the attacker can only alter the
unsigned parts.
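To make the point above concrete, here is an added Go example (not part of this thread or of the draft) that models a non-validating upstream resolver whose answers are rewritten by a rogue root, with a validating stub downstream. It simplifies DNSSEC heavily: the RRSIG/DNSKEY wire formats are replaced by an Ed25519 signature over a canonical form of the RRset, the chain of trust is a single trust anchor for the zone key, and the names and addresses are constructed sample data. The outcome it shows is the one Philip describes: a rewritten signed RRset comes back Bogus at the downstream validator, while a rewritten unsigned RRset is simply Insecure and indistinguishable from the genuine answer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRSet is a simplified resource record set: owner name, type, rdata values and,
// for a signed zone, a signature standing in for the RRSIG record (toy model).
type RRSet struct {
	Name string
	Type string
	Data []string
	Sig  []byte // nil means the zone is unsigned (an insecure delegation)
}

// Status is what a downstream validator concludes about an answer.
type Status int

const (
	Insecure Status = iota // unsigned data: nothing to check, changes undetectable
	Secure                 // signature verifies against the trusted zone key
	Bogus                  // signature present but does not verify: tampering detected
)

func (s Status) String() string {
	return []string{"Insecure", "Secure", "Bogus"}[s]
}

// canonical returns the bytes that are signed: owner name lowercased and rdata
// sorted, mirroring the canonical RRset form DNSSEC signs over.
func canonical(rr RRSet) []byte {
	data := append([]string(nil), rr.Data...)
	sort.Strings(data)
	return []byte(strings.ToLower(rr.Name) + "|" + rr.Type + "|" + strings.Join(data, ","))
}

// Sign attaches a signature to the RRset, as the zone's signer would.
func Sign(priv ed25519.PrivateKey, rr RRSet) RRSet {
	rr.Sig = ed25519.Sign(priv, canonical(rr))
	return rr
}

// Tamper models a rogue root (or any non-validating upstream) rewriting the
// rdata of an answer on its way downstream. The signature is left as-is because
// the attacker does not hold the zone's private key.
func Tamper(rr RRSet, newData ...string) RRSet {
	rr.Data = newData
	return rr
}

// Validate is the downstream validator's check. It trusts only the zone key it
// has a chain of trust to (here a single trust anchor, an assumption of this
// toy model), never the upstream resolver.
func Validate(zoneKey ed25519.PublicKey, rr RRSet) Status {
	if rr.Sig == nil {
		return Insecure
	}
	if ed25519.Verify(zoneKey, canonical(rr), rr.Sig) {
		return Secure
	}
	return Bogus
}

// Scenario builds one signed and one unsigned RRset (constructed sample data),
// lets the rogue upstream rewrite both, and returns what the validator sees.
func Scenario() (signedOK, signedTampered, unsignedTampered Status, err error) {
	zoneKey, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	signed := Sign(priv, RRSet{Name: "www.signed.example.", Type: "A", Data: []string{"192.0.2.10"}})
	unsigned := RRSet{Name: "www.unsigned.example.", Type: "A", Data: []string{"192.0.2.20"}}

	signedOK = Validate(zoneKey, signed)
	signedTampered = Validate(zoneKey, Tamper(signed, "198.51.100.66"))
	unsignedTampered = Validate(zoneKey, Tamper(unsigned, "198.51.100.66"))
	return
}

func main() {
	a, b, c, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("signed, untouched:           ", a)
	fmt.Println("signed, rewritten upstream:  ", b)
	fmt.Println("unsigned, rewritten upstream:", c)
}
```

The Insecure result for the unsigned case is the operational takeaway: a downstream validator gives the operator a detection signal (Bogus answers, typically visible as SERVFAIL at the stub and in validator logs) only for signed data, which is why the draft's sentence limits the undetected alterations to the unsigned parts.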