Re: [DNSOP] Comments on draft-wessels-dns-zone-digest-02

Paul Wouters <paul@nohats.ca> Mon, 20 August 2018 15:40 UTC

Date: Mon, 20 Aug 2018 11:40:03 -0400
From: Paul Wouters <paul@nohats.ca>
To: Brian Dickson <brian.peter.dickson@gmail.com>
cc: Bob Harold <rharolde@umich.edu>, "dnsop@ietf.org WG" <dnsop@ietf.org>

On Mon, 20 Aug 2018, Brian Dickson wrote:

>> Those zones would have a signed ZONEMD but no DS record leading to a
>> validated path anyway, so those are lost without an external (from
>> DNSSEC) PKI which falls very far outside the scope of ZONEMD.
>> 
>> Paul
>
> What Shumon was referring to is the actual TLD zones themselves.
>
> For example, the NS sets for COM have nameserver names under gtld-servers.net, which is an unsigned zone. 
>
> The A/AAAA records, needed for finding the COM servers aren’t signed, even if attempting to find the AA answer. 
>
> What ZONEMD would provide is a method of validation of the non-authoritative A/AAAA (glue) for the TLD itself.

It wouldn't add anything. To trust the ZONEMD record, you would need to
have traveled the DS chain from root to .com anyway and gotten valid
answers. At that point you are at the child and you can (and have to)
confirm the DNSKEY there, and then you might as well also confirm the
parental glue you followed in the child you found, since you've reached
that child zone anyway (which secure validating resolvers already do
anyway).

> While not as strong as using NS names in a signed zone, it is still a method of preventing poisoning of those glue records (A/AAAA specifically).

You can never prevent poisoning. You have to blindly follow any glue and
verify at the alleged child zone that you reached the real thing, since
IP redirections or MITM are always possible.

> NB: root-servers.net is unsigned.

The number of insecure hops doesn't matter. What matters is finding a
signed zone with a DNSKEY that matches the DS record.

And also as I said before, the attackers that can change glue on you
dwarf in comparison with upstream hops that can just redirect IP
traffic, which accomplishes the exact same thing. Fixing the 1% isn't
helpful when any hotel/coffeeshop can redirect your IP streams to
say 192.5.6.30 anyway.

Paul
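The argument above (trust comes from matching the child's DNSKEY against the parent's DS, not from which glue IP got you there) as an added illustration that is not part of this thread. It uses constructed keys and documentation IP addresses, not real .com data; the DS digest and key-tag computations follow RFC 4034 and RFC 4509.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (non-RSA/MD5 algorithms)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256) over owner-name wire form || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def child_matches_ds(owner: str, ds: tuple, dnskeys: list) -> bool:
    """True if any DNSKEY served by the host we reached matches the parent's DS."""
    tag, alg, digest = ds
    for rdata in dnskeys:
        # rdata[3] is the algorithm byte (flags occupy bytes 0-1, protocol byte 2).
        if rdata[3] == alg and key_tag(rdata) == tag and ds_digest(owner, rdata) == digest:
            return True
    return False

# Constructed keys (hypothetical, not the real .com KSK): the genuine KSK and a rogue one.
GENUINE_KSK = dnskey_rdata(257, 13, bytes.fromhex("01" * 64))
ROGUE_KSK = dnskey_rdata(257, 13, bytes.fromhex("02" * 64))
# The parent (root) publishes a DS derived from the genuine child KSK.
PARENT_DS = (key_tag(GENUINE_KSK), 13, ds_digest("com.", GENUINE_KSK))

# Simulated hosts reached via glue (documentation addresses): one is the honest
# server, the other is where poisoned glue or an on-path IP redirect sent us.
# The resolver cannot tell from the glue; it only learns at the child by
# checking the DNSKEY it is served against the DS it already validated.
SERVERS = {"192.0.2.1": [GENUINE_KSK], "198.51.100.1": [ROGUE_KSK]}

def validate_via_glue(glue_ip: str) -> bool:
    """Follow the glue blindly, then verify the alleged child against PARENT_DS."""
    return child_matches_ds("com.", PARENT_DS, SERVERS.get(glue_ip, []))
```

Whether the resolver reached the host through one unsigned hop or several makes no difference to the outcome; only the DS-to-DNSKEY match does.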