Re: [DNSOP] Empty Non-Terminal vs NXDOMAIN in draft-ietf-dnsop-nsec-aggressiveuse
Warren Kumari <warren@kumari.net> Tue, 18 October 2016 16:24 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B44F31296BC for <dnsop@ietfa.amsl.com>; Tue, 18 Oct 2016 09:24:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RoqC6txeyjON for <dnsop@ietfa.amsl.com>; Tue, 18 Oct 2016 09:24:49 -0700 (PDT)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA72D1294E2 for <dnsop@ietf.org>; Tue, 18 Oct 2016 09:24:49 -0700 (PDT)
Received: by mail-qk0-x229.google.com with SMTP id z190so301112666qkc.2 for <dnsop@ietf.org>; Tue, 18 Oct 2016 09:24:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2zmhh+A8+7XRqzILKnmuAtBhTWSBnWDcHwVkRdQHDeg=; b=XOd5vplpYwZ4aUTjoFqwZ6IQKYZaDPmUwk5PJ6iAi5YYI71rbJQNO50/SGb+zW2QMz SpfCVn4t1raePamma9hhtVicidzddkAD0OyUTchOY8wzVflASgMcE0ZqXB4ynO3+CTIG AhsJAbNNDDg0kI4yxIahHtiFT+9cdayuIbiSSJVpLMrV4Cou2t4dQRUQzW/rJvLaaeRQ UyiA5gBva74MlhnfxkmzGjul4w+Wh11pCds7GGaWi/MjlRqVXGci8HRCRmzHpfkZfVjR p/X3E+Fu9K+ac+ILhV7v5CGoSWi4GWo3cRu95JwXxPzNzPv93fI1SnuQVOlypwzJpwpV +w5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2zmhh+A8+7XRqzILKnmuAtBhTWSBnWDcHwVkRdQHDeg=; b=OCAFTxXwgA880eC5MV3H5v7VEqHmF6x57xM3k1qH9OuejOoN+XcO0nzLWtoXW8Ibld DLuwpPpq1zU+1XjhgoRbCB2AHFsjzX/1ZSfKPBq4TQSWlR7uJfg4cOuzApP4Gy0MEM4p 4gugp8NJQHijzhEXgI4R14jlwoXNFQnE8J9Ec+UpOksWxafAx6C4MnSyv7EUM7gSKgjS zlkx0S3GHDx3jisR6nuq10HUj3GslNPYtmN28N29K3vVvbdXCHxXaC5pCDieIdvj8mTh 65rm+pa+2BdoVHn+Gxw2ZlyOEPgjE+VU98UCbZfu6LzDWdTjc/ZecTWIPnDpve6tyse/ 7W9A==
X-Gm-Message-State: AA6/9RkmYMD1VtGL2ccGfTU7BnKTfx9yaLaIeULdqvFvMKT3unQZdXGeWyId+dMxbCC6Kwt7QG5yjmTYLwgsyiSy
X-Received: by 10.55.151.70 with SMTP id z67mr1460394qkd.185.1476807888700; Tue, 18 Oct 2016 09:24:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.147.196 with HTTP; Tue, 18 Oct 2016 09:24:18 -0700 (PDT)
In-Reply-To: <20161010221511.7C7735628F23@rock.dv.isc.org>
References: <EA312F37-2E4C-45E0-AF0A-B0A0663B73E8@dnss.ec> <20161010203908.EE0225626F0A@rock.dv.isc.org> <0BE787CD-3877-48C0-8BF9-3E15F605D314@dnss.ec> <20161010221511.7C7735628F23@rock.dv.isc.org>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 18 Oct 2016 12:24:18 -0400
Message-ID: <CAHw9_iK9fQvT0Kd1iZC1L_2q-_D9ApO7OTSRTkrD1+VPPTGGKw@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hTgBw2BDkcEcbbi9B-CUK1yEWso>
Cc: dnsop <dnsop@ietf.org>, Roy Arends <roy@dnss.ec>
Subject: Re: [DNSOP] Empty Non-Terminal vs NXDOMAIN in draft-ietf-dnsop-nsec-aggressiveuse
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 16:24:52 -0000
On Mon, Oct 10, 2016 at 6:15 PM, Mark Andrews <marka@isc.org> wrote: > > In message <0BE787CD-3877-48C0-8BF9-3E15F605D314@dnss.ec>, Roy Arends writes: >> On 10 Oct 2016, at 21:39, Mark Andrews <marka@isc.org> wrote: >> >=20 >> >=20 >> > In message <EA312F37-2E4C-45E0-AF0A-B0A0663B73E8@dnss.ec>, Roy Arends = >> writes: >> >> Having read the draft >> >>=20 >> >> How does one distinguish a Empty Non-Terminal NODATA response from an >> >> NXDOMAIN response, solely by looking at the NSEC or NSEC3 records. >> >=20 >> > NSEC: Find the NSEC record that proves that there are no records >> > at the given name (note all of the owner, the next domain name and >> > the bit map need to be examined to do this). It either the owner >> > name or the next domain name of that record are a subdomain of the >> > given name then it is a ENT otherwise it is a NXDOMAIN. >> >> Thanks Mark. >> >> There should be some guidance to this in the draft. >> >> To be complete, for NSEC3: each empty non-terminal has an NSEC3 record = >> associated with it, so there is always a matching NSEC3 record. >> >> The issue remains with NSEC. It is possible to determine the difference. = >> It is important to determine the difference. This method is not = >> specified in the draft that encourages this local optimisation. >> >> Warmly >> >> Roy Mark, I hope you don't mind, but I stole your below text and included it as an Appendix in the NSEC document. It's been pushed to GitHub -- https://github.com/wkumari/draft-ietf-dnsop-nsec-aggressiveuse W > > If the NSEC record has not been verified as secure discard it. > > If the given name sorts before or matches the NSEC owner name discard > it as it does not prove the NXDOMAIN or ENT. > > If the given name is a subdomain of the NSEC owner name and the NS > bit is present and the SOA bit is absent then discard the NSEC as > it is from a parent zone. > > If the next domain name sorts after the NSEC owner name and the > given name sorts after or matches next domain name then discard the > NSEC record as it does not prove the NXDOMAIN or ENT. > > If the next domain name sorts before or matches the NSEC owner name > and the given name is not a subdomain of the next domain name then > discard the NSEC as it does not prove the NXDOMAIN or ENT. > > You now have a NSEC record that proves the NXDOMAIN or ENT. > > If the next domain name is a subdomain of the given name you have > a ENT otherwise you have a NXDOMAIN. > >> >=20 >> >> There is an attack vector where an RCODE0 can be replaced by RCODE3 = >> while >> >> keeping the rest of the response completely intact, causing an = >> aggressive >> >> use enabled cache to deny existing records. >> >>=20 >> >> These kind of subtleties arent described in the draft, as far as I = >> can >> >> tell. >> >>=20 >> >> Roy >> >> _______________________________________________ >> >> DNSOP mailing list >> >> DNSOP@ietf.org >> >> https://www.ietf.org/mailman/listinfo/dnsop >> >=20 >> > --=20 >> > Mark Andrews, ISC >> > 1 Seymour St., Dundas Valley, NSW 2117, Australia >> > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org >> > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [DNSOP] Empty Non-Terminal vs NXDOMAIN in draft-i… Roy Arends
- Re: [DNSOP] Empty Non-Terminal vs NXDOMAIN in dra… Mark Andrews
- Re: [DNSOP] Empty Non-Terminal vs NXDOMAIN in dra… Roy Arends
- Re: [DNSOP] Empty Non-Terminal vs NXDOMAIN in dra… Mark Andrews
- Re: [DNSOP] Empty Non-Terminal vs NXDOMAIN in dra… Warren Kumari