IETF Logo Mail Archive

Re: [DNSOP] draft-dnsop-dnssec-extension-pkix

Taekyoung Kwon <tkkwon98@gmail.com> Fri, 21 July 2023 12:37 UTC

Return-Path: <tkkwon98@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 664A2C151AF3 for <dnsop@ietfa.amsl.com>; Fri, 21 Jul 2023 05:37:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.595
X-Spam-Level:
X-Spam-Status: No, score=-1.595 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4e_bDyQ9rfeP for <dnsop@ietfa.amsl.com>; Fri, 21 Jul 2023 05:37:14 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F5E1C151AE3 for <dnsop@ietf.org>; Fri, 21 Jul 2023 05:37:14 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id 2adb3069b0e04-4fb7373dd35so3784059e87.1 for <dnsop@ietf.org>; Fri, 21 Jul 2023 05:37:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1689943031; x=1690547831; h=to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=U8lpp1AabLwmSJ0Qbe3vrB4KBXGWjFeJh8xGQO3dxpE=; b=Zab238ve/UOUZC1PS/QJVTwAEFErmk9Bd72tCSAoZWbM5eXble7lU+TuwDJGM0rfwI lGxo0sNc3aYhh/OLiaXn6rnKL8VxNIsb/a/Z5XHK2Pr160b9Yvbj1D2Ns6ZpXofdGtzu SlCqzV74VIcDDC0RdzL9k62Thj2Wl7wTPy6+SpGJFqawpZFM8XLRiPZ5BNC41l6GjPsf dpLjioUlPG+mT+z8P1Fh4KktS1Do5uO6R/Y0OGA1MtLjaYi2Sl0xBfVlnBzYwmdR4K+E YU+Jl5FboZv57q8YmeRHmEDa+L/B8PNETpC6ejT0aWAoXTwy1aGnJjAqf07bB7eMKGEj E4gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689943031; x=1690547831; h=to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=U8lpp1AabLwmSJ0Qbe3vrB4KBXGWjFeJh8xGQO3dxpE=; b=PwLmSXDxMdw2RMOGH/pOsOoOVrJ2VnM5BrXf3ZCm2njJ4AqCwSJoQD9tjbj+cOYKCs Y3Fbd72iLno7FFVv4JURZeR0PPsLAueRY+BJUIAPu95f2CBdrdqhu9dvhG/5vfVt7ENp ymd8ZemvM1WF9eBU+QE+VOxwCw6wZEkXewfKwLy9uMf7pdV9HqbQfwZBPAaU/fpIkhpi eh5lFD0U0wV1Kohyp8xp7qAl6VP/fT11tygWO6GvdrA3MquWWgIUjz+9st0gg3U0KOfw rdK+YhDSOwSp0NofyQYMXjcqJOC7nCyRhdZku3tE1UgULPrkDUGpxjgn7vWbouSaJOiy UTwQ==
X-Gm-Message-State: ABy/qLatJmKg7+7P9IBZpv9HvglqebWziOlpNbxmYQjucDuQyajSVuYl 67J0MPmFwJVoU6h1Df7yer2uncZj6nsm0xpykZhrOHiO
X-Google-Smtp-Source: APBJJlE293KM3AwmuVCz7PXCzAhuXQ4Vzi0RjkfTskCtCyx/VcuTdeyJJ/rjGaIsLPPg90h8PtQINLtffwLXWqI6GyU=
X-Received: by 2002:a05:6512:10d1:b0:4f8:6253:540 with SMTP id k17-20020a05651210d100b004f862530540mr782228lfg.19.1689943030765; Fri, 21 Jul 2023 05:37:10 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.24475.1689590257.32488.dnsop@ietf.org>
In-Reply-To: <mailman.24475.1689590257.32488.dnsop@ietf.org>
Reply-To: tkkwon98@gmail.com
From: Taekyoung Kwon <tkkwon98@gmail.com>
Date: Fri, 21 Jul 2023 21:36:59 +0900
Message-ID: <CAH4JENZy91063yvU9QzNseJWotR=6Om9rSfzOeHya=ND8is-4w@mail.gmail.com>
To: dnsop@ietf.org
Content-Type: multipart/alternative; boundary="0000000000000a1ce00600fe8667"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hgjXGYMxWnkdu5bgRr1Psr-Kw8c>
Subject: Re: [DNSOP] draft-dnsop-dnssec-extension-pkix
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2023 12:37:18 -0000

Hi! Victor, Mark and Paul,

Thank you so much for crucial comments and candid opinions.
We have been thinking about the downgrade attacks that you mentioned.
Right now, It is not easy to come up with a solution space for such attacks.
We agree that it is better to discuss this proposal (after addressing such
issues) in later meetings.
So we'd like to withdraw our presentation slot this time.

Thank you,

Hyeonmin and Taekyoung,


On Mon, Jul 17, 2023 at 7:38 PM <dnsop-request@ietf.org> wrote:

> Send DNSOP mailing list submissions to
>         dnsop@ietf.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://www.ietf.org/mailman/listinfo/dnsop
> or, via email, send a message with subject or body 'help' to
>         dnsop-request@ietf.org
>
> You can reach the person managing the list at
>         dnsop-owner@ietf.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of DNSOP digest..."
> Today's Topics:
>
>    1.  draft-dnsop-dnssec-extension-pkix on IETF117 dnsop agenda?
>       (Viktor Dukhovni)
>    2. Re:  draft-dnsop-dnssec-extension-pkix on IETF117 dnsop
>       agenda? (Viktor Dukhovni)
>    3. Re:  draft-dnsop-dnssec-extension-pkix on IETF117 dnsop
>       agenda? (Mark Andrews)
>    4. Re:  [Ext] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop
>       agenda? (Paul Hoffman)
>    5. Re:  Best Practices for Managing Existing Delegations When
>       Deleting a Domain or Host (Viktor Dukhovni)
>    6. Re:  Fwd: New Version Notification -
>       draft-ietf-dnsop-avoid-fragmentation-13.txt (Peter van Dijk)
>
>
>
> ---------- Forwarded message ----------
> From: Viktor Dukhovni <ietf-dane@dukhovni.org>
> To: dnsop-chairs@ietf.org
> Cc: dnsop@ietf.org
> Bcc:
> Date: Sun, 16 Jul 2023 15:06:35 -0400
> Subject: [DNSOP] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop agenda?
> I see that draft-dnsop-dnssec-extension-pkix is included on the IETF117
> dnsop agenda.
>
>     https://datatracker.ietf.org/doc/draft-dnsop-dnssec-extension-pkix/
>
> I haven't seen prior discussion of this item on the list, and,
> personally, rather suspect it unlikely to gain meaningful support from
> the WG and see adoption.
>
> Would it possible to defer discussion of this document to such time as
> some evidence of support emerges, and in the meantime use the timeslot
> for more realistically productive proposals?
>
> --
>     Viktor.
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Viktor Dukhovni <ietf-dane@dukhovni.org>
> To: dnsop@ietf.org
> Cc:
> Bcc:
> Date: Sun, 16 Jul 2023 15:53:12 -0400
> Subject: Re: [DNSOP] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop
> agenda?
> On Sun, Jul 16, 2023 at 03:06:35PM -0400, Viktor Dukhovni wrote:
> > I see that draft-dnsop-dnssec-extension-pkix is included on the IETF117
> dnsop agenda.
> >
> >     https://datatracker.ietf.org/doc/draft-dnsop-dnssec-extension-pkix/
> >
> > I haven't seen prior discussion of this item on the list, and,
> > personally, rather suspect it unlikely to gain meaningful support from
> > the WG and see adoption.
> >
> > Would it possible to defer discussion of this document to such time as
> > some evidence of support emerges, and in the meantime use the timeslot
> > for more realistically productive proposals?
>
> I should perhaps have stated the technical criteria on which I consider
> the proposal non-viable.  To whit:
>
>     - The proposed protocol lacks all downgrade resistance.
>     - Without a signed delegation from the parent, the existence of the
>       zone apex CERT MRs and associated RRSIGs is trivially denied  by
>       an on-path attacker.
>     - This protocol adds failure modes (CERTs and RRSIGs are available,
>       but don't match), without adding any security.
>
> Since the point of DNSSEC is to thwart active attacks, and the protocol
> in the proposed draft offers no such protection, I consider it
> non-viable.
>
> There are other substantial issues, but the above is sufficient to stop
> looking for more reasons why this is a dead-end.
>
> --
>     Viktor.
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Mark Andrews <marka@isc.org>
> To: dnsop <dnsop@ietf.org>
> Cc:
> Bcc:
> Date: Mon, 17 Jul 2023 09:47:35 +1000
> Subject: Re: [DNSOP] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop
> agenda?
>
>
> > On 17 Jul 2023, at 05:53, Viktor Dukhovni <ietf-dane@dukhovni.org>
> wrote:
> >
> > On Sun, Jul 16, 2023 at 03:06:35PM -0400, Viktor Dukhovni wrote:
> >> I see that draft-dnsop-dnssec-extension-pkix is included on the IETF117
> dnsop agenda.
> >>
> >>    https://datatracker.ietf.org/doc/draft-dnsop-dnssec-extension-pkix/
> >>
> >> I haven't seen prior discussion of this item on the list, and,
> >> personally, rather suspect it unlikely to gain meaningful support from
> >> the WG and see adoption.
> >>
> >> Would it possible to defer discussion of this document to such time as
> >> some evidence of support emerges, and in the meantime use the timeslot
> >> for more realistically productive proposals?
> >
> > I should perhaps have stated the technical criteria on which I consider
> > the proposal non-viable.  To whit:
> >
> >    - The proposed protocol lacks all downgrade resistance.
> >    - Without a signed delegation from the parent, the existence of the
> >      zone apex CERT MRs and associated RRSIGs is trivially denied  by
> >      an on-path attacker.
> >    - This protocol adds failure modes (CERTs and RRSIGs are available,
> >      but don't match), without adding any security.
> >
> > Since the point of DNSSEC is to thwart active attacks, and the protocol
> > in the proposed draft offers no such protection, I consider it
> > non-viable.
> >
> > There are other substantial issues, but the above is sufficient to stop
> > looking for more reasons why this is a dead-end.
> >
> > --
> >    Viktor.
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
>
> I concur.  This is a horribly flawed proposal.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Paul Hoffman <paul.hoffman@icann.org>
> To: "dnsop@ietf.org" <dnsop@ietf.org>
> Cc: "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>
> Bcc:
> Date: Sun, 16 Jul 2023 23:54:21 +0000
> Subject: Re: [DNSOP] [Ext] draft-dnsop-dnssec-extension-pkix on IETF117
> dnsop agenda?
> On Jul 16, 2023, at 12:06 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
> wrote:
> > Would it possible to defer discussion of this document to such time as
> > some evidence of support emerges, and in the meantime use the timeslot
> > for more realistically productive proposals?
>
> +1. The 15 minutes allocated to this draft would be better spent on longer
> mic lines for the other drafts that have a higher likelihood of adoption.
> Once this draft has more on-list discussion, if those of us who are
> skeptical are wrong, the discussion in Prague will be even more fruitful.
>
> --Paul Hoffman
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Viktor Dukhovni <ietf-dane@dukhovni.org>
> To: "dnsop@ietf.org" <dnsop@ietf.org>
> Cc:
> Bcc:
> Date: Sun, 16 Jul 2023 22:52:52 -0400
> Subject: Re: [DNSOP] Best Practices for Managing Existing Delegations When
> Deleting a Domain or Host
> On Tue, Jul 11, 2023 at 07:06:49PM +0000, Hollenbeck, Scott wrote:
>
> > https://datatracker.ietf.org/doc/draft-hollenbeck-regext-epp-delete-bcp/
> >
> > The draft includes descriptions of current known practices and
> > suggests that some should be avoided, some are candidates for "best",
> > and there are others that haven't been used that might also be
> > candidates for "best". The authors would like to learn if others agree
> > with our assessments and/or can suggest improvements.
>
> Thanks for reaching out, I'll do my best to share what I hope is a
> sensible perspective.  But first some followups to already posted
> feedback.
>
> On Tue, Jul 11, 2023 at 03:22:40PM -0700, Brian Dickson wrote:
>
> > For example, the registrar for the domain that is the parent of a host
> > entry, should be able to "disavow" a particular reference (delegation
> > to said host). It would be the responsibility of the other registrar
> > (for the domain being disavowed) to clean up the broken delegations.
> > This is basically giving authority to the DNS operator as a party to
> > the situation, even if only indirectly.
>
> Just checking the intent here, I think you're saying the "disavowal" is
> potentially a case-by-case option.  So that e.g. at the time that DNS
> service for a domain is discontinued, the DNS operator (perhaps via
> their registrar) should be able to break drop NS records from a
> *particular* delegation.
>
> This is an interesting proposal.  It reasonably aligns with the
> operational reality that it takes mutual agreement between two parties
> to provide working DNS for a domain that isn't self-hosted.
>
> In the DANE/DNSSEC survey, I am tracking almost ~350k zones (out of
> ~22.8M) with no SEP, roughly half of which are just lame delegations
> (the listed servers return "REFUSED"), but for various reasons it is
> difficult for the former DNS operator to get the delegations terminated.
>
> The chief difficulty here is that this does not work for "external"
> nameserver objects.  If we're really going to solve this problem, the
> solution should I think also work for the case when the nameserver and
> the client zone live in different registries.
>
> We need a protocol by which such disavowal can happen regardless of
> where the nameserver might be found.
>
> Of course if that's too difficult to solve in a timely manner, and we
> can reduce barriers in host object management within a registry, that's
> fine too, and the larger goal need not hold up progress on the more
> focused problem.
>
> > Maybe having the otherwise dangling or otherwise blocking references
> > converted to their respective in-bailiwick names might be a solution.
> E.g.
> > if domain2.example had an NS record pointing to ns1.domain1.example, and
> > domain1.example were deleted (or ns1.domain1.example were deleted),
> having
> > the reference converted (by whom??) to ns1.domain2.example would suffice.
> > But, that would also require picking a new IP address to use for the glue
> > for that (new) host object. It's a thorny problem, a real can of worms.
>
> In the most typical situation, the servers in question will have for
> some time already discontinued DNS service for the objects to be
> removed, and the dependent domain loses nothing (only gains!) from
> having the no longer willing nameservers deleted.
>
> Therefore, my take is that the delegation NS record should be simply
> removed from the dependent zone.  No renaming, or other steps to paper
> over the issue.  Subsequent replacement is up to the owner of the
> dependent zone.  Indeed if everything was done optimally, the dependent
> delegations would have proactively switched to working nameservers
> first.
>
> Now we do want to prevent accidents, and so deletion of host objects
> that are still used as nameservers by zones not being deleted should
> perhaps require some form of confirmation that some dependencies are
> being forcibly broken.  How to do that, and whether confirmation should
> actually require the requesting party to submit a second request, ...
> is user interface design that should be discussed with care.  I don't
> claim to have the right answer on how to balance safety vs. usability.
>
> > This means that unrelated glue records could point at the same IP
> > address, even if the host records are distinct with different owners.
> > First-to-register does not guarantee that the correct ownership could
> > be determined by creation time (i.e.  it's a race condition without a
> > stronger mechanism.)
>
> Explicit disavowal should be able to solve this too, if the IP addresses
> targetted can be reasonably safely (multiple samples over a period of
> time, or a confirmed request from the point of contact for the IP space,
> ...) determined to be refusing service for the disavowed zones.
>
> So my own position is that:
>
>     - The host object owner should be able to delete it at will, with
>       any friction solely to help avoid difficult to recover accidents,
>       rather than prevent the nameserver owner/operator from
>       discontinuing service.
>
>     - The dependent zones would then have the corresponding nameserver
>       entries deleted (not renamed, ...).
>
>     - Of course nameserver operators should have a communication channel
>       with contact persons the domains they serve, and should first prod
>       them to move to alternative arrangements when service is slated to
>       be discontinued.
>
>     - When a delegation is still listing stale nameservers, the
>       best-practice communication process has broken down somewhere
>       along the way, and we're no longer in the realm of
>       "best-practice".
>
>     - Disavowal of specific relationships, well short of removing the
>       host object for everyone is IMHO a good idea.  This should work
>       across, not just within, registries.  And should work for
>       IP-aliased servers.
>
>     - That is, a target nameserver whether by name or IP address should
>       be able within a reasonable timeframe to drop a delegation to
>       which it no longer consents.
>
> The last two items are of course more of a wish list for a future state
> than a current "best-practice".  The earlier items could be practicable
> today.
>
> --
>     Viktor.
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Peter van Dijk <peter.van.dijk@powerdns.com>
> To: dnsop <dnsop@ietf.org>
> Cc:
> Bcc:
> Date: Mon, 17 Jul 2023 12:28:07 +0200
> Subject: Re: [DNSOP] Fwd: New Version Notification -
> draft-ietf-dnsop-avoid-fragmentation-13.txt
> On Wed, 2023-07-05 at 18:51 -0400, Tim Wicinski wrote:
>
> All
>
> The authors of draft-ietf-dnsop-avoid-fragmentation worked with different
> implementers to expand upon the index of Known Implementations, and what
> they implement specifically.
>
> The chairs would like to have a one week follow up Working Group Last Call
> comment period. We are looking for substantive comments regarding the
> changes made, and if they are enough to address concerns raised.
>
>
> As Vladimir also said in his dnsdir review, this document is in way better
> shape than it was.
>
> I do see one obstacle.
>
> In section 3.1, the draft says:
>
> > 2. UDP responders are RECOMMENDED to set IP "Don't Fragment flag (DF)
> bit" [RFC0791 <https://www.rfc-editor.org/rfc/rfc791>] on IPv4.
>
> Then in Appendix D (Known Implementations), all implementations have
> indicated they do *not* set the DF bit. It seems wrong to RECOMMEND
> something, especially in a document targeted for BCP, that nobody is doing.
>
> This comment period will end Wednesday July 12, 2023.   If there
> are substantive comments raised, we can address these during the meeting.
>
> A friendly request: please indicate Last Calls in the Subject! I missed
> this one until now.
>
>
> Kind regards,
> --
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email