Re: [DNSOP] new dnsop related draft: RFC5011 security considerations
Matthijs Mekking <matthijs@pletterpet.nl> Wed, 03 August 2016 12:24 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 508CD12D197 for <dnsop@ietfa.amsl.com>; Wed, 3 Aug 2016 05:24:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lXpSjR9P4YFf for <dnsop@ietfa.amsl.com>; Wed, 3 Aug 2016 05:24:23 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C1F912D98E for <dnsop@ietf.org>; Wed, 3 Aug 2016 05:24:22 -0700 (PDT)
Received: by dicht.nlnetlabs.nl (Postfix, from userid 58) id D4E928AF7; Wed, 3 Aug 2016 14:24:19 +0200 (CEST)
Received: from [IPv6:2001:981:19be:1:ce4:ab61:ba1c:6288] (unknown [IPv6:2001:981:19be:1:ce4:ab61:ba1c:6288]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id 018338AF5 for <dnsop@ietf.org>; Wed, 3 Aug 2016 14:24:18 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=pletterpet.nl
To: dnsop@ietf.org
References: <0lfuqoqhd7.fsf@wjh.hardakers.net> <20160803135819.3421ce3f@pallas.home.time-travellers.org>
From: Matthijs Mekking <matthijs@pletterpet.nl>
X-Enigmail-Draft-Status: N1110
Message-ID: <c06d6704-b49d-c437-4b0d-1b000d61b554@pletterpet.nl>
Date: Wed, 03 Aug 2016 14:24:17 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <20160803135819.3421ce3f@pallas.home.time-travellers.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ixyowrUBb0dKioM6Hg0qK3j808g>
Subject: Re: [DNSOP] new dnsop related draft: RFC5011 security considerations
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2016 12:24:26 -0000
Shane, On 08/03/2016 01:58 PM, Shane Kerr wrote: > Wes, > > At 2016-08-01 15:00:52 -0700 > Wes Hardaker <wjhns1@hardakers.net> wrote: > >> The following draft, authored by Warren and I, might be of interest to >> the dnsop crowd: >> >> https://tools.ietf.org/html/draft-hardaker-rfc5011-security-considerations-00 >> >> [it currently does not have a home] > > Reading this document it basically seems like the hold-down timer is > actually a potential for mischief, rather than a good thing. There is > no mitigation recommended, right? I can't think of a fix that doesn't > involve protocol changes. > > My own feeling is that the hold-down timer is tricky operationally, and > adds no actual value. I'd support using your draft as the basis of a > proposal to deprecate the hold-down timer completely. The Add Hold-Down time adds value in the form of some mitigation against automated configuration of a compromised trust anchor in the resolver. While not waterproof, I don't think we should abandon the Add Hold-Down timer, although the long time may be somewhat of a burden and the outlined Denial of Service attack is to be taken serious. I would rather see a mitigation against the replay attack by for example adding a jitter to the Active Refresh, to make the query interval less predictable. Best regards, Matthijs > > Cheers, > > -- > Shane > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- Re: [DNSOP] new dnsop related draft: RFC5011 secu… Shane Kerr
- Re: [DNSOP] new dnsop related draft: RFC5011 secu… Matthijs Mekking
- Re: [DNSOP] new dnsop related draft: RFC5011 secu… Warren Kumari
- Re: [DNSOP] new dnsop related draft: RFC5011 secu… Michael StJohns
- Re: [DNSOP] new dnsop related draft: RFC5011 secu… Wes Hardaker
- Re: [DNSOP] new dnsop related draft: RFC5011 secu… Wes Hardaker
- Re: [DNSOP] new dnsop related draft: RFC5011 secu… Wes Hardaker
- Re: [DNSOP] new dnsop related draft: RFC5011 secu… Matthijs Mekking
- Re: [DNSOP] new dnsop related draft: RFC5011 secu… Matthijs Mekking
- Re: [DNSOP] new dnsop related draft: RFC5011 secu… Wes Hardaker
- Re: [DNSOP] new dnsop related draft: RFC5011 secu… Bob Harold
- Re: [DNSOP] new dnsop related draft: RFC5011 secu… Wessels, Duane
- [DNSOP] new dnsop related draft: RFC5011 security… Wes Hardaker