Re: [DNSOP] requesting WGLC for 5011-security-considerations

Matthijs Mekking <matthijs@pletterpet.nl> Thu, 20 July 2017 12:35 UTC

Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E98A129AC4 for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 05:35:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0V_AKqpdlCLC for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 05:35:06 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFFA3131C17 for <dnsop@ietf.org>; Thu, 20 Jul 2017 05:34:59 -0700 (PDT)
Received: from [IPv6:2001:981:19be:1:50bf:8888:2e7c:bc75] (unknown [IPv6:2001:981:19be:1:50bf:8888:2e7c:bc75]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id EDF47B5F7 for <dnsop@ietf.org>; Thu, 20 Jul 2017 14:34:57 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=pletterpet.nl
To: dnsop@ietf.org
References: <ybl4luqq05v.fsf@w7.hardakers.net>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <7d425067-84ff-2471-d39a-0c3a20c0116c@pletterpet.nl>
Date: Thu, 20 Jul 2017 14:34:56 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <ybl4luqq05v.fsf@w7.hardakers.net>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kxxe0ZLZjAjiCSQKTgjvkzZKbfQ>
Subject: Re: [DNSOP] requesting WGLC for 5011-security-considerations
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 12:35:13 -0000

Wes,

It's been a while since I have had a look at this draft, my apologies.

I don't think it is ready for WGLC because I am not convinced the math
is correct. Section 6 defines the waitTime:

     waitTime = addHoldDownTime
                + (DNSKEY RRSIG Signature Validity)
                + MAX(MIN((DNSKEY RRSIG Signature Validity) / 2,
                          MAX(original TTL of K_old DNSKEY RRSet) / 2,
                          15 days),
                      1 hour)
                + 2 * MAX(TTL of all records)

Which is the same as:

     waitTime = addHoldDownTime
                + (DNSKEY RRSIG Signature Validity)
                + queryInterval
                + 2 * MAX(TTL of all records)

but reads better.

This should be the same as Itrp as defined in RFC 7583:

      Itrp >= queryInterval + AddHoldDownTime + queryInterval

Basically these two differ at the following points:

1. Itrp does not include (DNSKEY RRSIG Signature Validity). It does
mention that the validator should not see a validly signed DNSKEY RRset
without the new key in that period. So adding (DNSKEY RRSIG Signature
Validity) is a good update.

2. waitTime only adds one queryInterval, while Itrp adds two. I believe
that to be safe on the publishing side, two queryIntervals are needed. RFC
7583 explains:

   A validator will treat it as a trust anchor the next
   time it retrieves the RRset, a process that can take up to another
   queryInterval (the third term).

3. waitTime adds two MAX(TTL of all records) (margin). The draft says
that it is probably not needed, and I agree, and that explains why it is
missing from the Itrp definition.

4. Both definitions (Itrp and waitTime) don't really take into
consideration the retryTime defined in RFC 5011. Perhaps that can be
used for defining the extra safety margin.

5. Itrp actually is defined with a modifiedQueryInterval which excludes
the RRSIG expiration interval. Now this is recognized to be the time
between inception and expiration of the RRSIG, I actually think it does
not need to be removed from the equation. So Itrp could have worked with
just queryInterval.

Given these points I think the correct definition of waitTime is:

     margin = 2 * MAX(TTL)

     waitTime = addHoldDownTime
                + signatureValidity(DNSKEY)
                + 2 * queryInterval
                + margin

I think slop needs to be separated and it should be documented that this
is a suggested value for the slop.

Furthermore, this document should also give guidance on the wait time
before a revoked DNSKEY can be removed from the zone:

     waitRemoveTime = signatureValidity(DNSKEY)
                + queryInterval
                + margin

This document should probably update RFC 7583 because it is giving a
better definition of Itrp and Irev.

For readability of the document I would like to suggest moving the
Attack example and breakdown to the Appendix.


Kind regards,
  Matthijs


On 05-07-17 19:11, Wes Hardaker wrote:
> 
> Folks,
> 
> We believe that the latest draft-rfc5011-security-considerations
> document is ready for WGLC, and would like the chairs to start that
> process unless anyone thinks it's not ready to go forward.  In
> particular, we believe all outstanding issues with it have been
> resolved.
> 
> Objections?
>
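The two waitTime definitions compared in the message above, worked through in code. This is an added example and not part of the thread or the draft; it implements the draft's section 6 expression (with the MAX/MIN term written out as queryInterval, as the message does), the proposed variant with two queryIntervals and a separate margin, and the suggested waitRemoveTime. The sample durations (30-day addHoldDownTime, signature validity, TTLs) are constructed inputs, not values from the draft.

```python
from datetime import timedelta

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)


def query_interval(sig_validity, max_dnskey_ttl):
    """RFC 5011 active-refresh interval as it appears inside the draft's
    waitTime: MAX(MIN(sigValidity/2, MAX(TTL of K_old DNSKEY)/2, 15 days), 1 hour).
    The 1 hour floor and 15 day cap are the edge cases worth checking."""
    return max(min(sig_validity / 2, max_dnskey_ttl / 2, 15 * DAY), HOUR)


def margin(max_ttl_all):
    """Suggested safety margin: 2 * MAX(TTL of all records)."""
    return 2 * max_ttl_all


def wait_time_draft(add_hold_down, sig_validity, max_dnskey_ttl, max_ttl_all):
    """waitTime as written in section 6 of the draft: one queryInterval."""
    return (add_hold_down
            + sig_validity
            + query_interval(sig_validity, max_dnskey_ttl)
            + margin(max_ttl_all))


def wait_time_proposed(add_hold_down, sig_validity, max_dnskey_ttl, max_ttl_all):
    """waitTime as proposed in the message: two queryIntervals, matching the
    Itrp structure of RFC 7583 (queryInterval + AddHoldDownTime + queryInterval)."""
    return (add_hold_down
            + sig_validity
            + 2 * query_interval(sig_validity, max_dnskey_ttl)
            + margin(max_ttl_all))


def wait_remove_time(sig_validity, max_dnskey_ttl, max_ttl_all):
    """Suggested wait before a revoked DNSKEY may be removed from the zone."""
    return (sig_validity
            + query_interval(sig_validity, max_dnskey_ttl)
            + margin(max_ttl_all))


def worked_example():
    """Constructed inputs: 30 day add hold-down (RFC 5011), 10 day DNSKEY RRSIG
    validity, 1 day DNSKEY TTL, 1 day maximum TTL across the zone."""
    add_hold_down = 30 * DAY
    sig_validity = 10 * DAY
    max_dnskey_ttl = 1 * DAY
    max_ttl_all = 1 * DAY
    draft = wait_time_draft(add_hold_down, sig_validity, max_dnskey_ttl, max_ttl_all)
    proposed = wait_time_proposed(add_hold_down, sig_validity, max_dnskey_ttl, max_ttl_all)
    remove = wait_remove_time(sig_validity, max_dnskey_ttl, max_ttl_all)
    # The proposed definition exceeds the draft's by exactly one queryInterval.
    assert proposed - draft == query_interval(sig_validity, max_dnskey_ttl)
    return draft, proposed, remove


if __name__ == "__main__":
    draft, proposed, remove = worked_example()
    print("waitTime (draft):   ", draft)
    print("waitTime (proposed):", proposed)
    print("waitRemoveTime:     ", remove)
```

With these inputs queryInterval is 12 hours (half the DNSKEY TTL), so the draft's waitTime comes to 42.5 days, the proposed one to 43 days, and waitRemoveTime to 12.5 days; the gap between the two waitTime values is the second queryInterval the message argues for.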