[DNSOP] Re: Secdir early review of draft-ietf-dnsop-compact-denial-of-existence-04

Michael Sinatra <michael@brokendns.net> Wed, 31 July 2024 15:30 UTC

Message-ID: <7c4612cf-a1e8-47b1-b682-7bba9a0e7319@brokendns.net>
Date: Wed, 31 Jul 2024 08:30:30 -0700
To: Shumon Huque <shuque@gmail.com>
References: <172238346320.1988233.11549951810315868557@dt-datatracker-659f84ff76-9wqgv> <d62f53f0-fe73-4e35-84cb-ddda704a73eb@brokendns.net> <CAHPuVdXYqoKjeO18kXoud2YO6KO_FL=m2xSjqQ7QdwV2mLi8Qg@mail.gmail.com>
From: Michael Sinatra <michael@brokendns.net>
In-Reply-To: <CAHPuVdXYqoKjeO18kXoud2YO6KO_FL=m2xSjqQ7QdwV2mLi8Qg@mail.gmail.com>
CC: dnsop@ietf.org, bew.stds@gmail.com
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lvBYy-Us24gpTstYZ-txHajaJKM>


On 7/30/24 19:22, Shumon Huque wrote:
> Thank you Michael,
> 
> Your observation is certainly true. However, I want to point out that 
> inability to synthesize NXDOMAIN via aggressive negative caching applies 
> to any online signing scheme that uses minimally covering NSEC, not just 
> Compact DoE.

Yes, and you may want to add that to the text.  From an operator's 
perspective, this solves one set of security considerations, but they 
should be aware of the trade-offs when choosing a denial-of-existence 
mechanism.

> Your suggestion to explicitly mention the impact on mitigation of 
> certain classes of attacks sounds reasonable to me. We'll review the 
> proposed text in your PR.

Thanks.

> Are there good references we can cite for water torture and random subdomain
> attacks?

That's a tough one.  I'll review the lit again, but most of the 
references I have found online describe the circa-2014 style of attacks, 
but things have evolved (e.g. the names queried have evolved to not 
"look" random; there is much more effective leverage being applied by 
using both direct queries from botnets *and* indirect usage of public 
resolver services, etc.).  Someone posted some updated stuff to 
dns-operations@ about a year ago; I'll see what I can dig up and add it 
to the comments.

michael
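The trade-off discussed above, as an added illustration that is not part of the thread: a model of RFC 8198 aggressive negative caching over RFC 4034 canonical name ordering, first fed a conventional offline-signed NSEC chain, then a single cached Compact-DoE-style NSEC. The zone names are constructed, and the owner/next construction used for the minimal NSEC (owner = qname, next = \000.qname) is assumed for illustration; an RFC 4470 predecessor/successor pair behaves the same way.

```python
from __future__ import annotations

Name = list[bytes]  # wire-format labels, most specific first, root label omitted

def labels(name: str) -> Name:
    """'c7q.example.' -> [b'c7q', b'example']; ASCII labels only (enough for this demo)."""
    return [lab.encode() for lab in name.rstrip(".").split(".") if lab]

def canonical_key(name: Name) -> list[bytes]:
    # RFC 4034 s6.1 canonical ordering: compare from the rightmost label, uppercase folded
    # to lowercase, octet by octet; a missing octet sorts before 0x00.  Python's ordering
    # of a list of bytes objects has exactly these semantics.
    return [lab.lower() for lab in reversed(name)]

def nsec_covers(owner: Name, nxt: Name, qname: Name) -> bool:
    """True if qname lies strictly inside the span (owner, next) this NSEC proves empty."""
    o, n, q = (canonical_key(x) for x in (owner, nxt, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC of the zone wraps around to the apex

def can_synthesize_nxdomain(cache: list[tuple[Name, Name]], qname: Name) -> bool:
    """RFC 8198 aggressive use: answer NXDOMAIN from cache if any cached NSEC covers qname.
    (A real resolver also checks the zone cut and signature validity; omitted here.)"""
    return any(nsec_covers(o, n, qname) for o, n in cache)

def minimal_nsec(qname: Name) -> tuple[Name, Name]:
    # Compact DoE style (assumed for illustration): owner = qname, next = "\000.qname", the
    # immediate successor in canonical order, so no other name fits inside the span.
    return (qname, [b"\x00"] + qname)

def synthesized_count(cache: list[tuple[Name, Name]], qnames: list[Name]) -> int:
    return sum(can_synthesize_nxdomain(cache, q) for q in qnames)

# Constructed sample data: an offline-signed three-name zone vs. one cached Compact DoE NSEC
# learned from a single NXDOMAIN answer for c7q.example.
OFFLINE_CHAIN = [(labels("example"), labels("a.example")),
                 (labels("a.example"), labels("m.example")),
                 (labels("m.example"), labels("example"))]
COMPACT_CACHE = [minimal_nsec(labels("c7q.example"))]
PROBES = [labels(n) for n in ("c7r.example", "q0r.example", "x.c7q.example")]

if __name__ == "__main__":
    # With the offline chain every later nonexistent name is answered from cache (3 of 3);
    # with the minimal NSEC none is (0 of 3), so each one still reaches the authoritative.
    print("offline chain synthesizes:", synthesized_count(OFFLINE_CHAIN, PROBES))
    print("compact DoE synthesizes:  ", synthesized_count(COMPACT_CACHE, PROBES))
```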