Re: [DNSOP] Working Group Last Call for Revised IANA Considerations for DNSSEC
Joe Abley <jabley@hopcount.ca> Thu, 12 August 2021 20:38 UTC
Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 418A33A48FD for <dnsop@ietfa.amsl.com>; Thu, 12 Aug 2021 13:38:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QuC8hKvVyfhr for <dnsop@ietfa.amsl.com>; Thu, 12 Aug 2021 13:38:44 -0700 (PDT)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F05653A23D7 for <dnsop@ietf.org>; Thu, 12 Aug 2021 13:38:43 -0700 (PDT)
Received: by mail-qt1-x82f.google.com with SMTP id l3so6374707qtk.10 for <dnsop@ietf.org>; Thu, 12 Aug 2021 13:38:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=xeTJ4v0Wfq6J7haYljuyZDPklcwhkf5+JDFiHyGoDRk=; b=jS1AlfSX/oFI+HRSfFgrqGCSd422yU/M/F0X4jvkhOxSqCeOoi0BzYv+bKDES8iig/ vCdp6SbwDL7C4VKBh06V6v66RyASOTSl0a+xzlkPl4jUvY2Ea5r9JS3eP4YHva3PQu4U 7CqeBOS3pKxOxpNFfhN1yJ0wAL/elVhcyqbr0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=xeTJ4v0Wfq6J7haYljuyZDPklcwhkf5+JDFiHyGoDRk=; b=pHO1ngXYrMCCnkz53oTlKDfaSIXeki1rho03+lyv+WLXNPCgudLehYq9xcXSNj1kKv 11L4R7G3yljrhEi8MWTUODfaxyBj4Q3UY5XNRj3JHe82xBQ3kztxXtnQgqIsv+KrQjg/ xvlyEsv0YsK72scZlnMpD722GoruMGvlrQqzmqAOchbOkWMZabY5S5Hkzw+9qnhwW95l OaCzQhp20dsTJEoWSVEQuy2xQXJOZFeWBAc1YVNfBUzYo55Z3SXeRJWMVEiJ5EdmqQ7L /9vDjIus5wQCvS8b1eGy7dFe0OlhuKG4IxYG88G4T4Se35gWf9Z52hjLqFnmuvd8q/FJ X4Zg==
X-Gm-Message-State: AOAM532/gFfhVg6Dqq1hpY5CJafMd2DXI7xxYkrmEwaMwIibF8WJygAF g3LpX9oXXsD8qZyB4CyKWEEblA==
X-Google-Smtp-Source: ABdhPJwH72shFeTxEZ0i01fxKZO0Sv3vKW9LbFBgHHRuhxAL4Xa0mYbaMfiLBsZvLk7gYQcPwdnvbg==
X-Received: by 2002:a05:622a:14ce:: with SMTP id u14mr5567592qtx.165.1628800721336; Thu, 12 Aug 2021 13:38:41 -0700 (PDT)
Received: from smtpclient.apple ([2607:f2c0:e784:c7:edcd:97c0:f2fa:9a14]) by smtp.gmail.com with ESMTPSA id f2sm1669342qth.11.2021.08.12.13.38.40 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 12 Aug 2021 13:38:40 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <48c1577-59f-5255-ac4-b8931d0d9b2@nohats.ca>
Date: Thu, 12 Aug 2021 16:38:39 -0400
Cc: Olafur Gudmundsson <ogud@ogud.com>, Tim WIcinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B0C03889-2B09-49CC-A88D-D3F33FAA6679@hopcount.ca>
References: <7216daac-3446-3481-a358-d1b11c92a2d@nohats.ca> <2A137295-D5FC-4FDA-9270-88FEF9A60265@hopcount.ca> <48c1577-59f-5255-ac4-b8931d0d9b2@nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mTAh6WvU4Lnt05yUiEWHd_EkRjE>
Subject: Re: [DNSOP] Working Group Last Call for Revised IANA Considerations for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Aug 2021 20:38:51 -0000
Hi Paul, On 12 Aug 2021, at 15:48, Paul Wouters <paul@nohats.ca> wrote: > On Thu, 12 Aug 2021, Joe Abley wrote: > >>> This would have been excellent to do when we did DS. It would still be >>> good to do this now, I agree. But it would be too late for some of the >>> things discussed now. >> >> Can you talk more about why you think so? > > I did a small presentation during IETF 111 DPRIVE. You can find the > presentation deck and the recording on the IETF site. Thanks, I will go and dig that out at some point. >> Support for novel interpretations of particular DS algorithms will require support on both the provisioning and consumer side. Is it really that much more work to specify new DS-like RRTypes? > > It does not neccessarilly require support on the provisioning side, as > it is "just another DS record" from the provisioning point of view > unless lawyers insisted the TLD somehow verifies the pubkey is > pre-published or in an algorithm they 'support' (allow). I think the set of acceptable algorithms is constrained sufficiently often by registries and registrars that it makes little sense to consider any other case. But you may have different use-cases in mind. >> There's truck-roll in both cases. Neither path is really going to make these features generally available any time soon. > > There is a huge difference between "support for a DS record with > unknown or unexpected content at the RRR level" and "change all > DNS and EPP software on the planet". The first one has like 1500 > actors. The second has millions or billions. I agree, but I don't think that observation is particularly helpful. My earlier point was that any mechanism that changes the implementation of a referral is going to need to be backwards compatible to validators and authoritative servers that don't support it. Truck roll is required not to maintain the integrity of the DNS, but to enable the new desired functionality. I think there's a lot of inertia on the provisioning side and no matter what mechanism is preferred. It might seem like accepting a new DS algorithm is much easier, but in practice it might also be that you only need a new RRType to be supported in two or three code bases before substantially all TLDs have support. My experience is that it can take years to have new algorithms supported by the RR machinery, regardless of how simple they are to express and consume in the DNS. It's always worth remembering that registry systems are not DNS systems; they are operated and constrained very differently. Without data I would suggest it's not especially helpful to predict which path is more rocky. On the resolver side, a very small handful of resolvers account for the bulk of the world's validation. But regardless of what critical mass you identify as important to establish, there's substantially the same weight of change required on the consumer side. Whether you special-case a DS hack or understand what to do with a new RRType received as part of a referral, you still need code changes. > And as I argued, even if we do this by overloading DS or NS, is that > overloading really something we need? As it is only required for > privacy to nameservers that are in-bailiwick to the domain, which in > itself is already pretty much a dead give away even when you only > can observe encrypted TLS traffic to an IP address of a well known > published nameserver. I certainly don't fully understand the degree of risk from subverting a resolver to send a query to a bogus authority server. I am not arguing for or against any kind of mechanism to mitigate unsigned glue. So I don't have any order of preference. However: > So my own order of preference is likely something like: > > 1) Forget about protecting in-bailiwick nameservers > 2) Do it securely using DS at parent > (only requires new code for validating nameservers that don't exist yet) I don't understand what the parenthetical comment here means. You're suggesting that existing validating resolvers that don't know how to interpret a weird algorithm in a DS RRSet received during a referral don't need to be changed? Joe
- [DNSOP] Working Group Last Call for Revised IANA … Tim Wicinski
- Re: [DNSOP] Working Group Last Call for Revised I… Donald Eastlake
- Re: [DNSOP] Working Group Last Call for Revised I… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for Revised I… Dmitry Belyavsky
- Re: [DNSOP] Working Group Last Call for Revised I… Dmitry Belyavsky
- Re: [DNSOP] Working Group Last Call for Revised I… Olafur Gudmundsson
- Re: [DNSOP] Working Group Last Call for Revised I… Paul Wouters
- Re: [DNSOP] Working Group Last Call for Revised I… Joe Abley
- Re: [DNSOP] Working Group Last Call for Revised I… Paul Wouters
- Re: [DNSOP] Working Group Last Call for Revised I… Joe Abley
- Re: [DNSOP] Working Group Last Call for Revised I… Paul Wouters
- Re: [DNSOP] Working Group Last Call for Revised I… Joe Abley
- Re: [DNSOP] Working Group Last Call for Revised I… Brian Dickson
- Re: [DNSOP] Working Group Last Call for Revised I… Murray S. Kucherawy
- Re: [DNSOP] [Ext] Working Group Last Call for Rev… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for Revised I… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for Revised I… Daniel Migault
- Re: [DNSOP] Working Group Last Call for Revised I… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for Revised I… Daniel Migault
- Re: [DNSOP] Working Group Last Call for Revised I… Daniel Migault
- Re: [DNSOP] Working Group Last Call for Revised I… Vladimír Čunát