Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming
Stephane Bortzmeyer <bortzmeyer@nic.fr> Tue, 23 August 2016 10:33 UTC
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87FE712D918 for <dnsop@ietfa.amsl.com>; Tue, 23 Aug 2016 03:33:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.448
X-Spam-Level:
X-Spam-Status: No, score=-7.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.548] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XW2suFfSgaB6 for <dnsop@ietfa.amsl.com>; Tue, 23 Aug 2016 03:33:01 -0700 (PDT)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D55212D90C for <dnsop@ietf.org>; Tue, 23 Aug 2016 03:33:01 -0700 (PDT)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id AEB27280603; Tue, 23 Aug 2016 12:32:59 +0200 (CEST)
Received: from relay2.nic.fr (relay2.nic.fr [192.134.4.163]) by mx4.nic.fr (Postfix) with ESMTP id A96D3280109; Tue, 23 Aug 2016 12:32:59 +0200 (CEST)
Received: from b12.nic.fr (unknown [192.134.7.106]) by relay2.nic.fr (Postfix) with ESMTP id A7ACAB3800C; Tue, 23 Aug 2016 12:32:29 +0200 (CEST)
Received: by b12.nic.fr (Postfix, from userid 1000) id D57AA3FEF7; Tue, 23 Aug 2016 12:32:28 +0200 (CEST)
Date: Tue, 23 Aug 2016 12:32:28 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Tim Wicinski <tjw.ietf@gmail.com>
Message-ID: <20160823103228.jsgzpcfx34dmee7i@nic.fr>
References: <f8c62b82-258c-2b2b-5186-c3cd8e7d7448@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <f8c62b82-258c-2b2b-5186-c3cd8e7d7448@gmail.com>
X-Operating-System: Debian GNU/Linux stretch/sid
X-Kernel: Linux 4.6.0-1-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.6.2-neo (2016-07-23)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ok8nZR4PwuLfY6XoszNpcbkWTOY>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2016 10:33:03 -0000
On Thu, Aug 04, 2016 at 08:03:35PM -0400, Tim Wicinski <tjw.ietf@gmail.com> wrote a message of 27 lines which said: > This starts a Working Group Last Call for draft-ietf-dnsop-resolver-priming I know, it's too late (damned holidays) but I think the document is OK, I just suggest a few additions: Section 3.3: Replace the first two sentences by: The resolver MAY set the DNSSEC OK [RFC4033] bit. At the time this document is being published, there is little use to performing DNSSEC validation on the priming query. This is because all root name servers are under a separate zone, "root-servers.net" (delegated to the root name servers). The resolver will eventually need AAAA and A RRsets of the NS names in this zone. But the "root-servers.net" zone is not signed. So a man-in-the-middle attack on the priming query can result in malicious data in the responses. (it was proposed and explained in <https://mailarchive.ietf.org/arch/msg/dnsop/c09YZDWvSbcuNxQbDshICQdW5IE>) Same section 3.3, at the end, add: Note a validating resolver won't accept responses from rogue root name servers, if they are different from the real responses, since the resolver has a trust anchor for the root and the answers from the root are signed. So, if there is a man-in-the-middle attack on the priming query, the only result for a validating resolver will be a denial of service. Section 5, add a reference to section 3.3, after "DNSSEC". There is also a small contradiction between the abstract ("and the necessary address information for reaching the root servers") and section 4.1 ("There ___may be___ an Additional section with A and/or AAAA RRSets"). Two personal questions (I cannot find a discussion on these two points in the archive): Section 4.1 "There may be an Additional section with A and/or AAAA RRSets" There is no mention of what the resolver should do if this section is missing. Sending a query XXX.root-servers.net/AAAA to the same authoritative server used for the priming? Section 4.2 "a resolver SHOULD consider the address information found in the Additional section complete for any particular server that appears at all" Why this rule? (Most root name servers, when the advertised buffer is too small, sacrifice IPv6 addresses.)
- Re: [DNSOP] Working Group Last Call draft-ietf-d… Tim Wicinski
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… 神明達哉
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Marek Vavruša
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Warren Kumari
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Paul Hoffman
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Andreas Gustafsson
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Bob Harold
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Paul Hoffman
- Re: [DNSOP] Working Group Last Call draft-ietf-d… Shane Kerr
- [DNSOP] Working Group Last Call draft-ietf-dnsop… Tim Wicinski
- Re: [DNSOP] Working Group Last Call draft-ietf-d… Edward Lewis
- Re: [DNSOP] Working Group Last Call draft-ietf-d… Stephane Bortzmeyer