Re: [DNSOP] Validating responses when following unsigned CNAME chains...

Michael StJohns <msj@nthpermutation.com> Thu, 30 April 2020 00:01 UTC

To: dnsop@ietf.org
References: <1EA6A13C-6E60-4ED9-9A50-E33D9D17504C@fugue.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <129b0546-0123-30e0-cfca-8a66721ab046@nthpermutation.com>
Date: Wed, 29 Apr 2020 20:01:23 -0400
In-Reply-To: <1EA6A13C-6E60-4ED9-9A50-E33D9D17504C@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pCIcGEhszZJMLk1XtuFhuNOADB8>
Subject: Re: [DNSOP] Validating responses when following unsigned CNAME chains...

On 4/29/2020 5:50 PM, Ted Lemon wrote:
> Is there an RFC or draft that talks about what the right thing is to do when an unsigned CNAME points to a record in a signed zone?
>
> That is, suppose we are doing validation. The CNAME doesn’t validate, because it’s not signed. When we look up the record the CNAME points to, do we set the DO bit? Do we validate the answer? Or do we assume that because the CNAME isn’t signed, we don’t need to validate what it points to?
>
> I think the answer is that we validate, but I’m curious to know what others think of this.


See this chain: https://mailarchive.ietf.org/arch/msg/dnsext/_kxMmGeBUI8OW03tWlcgcCW9QlU/ (Yup - 12 years ago).

I don't think I ever managed to convince anyone this was a problem.

If you've got a validated CNAME that points into an unsecured zone, then your state is probably Unsecure (if you treat it similar to a secure delegation to an unsigned zone) or Unknown.

If you've got a securely insecure (e.g. delegation was to an insecure zone at some point) CNAME that points into a secure zone, I would say your result is probably Bogus or Unsecure as you haven't any way to evaluate trust. I don't think you can bootstrap security this way.

Mike
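As an added illustration of the two cases discussed above (not code from the thread or from any resolver), the following walks a CNAME chain over a constructed cache of already-validated RRsets and derives the state of the whole answer. It assumes the "weakest link wins" rule a validator applies (RFC 4035 terminology: Bogus dominates, then Insecure, then Secure), so an unsigned CNAME into a signed zone yields Insecure rather than Secure; the cache contents and names are constructed.

```python
from enum import IntEnum
from typing import Dict, List, Tuple

# Per-RRset validation outcome, ordered weakest to strongest (assumption:
# RFC 4035 §4.3 states, with "Indeterminate" for nothing-to-validate).
class State(IntEnum):
    BOGUS = 0
    INDETERMINATE = 1
    INSECURE = 2
    SECURE = 3

# (rdata, validation state) for one RRset; cache keyed by (owner, rrtype).
RRset = Tuple[List[str], State]
Cache = Dict[Tuple[str, str], RRset]

def follow_chain(cache: Cache, qname: str, qtype: str, max_hops: int = 8) -> State:
    """Security state of the complete answer for <qname, qtype>.

    Assumed rule: the answer is only as strong as its weakest RRset, so an
    Insecure CNAME cannot "bootstrap" a Secure answer from a signed target,
    and a Secure CNAME into an unsigned zone ends up Insecure as well.
    """
    overall = State.SECURE
    name = qname
    for _ in range(max_hops):
        if (name, qtype) in cache:            # reached the terminal RRset
            _, st = cache[(name, qtype)]
            return min(overall, st)
        if (name, "CNAME") in cache:          # follow one alias hop
            rdata, st = cache[(name, "CNAME")]
            overall = min(overall, st)
            name = rdata[0]
            continue
        return State.INDETERMINATE            # chain dead-ends: nothing validated
    return State.BOGUS                        # loop or excessively long chain

def ad_bit(state: State) -> bool:
    """AD may only be set when every RRset in the answer validated as Secure."""
    return state == State.SECURE

# Constructed cache (hypothetical names; 192.0.2.0/24 is documentation space).
CACHE: Cache = {
    ("www.example.test", "CNAME"):   (["host.signed.test"], State.INSECURE),
    ("host.signed.test", "A"):       (["192.0.2.10"], State.SECURE),
    ("alias.signed.test", "CNAME"):  (["srv.unsigned.test"], State.SECURE),
    ("srv.unsigned.test", "A"):      (["192.0.2.20"], State.INSECURE),
    ("direct.signed.test", "A"):     (["192.0.2.30"], State.SECURE),
    ("bad.signed.test", "CNAME"):    (["host.signed.test"], State.BOGUS),
    ("l1.test", "CNAME"):            (["l2.test"], State.SECURE),
    ("l2.test", "CNAME"):            (["l1.test"], State.SECURE),
}
```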