Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements
Daniel Migault <mglt.ietf@gmail.com> Thu, 22 June 2023 20:27 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71701C15108E; Thu, 22 Jun 2023 13:27:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qsOjypWJbA9B; Thu, 22 Jun 2023 13:27:48 -0700 (PDT)
Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E4D8C14CE38; Thu, 22 Jun 2023 13:27:48 -0700 (PDT)
Received: by mail-pf1-x42c.google.com with SMTP id d2e1a72fcca58-668723729c5so3776889b3a.3; Thu, 22 Jun 2023 13:27:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1687465668; x=1690057668; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7U+dPGtFayHtwKxFB6qzlUiVpztZOpaGEo5ShLXRf5w=; b=gMnwl//oTn7EkNMHQFiIiu3zBbTdoNU6fw1ZDltp7citDrJOCP3YafoLLUIurAJKUV cah5BNZZCErhMr+bQbQwmaJfo5+x7lmsE8JDiRoM9fwvx+8YkVol+5k48cRP4QCsHDSz OID2tVe3Jla8zu79M42z6hlg7YNiDAtbxKy6mAUQaziCG8DHXBUxR5fW1iEeRTOPDipy K+8libuy7e0vunMk7oTP+j72BDLRNE1a+iSAkdC5P8/uCc81t5dyF7NbBdwFBPebOrcU Iu+v9FNnLpNdHLEO7qVqZL+gJpC5+z5hPdA40kfR4SOrYP5T3TJhQN/A2grzFKMYjVKq Rq1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687465668; x=1690057668; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7U+dPGtFayHtwKxFB6qzlUiVpztZOpaGEo5ShLXRf5w=; b=mEkBL7bgPbkoKdkTyb7nUqueGJT0zmi2jgYlfJhkbgdW4XIdxCjzlL6oMn9YKxRlM8 fzU0TYNnHMNvT15Tnw0M7T1UfslEmo1ZQb2qQ3IMi2q/4nWkXZ8UmHY0MSzPIcWTaDUJ icjPuQy40sIttz1930CCLD+V3nzHRhJEkHsQaD4x55JxoHLO3bmYB2/yx5hFivNkkXK0 zDU1hA8rlvPv1IixGqDByPeYx7Eel7EA3qsP0YKy0huzbs4J2opdpoah+d0cNvXvQJY8 ahG5+w8dF1/O8HegC9h8oXo+H78KXBoK8dbg/2MS/nHRoqK74Pgey+hl2XVItLARujlM UNaQ==
X-Gm-Message-State: AC+VfDzsydtPwt0W38DcHHs9mZYddlR9Oc+ShYL/RgEQ8I4lJ1jGqtf1 KoRBYtZueLItcMIhV/jzS58/kPxSW9JE8Kfj8potHIopmG3z+A==
X-Google-Smtp-Source: ACHHUZ41kWOTSHL0zEt9fBSjc9TKiLvS2e+3lPAf37Gpz8yd0CgRxFfZsembXB+VJaQmmCvAq935lDCKIwXZwdWh0To=
X-Received: by 2002:a05:6a21:328d:b0:121:faac:2442 with SMTP id yt13-20020a056a21328d00b00121faac2442mr11149679pzb.47.1687465667847; Thu, 22 Jun 2023 13:27:47 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+FBu991wu4ZEwKs9w-hGQfUR0oOGXruQv1BwX63NsNhBw@mail.gmail.com> <CADyWQ+EXXDkw_LfFm6w9OZjWunsgRchE-E3FVh38JO+QSGJ0cw@mail.gmail.com> <m1wn0fp405.fsf@narrans.de> <02c16402-5a4f-16c1-6c9f-9fc2b655fbfd@huitema.net> <CADZyTkmZWUrTgL4z6HWGCu=ysJ5qewMV1RJ2j4EysyBE=DqJEQ@mail.gmail.com>
In-Reply-To: <CADZyTkmZWUrTgL4z6HWGCu=ysJ5qewMV1RJ2j4EysyBE=DqJEQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Thu, 22 Jun 2023 16:27:36 -0400
Message-ID: <CADZyTk=xJQ61MVLDNsmW8gMny8HH0vbk0DURxDbA7G=6QXfPhA@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Cc: Florian Obser <florian+ietf@narrans.de>, Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b3ec6f05febdb73d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pNU2Mmi97wKLl_feszynb63MKco>
Subject: Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jun 2023 20:27:49 -0000
Hi, I have just drafted a secure transport and a security considerations section, that I believe provide sufficient guidance to a DRO. I expect to further review these sections and publish a new version very soon. As always, comments are welcome. https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/blob/master/draft-ietf-dnsop-dnssec-validator-requirements.mkd Yours, Daniel On Thu, Jun 15, 2023 at 8:00 PM Daniel Migault <mglt.ietf@gmail.com> wrote: > Hi Christina, > > Thanks for the review and the suggestions. Please see my comments inline. > > Yours, > Daniel > > On Wed, Jun 14, 2023 at 11:56 AM Christian Huitema <huitema@huitema.net> > wrote: > >> I know that the feedback was due last Sunday, but here comes mine >> anyhow, after looking at the latest iteration of the draft. >> >> The draft makes a number of recommendations, which seem all reasonable, >> but what struck me was the weak tie between these recommendations and >> the security considerations. > > I agree that we should reconsider that section. My initial version of the > security consideration section was in my opinion too long and I > considered it as too repetitive with the main body. I then focused on the > security where the DRO is the vector of attacks/vulnerabilities. I suppose > I have been a bit too far in that direction and this is too limitative. I > will reconsider this, and your comment on the threat model gives a good > insight on what could be added. I agree that we should add some text on the > threat models current and long term. > > What also strikes me is the absence of >> any consideration relative to secure transports such as DoT or DoQ. >> > That is correct. This is something that we did not consider and probably > have to mention. I think this will be a section on its own - and not a > security consideration. > >> >> I would love to see a document that addresses the future target, in >> which secure transports are use in most or all transactions between stub >> and recursive, or between recursive and authoritative. I think that in >> such scenarios, the threat model changes quite a bit. >> > > I tend to think that future direction might be a bit beyond the scope of > the document, but I do tend to think that a threat model discussion can be > useful for an operator. > > In the old model, we are very concerned about third parties spoofing >> responses and polluting resolver caches. In a secure transport model, >> the only parties that can spoof responses are the resolvers themselves: >> authoritative resolvers abusing their authority to add falsehoods in >> additional sections, recursive resolvers abusing the client trust to >> send false responses. >> >> I do think that DNSSEC is still useful, even in a secure transport >> world. But the focus changes. For example, if we consider that "spoofing >> by recursive server" is a threat, then having the recursive set bits to >> affirm that the response is verified is not much of a protection -- the >> emphasis should move to verification by the client. I would love to see >> this discussed. >> >> I agree that would become useful in giving insight into what threat the > DRO is addressing. > > >> -- Christian Huitema >> >> On 6/7/2023 10:38 AM, Florian Obser wrote: >> > On 2023-06-07 13:08 -04, Tim Wicinski <tjw.ietf@gmail.com> wrote: >> >> Just a reminder we're looking for any feedback on continuing work on >> this >> >> document. The Chairs/OverLord Warren feel significant work on this >> >> document is needed, but that may not be relevant. >> > >> > The document seems to have a rather pessimistic view on running a >> > validator. It has this huge list of things that an operator has to do >> > and does not assign any importance to them - everything seems to be >> > equally important. >> > >> > If I were to read this as the person responsible for running the >> > recursive resolver at an enterprise or at an ISP I'd think: That sounds >> > like effort and incredibly fragile, it's probably best to not enable >> > validation. >> > >> > It would be nice to have an informational RFC on the topic, but I'm not >> > convinced this is it. Maybe Andrew's suggestion to split this up is the >> > way forward. Maybe have one document with minimum requirements (correct >> > time, stuff like that) and take it from there. >> > >> >> >> >> We're wrapping this feedback up this Sunday 11 June. >> >> >> >> (and Thanks Andrew for your comments) >> >> >> >> tim >> > >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop >> > > > -- > Daniel Migault > Ericsson > -- Daniel Migault Ericsson
- [DNSOP] Current status of draft-ietf-dnsop-dnssec… Tim Wicinski
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Andrew McConachie
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Tim Wicinski
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Florian Obser
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Christian Huitema
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Peter Thomassen
- Re: [DNSOP] [EXT] Re: Current status of draft-iet… Jacques Latour
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Viktor Dukhovni
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Peter Thomassen
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Daniel Migault
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Daniel Migault
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Daniel Migault
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Daniel Migault
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Daniel Migault
- Re: [DNSOP] Current status of draft-ietf-dnsop-dn… Tim Wicinski