IETF Logo Mail Archive

Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements

Daniel Migault <mglt.ietf@gmail.com> Thu, 22 June 2023 20:27 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71701C15108E; Thu, 22 Jun 2023 13:27:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qsOjypWJbA9B; Thu, 22 Jun 2023 13:27:48 -0700 (PDT)
Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E4D8C14CE38; Thu, 22 Jun 2023 13:27:48 -0700 (PDT)
Received: by mail-pf1-x42c.google.com with SMTP id d2e1a72fcca58-668723729c5so3776889b3a.3; Thu, 22 Jun 2023 13:27:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1687465668; x=1690057668; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7U+dPGtFayHtwKxFB6qzlUiVpztZOpaGEo5ShLXRf5w=; b=gMnwl//oTn7EkNMHQFiIiu3zBbTdoNU6fw1ZDltp7citDrJOCP3YafoLLUIurAJKUV cah5BNZZCErhMr+bQbQwmaJfo5+x7lmsE8JDiRoM9fwvx+8YkVol+5k48cRP4QCsHDSz OID2tVe3Jla8zu79M42z6hlg7YNiDAtbxKy6mAUQaziCG8DHXBUxR5fW1iEeRTOPDipy K+8libuy7e0vunMk7oTP+j72BDLRNE1a+iSAkdC5P8/uCc81t5dyF7NbBdwFBPebOrcU Iu+v9FNnLpNdHLEO7qVqZL+gJpC5+z5hPdA40kfR4SOrYP5T3TJhQN/A2grzFKMYjVKq Rq1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687465668; x=1690057668; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7U+dPGtFayHtwKxFB6qzlUiVpztZOpaGEo5ShLXRf5w=; b=mEkBL7bgPbkoKdkTyb7nUqueGJT0zmi2jgYlfJhkbgdW4XIdxCjzlL6oMn9YKxRlM8 fzU0TYNnHMNvT15Tnw0M7T1UfslEmo1ZQb2qQ3IMi2q/4nWkXZ8UmHY0MSzPIcWTaDUJ icjPuQy40sIttz1930CCLD+V3nzHRhJEkHsQaD4x55JxoHLO3bmYB2/yx5hFivNkkXK0 zDU1hA8rlvPv1IixGqDByPeYx7Eel7EA3qsP0YKy0huzbs4J2opdpoah+d0cNvXvQJY8 ahG5+w8dF1/O8HegC9h8oXo+H78KXBoK8dbg/2MS/nHRoqK74Pgey+hl2XVItLARujlM UNaQ==
X-Gm-Message-State: AC+VfDzsydtPwt0W38DcHHs9mZYddlR9Oc+ShYL/RgEQ8I4lJ1jGqtf1 KoRBYtZueLItcMIhV/jzS58/kPxSW9JE8Kfj8potHIopmG3z+A==
X-Google-Smtp-Source: ACHHUZ41kWOTSHL0zEt9fBSjc9TKiLvS2e+3lPAf37Gpz8yd0CgRxFfZsembXB+VJaQmmCvAq935lDCKIwXZwdWh0To=
X-Received: by 2002:a05:6a21:328d:b0:121:faac:2442 with SMTP id yt13-20020a056a21328d00b00121faac2442mr11149679pzb.47.1687465667847; Thu, 22 Jun 2023 13:27:47 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+FBu991wu4ZEwKs9w-hGQfUR0oOGXruQv1BwX63NsNhBw@mail.gmail.com> <CADyWQ+EXXDkw_LfFm6w9OZjWunsgRchE-E3FVh38JO+QSGJ0cw@mail.gmail.com> <m1wn0fp405.fsf@narrans.de> <02c16402-5a4f-16c1-6c9f-9fc2b655fbfd@huitema.net> <CADZyTkmZWUrTgL4z6HWGCu=ysJ5qewMV1RJ2j4EysyBE=DqJEQ@mail.gmail.com>
In-Reply-To: <CADZyTkmZWUrTgL4z6HWGCu=ysJ5qewMV1RJ2j4EysyBE=DqJEQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Thu, 22 Jun 2023 16:27:36 -0400
Message-ID: <CADZyTk=xJQ61MVLDNsmW8gMny8HH0vbk0DURxDbA7G=6QXfPhA@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Cc: Florian Obser <florian+ietf@narrans.de>, Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b3ec6f05febdb73d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pNU2Mmi97wKLl_feszynb63MKco>
Subject: Re: [DNSOP] Current status of draft-ietf-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jun 2023 20:27:49 -0000

Hi,

I have just drafted a secure transport  and a security considerations
section, that I believe provide sufficient guidance to a DRO. I expect to
further review these sections and publish a new version very soon. As
always, comments are welcome.

https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/blob/master/draft-ietf-dnsop-dnssec-validator-requirements.mkd

Yours,
Daniel

On Thu, Jun 15, 2023 at 8:00 PM Daniel Migault <mglt.ietf@gmail.com> wrote:

> Hi Christina,
>
> Thanks for the review and the suggestions. Please see my comments inline.
>
> Yours,
> Daniel
>
> On Wed, Jun 14, 2023 at 11:56 AM Christian Huitema <huitema@huitema.net>
> wrote:
>
>> I know that the feedback was due last Sunday, but here comes mine
>> anyhow, after looking at the latest iteration of the draft.
>>
>> The draft makes a number of recommendations, which seem all reasonable,
>> but what struck me was the weak tie between these recommendations and
>> the security considerations.
>
> I agree that we should reconsider that section. My initial version of the
> security consideration section was in my opinion too long and I
> considered it as too repetitive with the main body. I then focused on the
> security where the DRO is the vector of attacks/vulnerabilities. I suppose
> I have been a bit too far in that direction and this is too limitative. I
> will reconsider this, and your comment on the threat model gives a good
> insight on what could be added. I agree that we should add some text on the
> threat models current and long term.
>
> What also strikes me is the absence of
>> any consideration relative to secure transports such as DoT or DoQ.
>>
> That is correct. This is something that we did not consider and probably
> have to mention. I think this will be a section on its own - and not a
> security consideration.
>
>>
>> I would love to see a document that addresses the future target, in
>> which secure transports are use in most or all transactions between stub
>> and recursive, or between recursive and authoritative. I think that in
>> such scenarios, the threat model changes quite a bit.
>>
>
>  I tend to think that future direction might be a bit beyond the scope of
> the document, but I do tend to think that a threat model discussion can be
> useful for an operator.
>
> In the old model, we are very concerned about third parties spoofing
>> responses and polluting resolver caches. In a secure transport model,
>> the only parties that can spoof responses are the resolvers themselves:
>> authoritative resolvers abusing their authority to add falsehoods in
>> additional sections, recursive resolvers abusing the client trust to
>> send false responses.
>>
>> I do think that DNSSEC is still useful, even in a secure transport
>> world. But the focus changes. For example, if we consider that "spoofing
>> by recursive server" is a threat, then having the recursive set bits to
>> affirm that the response is verified is not much of a protection -- the
>> emphasis should move to verification by the client. I would love to see
>> this discussed.
>>
>> I agree that would become useful in giving insight into what threat the
> DRO is addressing.
>
>
>> -- Christian Huitema
>>
>> On 6/7/2023 10:38 AM, Florian Obser wrote:
>> > On 2023-06-07 13:08 -04, Tim Wicinski <tjw.ietf@gmail.com> wrote:
>> >> Just a reminder we're looking for any feedback on continuing work on
>> this
>> >> document.  The Chairs/OverLord Warren feel significant work on this
>> >> document is needed, but that may not be relevant.
>> >
>> > The document seems to have a rather pessimistic view on running a
>> > validator. It has this huge list of things that an operator has to do
>> > and does not assign any importance to them - everything seems to be
>> > equally important.
>> >
>> > If I were to read this as the person responsible for running the
>> > recursive resolver at an enterprise or at an ISP I'd think: That sounds
>> > like effort and incredibly fragile, it's probably best to not enable
>> > validation.
>> >
>> > It would be nice to have an informational RFC on the topic, but I'm not
>> > convinced this is it. Maybe Andrew's suggestion to split this up is the
>> > way forward. Maybe have one document with minimum requirements (correct
>> > time, stuff like that) and take it from there.
>> >
>> >>
>> >> We're wrapping this feedback up this Sunday 11 June.
>> >>
>> >> (and Thanks Andrew for your comments)
>> >>
>> >> tim
>> >
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>
>
> --
> Daniel Migault
> Ericsson
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email