IETF Logo Mail Archive

[DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-ns-revalidation "Delegation Revalidation by DNS Resolvers"

Willem Toorop <willem@nlnetlabs.nl> Tue, 18 March 2025 15:01 UTC

Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id DF62CDFACD8 for <dnsop@mail2.ietf.org>; Tue, 18 Mar 2025 08:01:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gjs2PNbnKSff for <dnsop@mail2.ietf.org>; Tue, 18 Mar 2025 08:01:31 -0700 (PDT)
Received: from mout-b-202.mailbox.org (mout-b-202.mailbox.org [195.10.208.62]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1E8B8DFACCC for <dnsop@ietf.org>; Tue, 18 Mar 2025 08:01:31 -0700 (PDT)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:b231:465::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-202.mailbox.org (Postfix) with ESMTPS id 4ZHFRB1RMVzDrVn for <dnsop@ietf.org>; Tue, 18 Mar 2025 16:01:26 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nlnetlabs.nl; s=MBO0001; t=1742310086; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=1OhgvcibZWuf5vQzZETeL82WK2fKrev/VVfyWbRh7F0=; b=A64icFIe6vLPaB5OXIREL+UYkzkKau0o8PGcKXYq4RCCUl55XVmT16e1E5TYWiBpwkYcKj 6bvto0CvX6RI25zwyCS6J+oTVCTFnI3ocB1l742hN/L5BUoJNY1+IL55RttfJOCwzB46st WDmGAsVYFWvOWutYX5B+9MflaVwcOp0h24nnFlkvwNJOCpkPibHEtjFbe6citWkrRB53IM db6GnY0Iq1T6FZjwH9RSGUHCNO9Dr2kn6zUOJV7POo4twA00eXmf1gm9wkywIqWf+61Es6 sDQYgHdc2HKAoq8htEpgi1hP920zBZw5Uh8/XZg0CR60bBap4TIqRys54w21Ug==
Message-ID: <9c2ad9e4-881b-4835-bc4c-5b96ef0f2681@nlnetlabs.nl>
Date: Tue, 18 Mar 2025 16:01:24 +0100
MIME-Version: 1.0
To: dnsop@ietf.org
References: <CADyWQ+GHwYS3T=M+7655Ps5f-mJ7H3FfstDGvHsR_D=eHXf43g@mail.gmail.com> <SA1PR15MB43705D3DBC37FB92F3BA5714B3DF2@SA1PR15MB4370.namprd15.prod.outlook.com> <551bb4a8-f787-4caf-8615-c284203d7b7e@nic.cz> <CAHPuVdWwFGKE7QRHXP1Ru9geQdV+VY4-Z-AYgkhac7dQuB9cZw@mail.gmail.com> <6fa27e23-ec6d-4989-8068-aafb4925d1dd@nic.cz> <CAHPuVdUy1s9gaQyJ=GiqdxAPZwUc2-4HvQBCb77c-Zh5feAjvg@mail.gmail.com> <C5ABE18F-AB8B-4654-BF93-D660D4240446@fl1ger.de> <2a6088fb-3275-464d-bca1-92a4cbaa78aa@nlnetlabs.nl> <2b862da9-e428-47f3-9ecc-c55a4e589bac@desec.io> <a23915b8-3a28-417c-a709-ef3123c4a74d@nlnetlabs.nl> <bc9d2dba-9a9c-4fe5-a484-ace272836007@desec.io> <94da4d77-2904-43ba-9bcd-27e22e6a4604@nlnetlabs.nl> <a16dd152-b49e-4f89-a56a-1c5b4f3e8bb4@desec.io> <9ef0d670-0e54-4233-90d8-e36f42a236a4@nlnetlabs.nl> <161ff3cb-3261-4a63-8f75-122d2fcf7782@desec.io>
Content-Language: en-US
From: Willem Toorop <willem@nlnetlabs.nl>
Autocrypt: addr=willem@nlnetlabs.nl; keydata= xsFNBE1s81EBEACuJzGgccrmYEAzHc//vBq66gH7orM0GtKfQZHh4uR1FMxZXl07WevUYNuB ywTpinU9rpY1Q3S4w6QgNklgpsaHXmbOpyFjJ8FpllV8TRPiXiNrNxTpMnlb6InoszopX69t kBVHTP6cJkNgPx6R4BM0ARqEGQmOL8mAcoWyGVzbsamuGRaia54zs/kc3i9yiqEzRkoQmfwr 7sr49n7gOpmaqXvonOSiUvgEziep77emMcqVa/qZxR1r7KUq85qTNTqsQwl2cQdKS7WwOeuG 6ZIJmJ1bakriKzLBYF5xIHKSYJW0ZA20tNFrVKgTkEjiXvAJh4HlJEIi35tqa/IzWUJSc1ai nhBjxbwSl8BRq5aaPgwB+xXiDqY6BrQW1slvl5TF2A6Xr7JJ0rkH3EZgXxABAZ3WJ3RLwq1z 8jnNYj+UW/mSLsbOtgfOiBhFUXMZneHvVVvz6F6XAtyrejDl5sD2gnzm1VDfK6T6bvLtR7zr kWre0lpycDmgmUKgaEiXzfLvwT9RaWk8GdqU2GG+QOiwf+hT0peDieuodjMr59sUbx7GqVe/ 45rJBRSx+HCl2Jm7Th2Xr0kpStCd7ebVoEq9wpMyu+dM9wOTtibA9P3+9u4rAdimpAdQxEbh WbRNCng2EVhThbqRK3cTZLbtqKaWgAJqa/IQVpL9b5ps8Z4JVQARAQABzSNXaWxsZW0gVG9v cm9wIDx3aWxsZW1AbmxuZXRsYWJzLm5sPsLBjwQTAQIAOQIbIwYLCQgHAwIGFQgCCQoLBBYC AwECHgECF4AWIQTcNO5dskF7zBUeUQDl+PghL3ekmAUCXgm/sAAKCRDl+PghL3ekmLEOD/0W 50GFW5OfS/aZ3k7BfoBgSYEpgs3wUPxFCvkw4LsREcSLSdE9jFfIWh7sGiS1yP/kQGZr/yUn R58nAjGr9exyB90VsgEQqUlbks5nCqQZZrMcZRgHCB0IitYZqewBfl/GON/mqApTEQXgTJS7 0wi66828X7AyCA6kPgUfDl5V/zOE0GKm8ejNtKIIEnscNHUwpNpwTF/EegU6Fo6Ih4/bMvpg RytCgIi1tdmWETeyKjL7ASIGZL0kZkTfhQZV+V5NgToDnMFxPyndvv57Fip2mUSPkAAWRhgq ApL797C/KMpc1mCK43g6gD21KP01e5yz1BnSc09NJ7huLHYDFQKRBCfbUZuJe0KSibpRgmNE YaWT1sxByxqPbTmWDgvRXy4TGhkPm21wLqRACVmymd/KiFHdaB5NzWzrC5C0eWSCs2oziDuy Szf8/71sI8pNwjqBIp/8zA8ZI9AZrCkgzeuEeyKBcjW8O83iJkx2S9CC0KBrryvTi2QwitHX +WxJnGlOFNLQG4fp9/6EDuPUEKgmbqaiooCgDyU4aHYPFpUrHTc8aajahJ29wcXkWkIrm6rB mWzT/+05jyrrMl0HoSmZIqhwgtGHrWw+bnCxBZV2JOynDE0n+z4zh8N4rQ1vvCXu36CcR/62 YFTliLVKowkFtqO+om6DO8MBws/FoYnw/M7BTQRNbPNRARAApOziFbP3grro+2weP9wG0eYk InH0Gwc/x6hSN3iIFHtxaBNOC3U8YI0HMI8Yi5SJrzTx2rG7Uvw5aNCnBcMKNeoCJufSYIkx E41WzPEkqSNidkYoY6jxyDs6ZAFnIR3qqt/FV/93Acux1BMlnPP1sY7G5hUAC7Src8dbmAYV z6mnd43jurMYzESOygROP9yVrGOqKyiEbXf+GQ/o+8OgPs4504Z1BA/xvgZEEPqtn8Wowu/g LzTMOfMIfWsuk0ZCmV/VqfLTpZMCwMvh/qAQAsfrZMjE5fhTtbF668fHIpc4C4357H8y8XZr PXbhhtxYLu3V2pVbfKzbTMpp6Z6bJdIrFXpoyfgoFwkXcJ0zWgAFkPK+Iv16XtD/JDKWlkLo SXhCjBo8g4C7M50hzpy4zo9Na8ECtwpWBCFZ8myF94WZ+TGnP+FZz0rjTIKOZv6E9kivdFtd KxAi1RSQGo5Iwc2ugiBf4hpYyrd7vIwd0yqUqvSVTnaV8Ft8QKOV4H807grdIYkE/NOAu3N7 4uxbFIlChAxYq/ohLBCtbeuyZSOqBA2tIZE5fetHLw2+7Otq+zhrcWZ1SkchbDYp9jYzoCxf 0cEW5GyKaCoWNCblVupcDs20ckKcDVG+peWD+InnD4MSUeizHCMdL5Rt6MMaZVD4hOqWHf33 Wiw+NmrUjLUAEQEAAcLBdgQYAQIAIAIbDBYhBNw07l2yQXvMFR5RAOX4+CEvd6SYBQJeCb+w AAoJEOX4+CEvd6SYnQwQAKUN8F1N3G5rRgdyorRjX9+NEvZSn6sFAZZsngkO1fWny3z9PoGS 9n3OrKdqO2U9NdwvdWELyuFIv+3spd6Mn6DSYLSfqjg9i+YGC3AiQNoRR+VX1FWQ/TatFLpq +o1Lby04sWABhKic6pCxeCPXY2CzE7DSfUtMwBsPheK4JhpQNt6U4+7x24QIHbxcivpTq59V 7fZB8JpUgoN1k7DEAes9MEd1iOKM6ZucKgx1Q3elaS8DjRW7nJl+U9eaufa3BVt3+J3eL3Lr Q6ep4IDNEkQJoOwJytBzVQJcGkE0pdkSjO4jEocsNcQRVTahOazuYVUyYezqHDxUltAJqBux jnyyR2zZayDCoX82+UI0jtubwz1rFMqCdzID8n3PPn0AlmcHAsSNnCv4mIhI+tofc6bndNcu tJZMjoYA1MmEhgx1TStQptAQP/ZRNwV2TZFR20gwQWV1p/5R/GTlP3olNdC9Ojy0AmFMBLZb x7PI75HVJ2wtF8aq7vo2iltEM1k1zhl0Su5Ov/TEBq6JhqD5UzpqJPV6tTz76EEXfx58AxFh fVkytieLXCPI0kQTWfenexd9DUANCoa/TfYIEOi7YHJGYx/DpjfSPfThDxTGfWt0WaMILpOq +YTFA468fQW5xgeVvJlBNry4dT1XXgVbe/H+CN7q7C0Y1Ng11VOfO65X
In-Reply-To: <161ff3cb-3261-4a63-8f75-122d2fcf7782@desec.io>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------rNjl8qV7S50bavfCYHE99M6K"
X-Rspamd-Queue-Id: 4ZHFRB1RMVzDrVn
Message-ID-Hash: 3DWV5JYX3GAOUAJCQRL45XRQ4WFOFMKT
X-Message-ID-Hash: 3DWV5JYX3GAOUAJCQRL45XRQ4WFOFMKT
X-MailFrom: willem@nlnetlabs.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-ns-revalidation "Delegation Revalidation by DNS Resolvers"
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pRLRe-iHC-3EOwNjMdk2Ko0QUSI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Op 18-03-2025 om 08:20 schreef Peter Thomassen:
> On 3/18/25 12:39, Willem Toorop wrote:
>>>>> - For signed delegations, NS revalidation protects the privacy of 
>>>>> the actual query.
>>>> And in addition to that prevents all unsigned parts of the hijacked 
>>>> zone to be rewritten. For example if com is hijacked, unsigned 
>>>> zones like google.com can be redirected.
>>> First, .com is signed, so I'm not sure how you'd hijack it as a whole.
>> With an NS revalidating resolvers this is impossible, because the 
>> authoritative [child] side .com NS RRset is signed.
> Sure, the hijacker can't fake .com's apex NS RRset and have it 
> validate, so NS revalidation would catch a spoofed referral from the 
> root to .com.
>
> But, even with NS revalidation, the hijacker *can* fake unsigned 
> delegations within .com. This seems to be effectively the same as 
> injecting a proxy into the .com referral from the root, where the 
> proxy forwards secure responses unmodified and only fakes unsigned 
> delegations within .com.
Indeed the same effect. But a different method.
> An attacker who is in a position to do the former likely can also do 
> the latter.
Not necessarily. Some IPs are easier to hijack than others.
> Applying NS revalidation thus seems to make no difference with regards 
> to insecure delegation hijacking, even in signed zones.

It guarantees the referral responses are coming from the intended name 
servers IPs and thereby more likely to come from the intended name servers.

So yes, it protects against hijacked IPs on the internet, but not to an 
on path attacker inbetween the resolver and its connection to the internet.

-- Willem

>
> Best,
> Peter
>

v2.43.4 | Report a Bug | By Email | System Status