Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

Mark Andrews <marka@isc.org> Mon, 10 July 2017 22:41 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79645131846 for <dnsop@ietfa.amsl.com>; Mon, 10 Jul 2017 15:41:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19p56qwkHL2P for <dnsop@ietfa.amsl.com>; Mon, 10 Jul 2017 15:41:11 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43269127180 for <dnsop@ietf.org>; Mon, 10 Jul 2017 15:41:11 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.ams1.isc.org (Postfix) with ESMTPS id EBFDB24AE15; Mon, 10 Jul 2017 22:41:00 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id F413B160041; Mon, 10 Jul 2017 22:41:04 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id DCCAA16006E; Mon, 10 Jul 2017 22:41:04 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id FhPkSZgJqSOP; Mon, 10 Jul 2017 22:41:04 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 34D9E160041; Mon, 10 Jul 2017 22:41:04 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id EDB357E3CB92; Tue, 11 Jul 2017 08:41:02 +1000 (AEST)
To: Shumon Huque <shuque@gmail.com>
Cc: Paul Wouters <paul@nohats.ca>, Bob Harold <rharolde@umich.edu>, "dnsop@ietf.org WG" <dnsop@ietf.org>
From: Mark Andrews <marka@isc.org>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CA+nkc8BiSMSNqa9FifNAqWiZuf7prVjD6EKSnbFjq_EWi8kSoA@mail.gmail.com> <CAHPuVdVWi-4nQeoBuyKe7f81mieVpznFwd25Nb5at6t-JpYzUA@mail.gmail.com> <CAHPuVdUnUhfVtvgBWbyXD1fWjz04QMKp59Ar1HNonmAkJeLj6A@mail.gmail.com> <alpine.LRH.2.21.1707101641220.31889@bofh.nohats.ca> <CAHPuVdVFyFrXxmpJg-hO0Wv_SD9FMpzYZjWtGFZeZA-9hFQaiA@mail.gmail.com>
In-reply-to: Your message of "Mon, 10 Jul 2017 17:59:18 -0400." <CAHPuVdVFyFrXxmpJg-hO0Wv_SD9FMpzYZjWtGFZeZA-9hFQaiA@mail.gmail.com>
Date: Tue, 11 Jul 2017 08:41:02 +1000
Message-Id: <20170710224102.EDB357E3CB92@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pqQJNFNSgzj__8uxlxGYvIpZXOI>
Subject: Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2017 22:41:14 -0000

In message <CAHPuVdVFyFrXxmpJg-hO0Wv_SD9FMpzYZjWtGFZeZA-9hFQaiA@mail.gmail.com>om>, Shumon 
Huque writes:
> On Mon, Jul 10, 2017 at 5:00 PM, Paul Wouters <paul@nohats.ca> wrote:
> 
> > On Mon, 10 Jul 2017, Shumon Huque wrote:
> >
> > We've posted a new draft on algorithm negotiation which we're hoping
> >> to discuss at IETF99 (and on list of course). I've discussed this
> >> topic with several folks at DNS-OARC recently.
> >>
> >>     https://tools.ietf.org/html/draft-huque-dnssec-alg-nego-00
> >>
> >
> > I'm not a fan :)
> >
> >         This means that DNS servers have to send responses with signatures
> > of
> >         all algorithms that the requested data are signed with, which can
> >         result in significantly large responses.
> >
> > This seems to be a pretty small use case. And it is the only one
> > mentioned in the introduction. It only affects zones that are in
> > algorithm rollover, unless you want to run zones that permanently sign
> > using multiple algorithms, but that's not a use case mentioned.
> >
> 
> Perhaps we didn't explain it clearly enough, so let me give you a concrete
> example:
> 
> My zone is currently signed with 2048-bit RSASHA256. I want to offer
> signatures with Ed448 (or some other new algorithm) also, so that newer
> validators can take advantage of it. However, I want to be able to continue
> to support the current population of validators that don't support Ed448
> until a sufficient amount of time has passed where they have all been
> upgraded - this could be some number of years.

It will take a number of years.
 
> I also don't want to double sign the zone and return multiple signatures in
> the responses, because they might be fragmented and cause timeouts and
> retransmissions at the client (validator) end. I could truncate those
> responses and prompt them to re-query over TCP, but then again I have
> caused an unnecessary failed roundtrip and have incurred additional
> processing costs associated with TCP, and maybe I haven't scaled up my
> authoritative infrastructure sufficiently to deal with that.

Just send the large UDP messages up to the advertised EDNS UDP size.
Just make sure that your end correctly handles ICMP PTB messages
and doesn't have stupid firewall rules (or othe equipement) that
drop your fragmented replies.  If your equipement can't handle ICMP
PTB, fragment at sizes that won't generate PTB responses / don't
set DF on the packets and set your TCP segment sizes so that they
won't generate ICMP PTB.  Let the other end deal with their
broken/misconfigured equipment.  Its not your job to get the answers
through their broken equipement.  All you are doing is penalising
those that have working equipement by forcing them to use TCP when
UDP would be sufficient.  All that does is shift packet size issues
to TCP.  Slow validation will get them to fix their equipement.

> I also don't want to deploy only Ed448 and cause my zone to be instantly
> treated as unsigned by the vast majority of resolvers. Obviously, because
> I've nullified the security benefit of DNSSEC, but also because I have
> application security protocols, like DANE, that critically depend on DNSSEC
> authentication, for which this would pose a grave security risk.

For some reason there is this insane rush to use Ed448 before even
the major crypto providors have shipped releases which support it.
Get support into major packages then use it in production.  Yes,
we are working on adding it to BIND.  Name servers get upgraded.

> So the goal is not to have them "permanently" signed with multiple
> algorithms, but for a defined transition period, which may not be very
> short. At that point, the older algorithm would be withdrawn -- so
> algorithm rollover, but over an extended period.
> 
> For any caching nameserver with multiple clients, there will be no gain
> > for the next 10 years, as it only takes 1 old client not using this
> > option to cause the caching nameserver to refetch (adding more bandwidth
> > usage)
> >
> > You explain all this is vulnerable to a downgrade attack. And the
> > clients SHOULD (not MUST?) check the algorithms used in the DNSKEY
> > RRset.
> 
> 
> Yes, that should have been a MUST (I made a note of that already for the
> next revision).
> 
> 
> > Since you need to survive the DNSEY RRset size, most of the introduction
> > explaining how this is to survive packet size matters at all, you still
> > need to survive it.
> >
> 
> Of course there are initial costs. The goal is longer term - the benefits
> will increase with more adoption over time. There will be a lot of large
> responses initially, which will decrease over time.
> 
> 
> > I don't think response size during a KSK algorithm roll is an issue that
> > needs fixing.
> >
> > Can there be 'pre-pubished' DNSKEY's that are not used for signing yet, to
> >>> would not be available for response signatures?
> >>>
> >>
> > Very good question Yes, there certainly can be. If the pre-published key's
> >> algorithm is higher strength than the others, then it could cause the
> >> resolver to
> >> mistakenly deduce an algorithm downgrade attack might be in progress. I
> >> think this
> >> argues that we really do need the new zone apex (active) algorithms list
> >> record -
> >> which we already were thinking of proposing - in the last paragraph of
> >> Section 7.
> >>
> >
> > One would hope zones are migrated from "strong" to "even stronger"
> > algorithms, and not from "weak" to "strong enough", so I don't think
> > algorithm downgrade is ever an issue.
> >
> 
> Really? RSA1024 is still widely deployed, and is frequently why DNSSEC is
> the butt of jokes in the larger security community.
 
Which is solved by not allowing key generators to generate small keys.  This
isn't a algorithm roll issue.

> > This draft gives me a feeling it is really about something else, keeping
> > long term dual signed zones out there. I don't think that we should
> > aim for that to become commonplace.
> 
> See the first example I gave. We're not trying to surreptitiously sneak in
> a use case.
> 
> -- 
> Shumon Huque
> 
> --f403045dd5b0d7d11d0553fdb193
> Content-Type: text/html; charset="UTF-8"
> Content-Transfer-Encoding: quoted-printable
> 
> <div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">On M=
> on, Jul 10, 2017 at 5:00 PM, Paul Wouters <span dir=3D"ltr">&lt;<a href=3D"=
> mailto:paul@nohats.ca" target=3D"_blank">paul@nohats.ca</a>&gt;</span> wrot=
> e:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-l=
> eft:1px #ccc solid;padding-left:1ex"><span class=3D"">On Mon, 10 Jul 2017, =
> Shumon Huque wrote:<br>
> <br>
> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
> x #ccc solid;padding-left:1ex">
> We&#39;ve posted a new draft on algorithm negotiation which we&#39;re hopin=
> g<br>
> to discuss at IETF99 (and on list of course). I&#39;ve discussed this<br>
> topic with several folks at DNS-OARC recently.<br>
> <br>
> =C2=A0 =C2=A0 <a href=3D"https://tools.ietf.org/html/draft-huque-dnssec-alg=
> -nego-00" rel=3D"noreferrer" target=3D"_blank">https://tools.ietf.org/html/=
> dr<wbr>aft-huque-dnssec-alg-nego-00</a><br>
> </blockquote>
> <br></span>
> I&#39;m not a fan :)<br>
> <br>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 This means that DNS servers have to send respon=
> ses with signatures of<br>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 all algorithms that the requested data are sign=
> ed with, which can<br>
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 result in significantly large responses.<br>
> <br>
> This seems to be a pretty small use case. And it is the only one<br>
> mentioned in the introduction. It only affects zones that are in<br>
> algorithm rollover, unless you want to run zones that permanently sign<br>
> using multiple algorithms, but that&#39;s not a use case mentioned.<br></bl=
> ockquote><div><br></div><div>Perhaps we didn&#39;t explain it clearly enoug=
> h, so let me give you a concrete example:</div><div><br></div><div>My zone =
> is currently signed with 2048-bit RSASHA256. I want to offer signatures wit=
> h Ed448 (or some other new algorithm) also, so that newer validators can ta=
> ke advantage of it. However, I want to be able to continue to support the c=
> urrent population of validators that don&#39;t support Ed448 until a suffic=
> ient amount of time has passed where they have all been upgraded - this cou=
> ld be some number of years.</div><div><br></div><div>I also don&#39;t want =
> to double sign the zone and return multiple signatures in the responses, be=
> cause they might be fragmented and cause timeouts and retransmissions at th=
> e client (validator) end. I could truncate those responses and prompt them =
> to re-query over TCP, but then again I have caused an unnecessary failed ro=
> undtrip and have incurred additional processing costs associated with TCP, =
> and maybe I haven&#39;t scaled up my authoritative infrastructure sufficien=
> tly to deal with that.</div><div><br></div><div>I also don&#39;t want to de=
> ploy only Ed448 and cause my zone to be instantly treated as unsigned by th=
> e vast majority of resolvers. Obviously, because I&#39;ve nullified the sec=
> urity benefit of DNSSEC, but also because I have application security proto=
> cols, like DANE, that critically depend on DNSSEC authentication, for which=
>  this would pose a grave security risk.</div><div><br></div><div>So the goa=
> l is not to have them &quot;permanently&quot; signed with multiple algorith=
> ms, but for a defined transition period, which may not be very short. At th=
> at point, the older algorithm would be withdrawn -- so algorithm rollover, =
> but over an extended period.</div><div><br></div><blockquote class=3D"gmail=
> _quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:=
> 1ex">
> For any caching nameserver with multiple clients, there will be no gain<br>
> for the next 10 years, as it only takes 1 old client not using this<br>
> option to cause the caching nameserver to refetch (adding more bandwidth<br=
> >
> usage)<br>
> <br>
> You explain all this is vulnerable to a downgrade attack. And the<br>
> clients SHOULD (not MUST?) check the algorithms used in the DNSKEY<br>
> RRset. </blockquote><div><br></div><div>Yes, that should have been a MUST (=
> I made a note of that already for the next revision).</div><div>=C2=A0</div=
> ><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1=
> px #ccc solid;padding-left:1ex">
> Since you need to survive the DNSEY RRset size, most of the introduction<br=
> >
> explaining how this is to survive packet size matters at all, you still<br>
> need to survive it.<br></blockquote><div><br></div><div>Of course there are=
>  initial costs. The goal is longer term - the benefits will increase with m=
> ore adoption over time. There will be a lot of large responses initially, w=
> hich will decrease over time.</div><div>=C2=A0</div><blockquote class=3D"gm=
> ail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-le=
> ft:1ex">
> I don&#39;t think response size during a KSK algorithm roll is an issue tha=
> t<br>
> needs fixing.<span class=3D""><br>
> <br>
> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
> x #ccc solid;padding-left:1ex"><blockquote class=3D"gmail_quote" style=3D"m=
> argin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
> Can there be &#39;pre-pubished&#39; DNSKEY&#39;s that are not used for sign=
> ing yet, to<br>
> would not be available for response signatures?<br>
> </blockquote></blockquote>
> <br>
> </span><span class=3D""><blockquote class=3D"gmail_quote" style=3D"margin:0=
>  0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
> Very good question Yes, there certainly can be. If the pre-published key&#3=
> 9;s<br>
> algorithm is higher strength than the others, then it could cause the resol=
> ver to<br>
> mistakenly deduce an algorithm downgrade attack might be in progress. I thi=
> nk this<br>
> argues that we really do need the new zone apex (active) algorithms list re=
> cord -<br>
> which we already were thinking of proposing - in the last paragraph of Sect=
> ion 7.<br>
> </blockquote>
> <br></span>
> One would hope zones are migrated from &quot;strong&quot; to &quot;even str=
> onger&quot;<br>
> algorithms, and not from &quot;weak&quot; to &quot;strong enough&quot;, so =
> I don&#39;t think<br>
> algorithm downgrade is ever an issue.<br></blockquote><div><br></div><div>R=
> eally? RSA1024 is still widely deployed, and is frequently why DNSSEC is th=
> e butt of jokes in the larger security community.</div><div>=C2=A0</div><bl=
> ockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #=
> ccc solid;padding-left:1ex">
> <br>
> This draft gives me a feeling it is really about something else, keeping<br=
> >
> long term dual signed zones out there. I don&#39;t think that we should<br>
> aim for that to become commonplace.</blockquote><div><br></div><div>See the=
>  first example I gave. We&#39;re not trying to surreptitiously sneak in a u=
> se case.=C2=A0</div><div><br></div><div>--=C2=A0</div><div>Shumon Huque</di=
> v><div><br></div></div></div></div>
> 
> --f403045dd5b0d7d11d0553fdb193--
> 
> 
> --===============7925457567352458756==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> 
> --===============7925457567352458756==--
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org