Re: [DNSOP] new dnsop related draft: RFC5011 security considerations
Matthijs Mekking <matthijs@pletterpet.nl> Wed, 03 August 2016 12:44 UTC
To: dnsop@ietf.org
References: <0lfuqoqhd7.fsf@wjh.hardakers.net>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <99f615b9-15e6-d034-3926-83e273df6870@pletterpet.nl>
Date: Wed, 03 Aug 2016 14:44:31 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sA12ECfRelVT53ed1S5hqFnmYjA>
Subject: Re: [DNSOP] new dnsop related draft: RFC5011 security considerations
Hi Wes, Warren,

On 08/02/2016 12:00 AM, Wes Hardaker wrote:
>
> The following draft, authored by Warren and I, might be of interest to
> the dnsop crowd:
>
> https://tools.ietf.org/html/draft-hardaker-rfc5011-security-considerations-00
>
> [it currently does not have a home]

Thanks for this document. Two comments:

1. In the introduction you mention there is no guidance on how long a DNSKEY must be published before it can be considered accepted. Perhaps there is no implicit guidance in RFC 5011, but you should be able to derive it from the timing parameters defined in that document. In fact, this has been done before: RFC 7583 (DNSSEC Key Rollover Timing Considerations) gives guidance on exactly this in Section 3.3.4.

2. The outlined attack is possible because the defined queryInterval is approximately half of the RRSIG expiration interval. If the queryInterval were increased so that it is at most the full expiration interval, the replay attack cannot be executed successfully. While this makes the DNSKEY rollover duration even longer, it is now secured against the outlined attack.

Best regards,
  Matthijs
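A worked illustration of the queryInterval argument in comment 2, added here as an example; it is not part of Matthijs's message or of the draft. The queryInterval formula is the one RFC 5011 Section 2.3 specifies, MAX(1 hr, MIN(15 days, 1/2*OrigTTL, 1/2*RRSigExpirationInterval)). The "full expiration interval" variant is a hypothetical modelling of the suggestion in the mail (poll once per RRSIG expiration interval, keeping only the one hour floor), and the TTL and signature lifetime values are constructed, not taken from any real zone. The point it makes from the validator's side: an RRSIG that is valid when the resolver polls was necessarily signed no later than that poll, so it expires no later than one RRSigExpirationInterval after it; whether it can still satisfy the next poll depends only on whether queryInterval is shorter than that interval.

```python
"""Timing of RFC 5011 trust-anchor polling versus RRSIG validity.

All durations are plain integers in seconds so the helpers are easy to
call from any caller; HOUR and DAY are provided for readability.
"""

HOUR = 3600
DAY = 24 * HOUR


def query_interval_rfc5011(orig_ttl: int, rrsig_expiration_interval: int) -> int:
    """queryInterval exactly as RFC 5011, Section 2.3 defines it:
    MAX(1 hr, MIN(15 days, 1/2*OrigTTL, 1/2*RRSigExpirationInterval))."""
    return max(HOUR, min(15 * DAY, orig_ttl // 2, rrsig_expiration_interval // 2))


def query_interval_full_expiration(rrsig_expiration_interval: int) -> int:
    """Hypothetical variant (assumption, modelling the mail's suggestion):
    poll no more often than once per full RRSIG expiration interval, with
    the same one hour floor RFC 5011 uses."""
    return max(HOUR, rrsig_expiration_interval)


def replayed_rrsig_can_bridge_polls(query_interval: int, rrsig_expiration_interval: int) -> bool:
    """Can a DNSKEY RRSIG that validates at poll N still validate at poll N+1?

    An RRSIG accepted at time t has inception <= t, so its expiration is at
    most t + RRSigExpirationInterval.  It can cover the next poll at
    t + queryInterval only when queryInterval < RRSigExpirationInterval.
    When this is True, an old-but-still-valid DNSKEY RRset replayed at
    poll N+1 is indistinguishable from a fresh one to the validator.
    """
    return query_interval < rrsig_expiration_interval


def polls_per_signature_lifetime(query_interval: int, rrsig_expiration_interval: int) -> int:
    """How many RFC 5011 polls fall inside one signature lifetime; the
    number of chances a stale-but-valid RRset has to be accepted."""
    return rrsig_expiration_interval // query_interval


def compare(orig_ttl: int, rrsig_expiration_interval: int) -> dict:
    """Side by side: RFC 5011 polling versus the full-interval variant."""
    rfc = query_interval_rfc5011(orig_ttl, rrsig_expiration_interval)
    full = query_interval_full_expiration(rrsig_expiration_interval)
    return {
        "rfc5011_query_interval_days": rfc / DAY,
        "rfc5011_replay_bridges_polls": replayed_rrsig_can_bridge_polls(rfc, rrsig_expiration_interval),
        "rfc5011_polls_per_lifetime": polls_per_signature_lifetime(rfc, rrsig_expiration_interval),
        "variant_query_interval_days": full / DAY,
        "variant_replay_bridges_polls": replayed_rrsig_can_bridge_polls(full, rrsig_expiration_interval),
    }


if __name__ == "__main__":
    # Constructed scenarios (not real zone parameters):
    #  - a 2 day DNSKEY TTL with 14 day signature validity: TTL/2 dominates
    #  - a 30 day DNSKEY TTL with 10 day signature validity: RRSIG/2 dominates
    for ttl, lifetime in ((2 * DAY, 14 * DAY), (30 * DAY, 10 * DAY)):
        print(f"OrigTTL={ttl // DAY}d RRSigExpirationInterval={lifetime // DAY}d")
        for key, value in compare(ttl, lifetime).items():
            print(f"  {key}: {value}")
```

Both constructed scenarios come out the same way: under RFC 5011 the resolver polls at least twice per signature lifetime and a replayed RRset can bridge consecutive polls, while the variant polls once per lifetime and the replay window closes, at the cost of a proportionally slower rollover, which is the trade-off the mail names.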