Re: [DNSOP] new dnsop related draft: RFC5011 security considerations

Matthijs Mekking <matthijs@pletterpet.nl> Wed, 03 August 2016 12:44 UTC

To: dnsop@ietf.org
References: <0lfuqoqhd7.fsf@wjh.hardakers.net>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <99f615b9-15e6-d034-3926-83e273df6870@pletterpet.nl>
Date: Wed, 03 Aug 2016 14:44:31 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sA12ECfRelVT53ed1S5hqFnmYjA>

Hi Wes, Warren,

On 08/02/2016 12:00 AM, Wes Hardaker wrote:
> 
> The following draft, authored by Warren and I, might be of interest to
> the dnsop crowd:
> 
> https://tools.ietf.org/html/draft-hardaker-rfc5011-security-considerations-00
> 
> [it currently does not have a home]

Thanks for this document. Two comments:

1. In the introduction you mention there is no guidance as to how long a
DNSKEY must be published before it can be considered accepted. Perhaps
there is no implicit guidance in RFC 5011, but you should be able to
derive it from the timing parameters defined in that document. In fact,
this has been done before: RFC 7583 (DNSSEC Key Rollover Timing
Considerations) gives guidance on exactly this in Section 3.3.4.

2. The outlined attack is possible because the defined queryInterval is
set at approximately half of the RRSIG expiration interval. If the
queryInterval were increased so that it would be at most the full
expiration interval, the replay attack could not be successfully
executed. While this makes the DNSKEY rollover duration even longer, it
is then secured against the outlined attack.

Best regards,
  Matthijs
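The timing argument in comment 2, as an added example that is not part of the message or the draft it discusses: the RFC 5011 queryInterval formula next to the window in which a replayed, still-valid DNSKEY RRset could knock a newly seen key out of the add hold-down period. It assumes a resolver that polls once per queryInterval, a replay limited only by RRSIG validity, and the RFC 5011 state table behaviour where a poll without the new key moves it from AddPend back to Start.

```python
"""RFC 5011 queryInterval and the hold-down reset window left open by replay.

Assumptions (added example, not from the message or the draft): the resolver
polls the DNSKEY RRset once per queryInterval; an attacker can replay an older
DNSKEY RRset for as long as its RRSIG is valid; a poll that does not show the
new key sends it from AddPend back to Start, restarting the add hold-down timer.
"""
HOUR = 3600
DAY = 24 * HOUR


def rfc5011_query_interval(orig_ttl: int, rrsig_expiration_interval: int) -> int:
    """queryInterval per RFC 5011 section 2.3, in seconds:
    MAX(1 hr, MIN(15 days, 1/2 * OrigTTL, 1/2 * RRSigExpirationInterval))."""
    return max(HOUR, min(15 * DAY, orig_ttl // 2, rrsig_expiration_interval // 2))


def replay_validates(poll_time: int, signed_at: int, rrsig_expiration_interval: int) -> bool:
    """A replayed RRset signed at `signed_at` still validates at `poll_time` while
    its RRSIG is unexpired (validity modelled as signed_at .. signed_at + interval)."""
    return signed_at <= poll_time < signed_at + rrsig_expiration_interval


def hold_down_reset_window(query_interval: int, rrsig_expiration_interval: int) -> int:
    """How far back (seconds) before the poll that first showed the new key a stale
    RRset may have been signed and still be replayable at the *next* poll, which
    would knock the key out of AddPend. Zero once queryInterval >= the expiration
    interval, which is the change proposed in the message above."""
    return max(0, rrsig_expiration_interval - query_interval)


def hold_down_survives(first_seen: int, stale_signed_at: int, query_interval: int,
                       rrsig_expiration_interval: int) -> bool:
    """True if the poll after `first_seen` cannot be answered with the stale RRset,
    so the add hold-down timer started at `first_seen` keeps running."""
    return not replay_validates(first_seen + query_interval, stale_signed_at,
                                rrsig_expiration_interval)


if __name__ == "__main__":
    # Constructed zone parameters: 2-day DNSKEY TTL, 14-day signature lifetime.
    ttl, sig_interval = 2 * DAY, 14 * DAY
    standard = rfc5011_query_interval(ttl, sig_interval)  # 1 day, bounded by TTL/2
    for q in (standard, sig_interval):
        window = hold_down_reset_window(q, sig_interval)
        print(f"queryInterval={q // DAY}d  reset window={window // DAY}d")
    # Stale RRset signed 10 days before the new key was first seen at day 100.
    for q in (standard, sig_interval):
        print(q // DAY, hold_down_survives(100 * DAY, 90 * DAY, q, sig_interval))
```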