IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-muks-dnsop-dns-message-checksums-00.txt

"Joe Abley" <jabley@hopcount.ca> Mon, 28 September 2015 23:53 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1E161A6F92 for <dnsop@ietfa.amsl.com>; Mon, 28 Sep 2015 16:53:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v_Qgp9gowiGS for <dnsop@ietfa.amsl.com>; Mon, 28 Sep 2015 16:53:23 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36B0E1A6EE8 for <dnsop@ietf.org>; Mon, 28 Sep 2015 16:53:23 -0700 (PDT)
Received: by ioii196 with SMTP id i196so194310215ioi.3 for <dnsop@ietf.org>; Mon, 28 Sep 2015 16:53:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-type; bh=OZqzC6/m3FfCI/Ae7V3vnL+SDHMPR6aMIKQ+R9UeDCk=; b=mfP+SMI9S9Y2vDLwf9FlXD6g8FDt/csjWzU8a6BKwXzwVg4Rf7pidCZN3HO4NrzLyF shC1Z9hiARQXosjsIOjIVux24voEqBAJM/tmMHYT3DAy9ndUT+Wz1zV8GBcHys1aTkt6 AO5q0Jb25dtc0w/oMY2rIIQKtITJM0gfjK1jE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-type; bh=OZqzC6/m3FfCI/Ae7V3vnL+SDHMPR6aMIKQ+R9UeDCk=; b=RaSvlUX2/OXr680ZRgwHQFhCJdDoB6B6WwWF98YXgVaaHltw0hy+VZ5o4KtnIz51xd T+H9yYXqJkg97jKGoQEd27X07EZM6V54yXfPbCYZiUuUgxmV/1vxwCz4HOP6nfB8cd3O B4xBCSxNv5KmFs85egbSFyZQU3NQvqa9SvGpeUXNyVZumlDjMeizN5N3IYLlpc1Bn0c9 YctAk3fE4qHvqdjqnh8f3/mACTU1xZRnOpyNwv1RP6lXfU+nWlJuZRupXBr/CWalDNsz 6zCsEnwkxVXTe1Sg0SaSW+tbWQ2qLsWP4xNQTL+qTpBf2c/HXObJZ0h/dJprMAlOq3eR eY6A==
X-Gm-Message-State: ALoCoQm2sKWW5YBWY6Pm+aDJgJAB8vM62rgJQpI1Pl/YXz+XNAugOZIaeU0WKFWpnfGmT/sCdB90
X-Received: by 10.107.154.211 with SMTP id c202mr21332494ioe.53.1443484402368; Mon, 28 Sep 2015 16:53:22 -0700 (PDT)
Received: from [199.212.92.19] (135-23-68-43.cpe.pppoe.ca. [135.23.68.43]) by smtp.gmail.com with ESMTPSA id b10sm9222379igb.9.2015.09.28.16.53.21 (version=TLSv1 cipher=RC4-SHA bits=128/128); Mon, 28 Sep 2015 16:53:21 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
To: Mukund Sivaraman <muks@isc.org>
Date: Mon, 28 Sep 2015 19:53:10 -0400
Message-ID: <BB4FDC1E-4FC7-4583-8314-5D3BBCB3531A@hopcount.ca>
In-Reply-To: <20150928155157.GB19077@jurassic.l0.malgudi.org>
References: <20150928155157.GB19077@jurassic.l0.malgudi.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_314440A2-F29B-4504-BFFC-5C050B1CE54F_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-Mailer: MailMate (1.9.1r5103)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/si00V-SjPT576CBswOsk_Fw6Hdk>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] New Version Notification for draft-muks-dnsop-dns-message-checksums-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Sep 2015 23:53:24 -0000


On 28 Sep 2015, at 11:51, Mukund Sivaraman wrote:

> o  draft-muks-dnsop-dns-message-checksums-00
>    Initial draft (renamed version).  Removed the NONCE-COPY field as
>    it is no longer necessary.  Doubled the size of the NONCE field to
>    128 bits.  Added sample checksum algorithms.  Fixed incorrect
>    reference, language and grammar.

                    +-------+-------+-----------------+
                    | Value | Type  | Status, Remarks |
                    +-------+-------+-----------------+
                    | 0     | EMPTY | Empty digest    |
                    | 1     | SHA-1 | Mandatory       |
                    +-------+-------+-----------------+

Reserving other values for private use might be useful.

The document doesn't describe the expected behaviour when a DNS server receives a DNS message with a CHECKSUM option that specifies an algorithm that is unknown by the receiver.

The IANA Considerations section seems inadequate -- it might be worth reviewing RFC 5226 and fleshing out the text that instantiates this registry (or anticipating the smooth passage of draft-leiba-cotton-iana-5226bis-11 and reading that instead for the same reason).

The Security Considerations section should say more about the limitations of this approach, e.g. the ability of an off-path attacker to correct for changes that would change a checksum with other changes that will restore it, which is my lazy précis of the no-doubt more succinct observation that Vixie made somewhere in this thread (or another thread near it).

The primary point of this draft is to offer some degree of integrity protection for unsigned responses (since signed responses already have it); it might be useful to spell that out. If I receive a query with the CHECKSUM option which I support, but I know I'm going to return signed data (and DO=1 in the query) I might decide to pretend I don't implement CHECKSUM because it's not especially useful if I have RRSIGs to tell you about. Does the receiver of my response get to assume that I don't support CHECKSUM at all, and never ask for it again?

If I send a query with the CHECKSUM option to a server (or through a middlebox) that doesn't handle unknown EDNS(0) option types correctly, and I hear no response, what should I do? If I receive something else unexpected (like a FORMERR), what should I do? Not accommodating the errors of others might well be the right thing, here, but we know that end users don't care about technical correctness when "you are broken but my neighbour's ISP is fine" and hence there will be pressure to mitigate the failures of others in some way or other. Having different implementations fall back differently seems less than desirable.


Joe

v2.23.0 | Report a Bug | By Email