IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-aggressiveuse-01.txt

Warren Kumari <warren@kumari.net> Tue, 13 September 2016 15:57 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D0E512B3F7 for <dnsop@ietfa.amsl.com>; Tue, 13 Sep 2016 08:57:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wgLes3Iva-hh for <dnsop@ietfa.amsl.com>; Tue, 13 Sep 2016 08:57:00 -0700 (PDT)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 985D612B59C for <dnsop@ietf.org>; Tue, 13 Sep 2016 08:28:18 -0700 (PDT)
Received: by mail-qt0-x229.google.com with SMTP id 38so90824644qte.1 for <dnsop@ietf.org>; Tue, 13 Sep 2016 08:28:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=4hy2FbE4oZgDzGoB9WaU1bFdMbEN1mereqR8BCTeGsI=; b=Yk1iWs/Tde+Ue9Ks3iHVe2cjEZq/NfmZ95Ims0yqc4VYvLUOPJ9bYJQDwwHVflRq2h LvtCLx7OLudEjVzX81cLLqqKRFY0QvIxVDd85bdmmmJYAaRlk5ov6OyIiGj6l+ubsNxG iRjgMK6ag/lYgeN6IfHXen2p2w3g47jnjY2iIp45CiECAYlTQoy6y5ENvaV73DgQ2hUp 8MntpaMCGp2fLzVILdxm4bhZjpERdZtCjghn4I/LJ46nqSiMLOMLyf8pPeA0TM3mtiO5 +LsoCHmmDbClC8D9+8+CbVCS/2w+0ZFuX8XMYF+swQPfcrGfor2qip8nIu7LZ8aG2wIp 0FDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=4hy2FbE4oZgDzGoB9WaU1bFdMbEN1mereqR8BCTeGsI=; b=TH6S8Tw/W7WaD+1LB7Naabe8Ko2//V/tYUMtY8J+G7jn8n3P8AFWHjv2OzzOOdXWXP d9xrMhdTlJkfMXQX6ZpT3wetbxHBA4isySkAWI7JIdFEpSlvfMTSF9DWxk3BMwQj6472 9p6lxYw2NCjPzg7nJTRhHjeSp4WwYZ2eCyoLMb4m3Pe5OsH8AH6HR2sqY+SetwGUor65 jiTtu2cbgNUl0NewhntxgoQki3cmDHmY1BVf3KHzNJ+d8b0dfkytq/qDv1yp4SF28wnX 6Qhf/3/FQxvUhyYOVFxsLlKbbZipNYw5BCcBNk/TCrcqFX8K1b8AZsY1Wc4pZFGp+nJl ltZA==
X-Gm-Message-State: AE9vXwOGOUKPiJ2r5m6YOtFB7kkPvH8iuSH4TfVxGROzeZPLUFlYJh3HttToxcK8kEI0evvRIC7LRcbZxswSXbfE
X-Received: by 10.200.33.183 with SMTP id 52mr1714367qty.128.1473780497588; Tue, 13 Sep 2016 08:28:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.147.196 with HTTP; Tue, 13 Sep 2016 08:27:47 -0700 (PDT)
In-Reply-To: <CAJE_bqeLnEd+VrJTzQT=2TNhangBd9TuVnCM=CKz2Y4O1danmA@mail.gmail.com>
References: <20160803191756.6121.3153.idtracker@ietfa.amsl.com> <CAJE_bqeLnEd+VrJTzQT=2TNhangBd9TuVnCM=CKz2Y4O1danmA@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 13 Sep 2016 11:27:47 -0400
Message-ID: <CAHw9_iKLxGJQiTvymPCWH8Wy3Bz3U2mci5E_Oz_S_ZiZkyUpbA@mail.gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/slDFoiq-0DIuyvd1ebh6sjViVik>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec-aggressiveuse-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2016 15:57:08 -0000

Apologies for the delay in responding.

On Wed, Aug 17, 2016 at 2:18 PM, 神明達哉 <jinmei@wide.ad.jp> wrote:
> At Wed, 3 Aug 2016 13:32:56 -0700,
> Warren Kumari <warren@kumari.net> wrote:
>
>> We have updated this document with comments and feedback from Berlin.
>> We have also gone through and done another editing pass, removing a
>> significant amount of text which was intended to drive the discussion,
>> but would not really be useful in a published RFC.
>>
>> Please review it, we believe that the document is ready (or almost
>> ready) for WGLC.
> I see draft-ietf-dnsop-nsec-aggressiveuse-01 has been improved a lot.

Thank you for your comments; we are trying to make it better, and
appreciate your review.

>
> Some comments on this version:
>
> - general: there still seem to be a (IMO) misleading claim as if this
>   technique were a strong mitigation against DoS attacks rather than a
>   possible performance optimization.  I'll point out some specific
>   cases below, but independently from whether/how to address these
>   points, we might want to follow the style of
>   draft-ietf-dnsop-nxdomain-cut-04.  It has a dedicated section (sec
>   4) that discusses the benefit, and mentions its attack mitigation
>   effect as a secondary benefit.  I think the same logic applies to
>   nsec-aggressiveuse.

Thank you. Based on your previous comments I had tried to tone down /
scrub much of the DoS wording - I'd thought I'd achieved a reasonable
compromise, but I'll give it another whirl.
I like your above suggestion, and have added Section 6 - Benefits.
I have tried to explain the mitigation which this provides *under
ideal circumstances*. It decreases the number of queries sent by each
recursive being used as a reflector in the attack from close to
infinite (conservatively [a-z0-9\-]^label_length, or 37^63 (assuming
one label)) to something around 2*[entries_in_zone] (one for each
actual entry, one for each "hole").
I'm not sure that my explanation is a: useful or b: clear or c: correct :-)

>
> - general: I suggest removing/rephrasing the phrase "full-service
>   resolver".  As far as I understand it, nsec-aggressiveuse is totally
>   irrelevant to whether the resolver is "full-service" (which I
>   interpret as performing recursive resolution from the root) or not.
>   The only critical point for it to work is that the resolver has/uses
>   cache and it performs DNSSEC validation.  As long as a resolver
>   meets this condition, nsec-aggressiveuse should be equally
>   usable/effective even if it only uses an external forwarder.  Since
>   the use of cache is probably too obvious, a better terminology would
>   be "validating resolver".

Thank you. I have removed the "full-service" terminology, and replaced
it with "validating resolver" where applicable. In many cases the
"validating" bit was clear from context / was redundant and so I just
said "resolver" or "implementation" to improve readability. I also
added something to the terminology section basically explaining this.

>
> - general: I wonder whether we also want to use NSEC/NSEC3 for
>   NOERROR-NODATA type of negative cache information.
>
> - Abstract
>
>    This increases resilience to DoS attacks, increases
>    performance / decreases latency, decreases resource utilization on
>    both authoritative and recursive servers, and also increases privacy.
>
>   I suggest rephrasing it to be less misleading, e.g.,
>
>    This increases performance / decreases latency, decreases resource
>    utilization on both authoritative and recursive servers, and also
>    increases privacy.  [It may also help increase resilience to DoS
>    attacks to some extent.]
>
>   The second sentence could simply be removed, but I added it in case
>   if we really want to say something about it in the abstract.

How is:
This increases performance / decreases latency, decreases resource
utilization on both authoritative and recursive servers, and also
increases privacy. It may also help increase resilience to certain DoS
attacks in some circumstances.

(I took your suggestion and made it even less strong)


>
> - Section 1
>
>    [...]  This method of negative caching requires
>    exact matching; this leads to unnecessary additional lookups, which
>    have negative implications for DoS survivability, increases latency,
>    leads to extra resource utilization on both authoritative and
>    recursive servers, and decreases privacy by leaking queries.
>
>   I suggest removing "which have negative implications for DoS
>   survivability" to be less misleading.

Thanks, done.

>
> - Section 5.2
>
>    [...] It SHOULD provide a configuration switch to
>    disable aggressive use of NSEC and allow it to be enabled or disabled
>    for specific zones.
>
>   I suggest s/specific zones/specific domains/ since it's not trivial
>   for a recursive server operator to know whether a particular domain
>   name is a zone apex or not at the time of configuring the server.

Oh, yeah. Nice catch, done!

>
> - Section 5.4
>
>    and it may be justified for performance and other benefits.  (Note
>    that, so far, this is orthogonal to "when aggressive use (of NSEC) is
>    enabled").
>
>    Furthermore, when aggressive use of NSEC is enabled, the aggressive
>    use of cached deduced wildcard will be more effective.
>
>   This text seems to be derived from a prior review comment of mine,
>   which was a bit too casual.  I suggest revising this part as
>   follows:
>
>    and it may be justified for performance and other benefits.
>
>    Such aggressive use of cached deduced wildcard can be employed
>    independently from aggressive use of NSEC.  But, it will be more
>    effective when both are enabled since the resolver can determine
>    the name subject to wildcard would not otherwise exist more
>    efficiently.
>

Oh, ta, thanks. I integrated previous comments in a bit of a rush.

W

> --
> JINMEI, Tatuya
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email