Re: [DNSOP] On removing a pargraph in RFC4035
Mark Andrews <marka@isc.org> Thu, 24 March 2022 23:26 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CFFC3A0E12 for <dnsop@ietfa.amsl.com>; Thu, 24 Mar 2022 16:26:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.109
X-Spam-Level:
X-Spam-Status: No, score=-7.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=qv+msH9w; dkim=pass (1024-bit key) header.d=isc.org header.b=TPuFRr51
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ceG8oEv8tL9f for <dnsop@ietfa.amsl.com>; Thu, 24 Mar 2022 16:26:44 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ED333A0E01 for <dnsop@ietf.org>; Thu, 24 Mar 2022 16:26:44 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 2E20B3AB006; Thu, 24 Mar 2022 23:26:43 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 2E20B3AB006
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1648164403; bh=x9rkJBPyx9JWjPE9yHQJHPCJRq95Y6P4Tts3z6kiKlc=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=qv+msH9wMi8AIkkELGNFoYSK+RC6huU6TTApp71dmfp6Uvfc4TXzPS2qZ6J/HVOQS WCZ0nC19R5SfyiyYoVp89BYpctpeGOxxAK7qeuGmAepDi5wAVPzx2oApORUlQXT0cF f2tP9T4nCtmpFQbCkx+OCnKtKL5KNlIMVXr0RePU=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 635CB1103174; Thu, 24 Mar 2022 23:25:57 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 3619011031DE; Thu, 24 Mar 2022 23:25:57 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 3619011031DE
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1648164357; bh=ZOHPRcm4aUavD0AVZITNpwacViPo2OYS67lstrhJ4T8=; h=Mime-Version:From:Date:Message-Id:To; b=TPuFRr51ZiU0VgCmyGx/o3NOtBhw8W8vhMV+gCYYPyxHi+aKOsY3dbdloL2Qi9tvq UT3E//lyJ0f/7EOqFy/gR03XsGANhYLru2JM7JCSppHLeH5JB3nW60naDq01VHEdAH fEe1aScWPtXHsk+2OFg7HEfGxC76vX0zkgOKHJP0=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id UlgkqHiLEpG1; Thu, 24 Mar 2022 23:25:57 +0000 (UTC)
Received: from smtpclient.apple (n114-74-26-107.bla4.nsw.optusnet.com.au [114.74.26.107]) by zimbrang.isc.org (Postfix) with ESMTPSA id 0CE241103174; Thu, 24 Mar 2022 23:25:55 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <BE76BE65-AF60-4AF7-B6E3-30F3CFB3B7EF@wisser.se>
Date: Fri, 25 Mar 2022 10:26:37 +1100
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, "libor.peltan" <libor.peltan=40nic.cz@dmarc.ietf.org>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7B9FDB45-2EE6-48C1-9869-4C6D22162E65@isc.org>
References: <7c000345-7eaf-5bf3-9523-84045f49cb71@nic.cz> <CAHbrMsB1=wiWqpLehYOfeFczb4KEZVbzHRr110Y+=pvXd8Y_oQ@mail.gmail.com> <E731FBC4-72F8-4BF2-8907-C579989544A4@wisser.se> <CAHbrMsAtsbJcAYEQgK4f7d3te2OTygHoLWTwiKy0AxSRinOK0A@mail.gmail.com> <E3ECD0B4-8F61-44AF-968A-260D9F5933F2@isc.org> <BE76BE65-AF60-4AF7-B6E3-30F3CFB3B7EF@wisser.se>
To: Ulrich Wisser <ulrich@wisser.se>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/t42taTh6xmpUz5AJ8Cybk7RQ0-I>
Subject: Re: [DNSOP] On removing a pargraph in RFC4035
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 23:26:49 -0000
> On 25 Mar 2022, at 03:50, Ulrich Wisser <ulrich@wisser.se> wrote: > > Hi Mark, > > Sorry for the late answer, IETF and some other stuff keeps me busy. > > > Let’s start with this > > We did not and do not propose to remove anything from RFC 4035. Currently we are asking for RFC 6840 to be amended > > RFC 6840 Section 5.11 > This requirement applies to servers, not validators. Validators > SHOULD accept any single valid path. They SHOULD NOT insist that all > algorithms signaled in the DS RRset work, and they MUST NOT insist > that all algorithms signaled in the DNSKEY RRset work. > > > PROPOSED CHANGE > This requirement applies to servers, not validators. Validators > SHOULD accept any single valid path. They MUST NOT insist that all > algorithms signaled in the DS RRset work, and they MUST NOT insist > that all algorithms signaled in the DNSKEY RRset work. > > > > We absolutely do not want to enable lying. We want to enable transfer of domains between to signers using different algorithms. > > I share your analysis that this is possible today. It violates RFC 4035 section 2.2. It should work given that you use two fairly well supported algorithms and your resolver follows the “SHOULD” in RFC 6840 section 5.11. If you are really worried about that you can do it in 3 stages. Provider A adds A DNSKEYs and RRSIGs, provider B then adds B DNSKEYs and RRSIGs (the A RRSIGs for DNSKEY will now be invalid), then provider A re-signs the DNSKEY RRset. The whole point of the rules in section 2.2 is to *ensure* that a validator which supports only A gets A RRSIGs and that a validator that only supports algorithm B gets B RRSIGs when the DS RRset says there are both algorithms are present. The rules are there to ensure that. That said the written rule is not the only way to achieve this goal, it is just the simplest rule that will achieve this goal. If a signer follows the rule it can’t defeat the goal of the rule. There MUST be an RRSIG for each RRset using at least one DNSKEY of each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset itself MUST be signed by each algorithm appearing in the DS RRset located at the delegating parent (if any). Note a signer can violate this and still achieve the goal of the rules but it requires knowledge that the signer usually doesn’t have (i.e. that an algorithm isn’t in the DS RRset so that it is safe to not have every RRset signed with every algorithm. Validators can’t determine this as the DNS is loosely coherent so they have to assume that the DNSKEY RRset comes from a different instance of the zone to the RRset they are validating.). If we ever revise this section we should add in the goal of the section. > So the first step is to change 6840 to “MUST”, so that resolvers use any validation path and do not insist on a specific or all algorithms being present. Changing the SHOULD to a MUST doesn’t solve the problem that a client that only supports algorithm A can’t validate the RRset after it has been told that signatures for algorithm A are present (see the DS RRset) when it gets answers from B. Add to that clients don’t always talk *directly* to the authoritative servers so there is no "go ask another authoritative server" to get a set of RRSIGs that work. > Secondly, problems arise if a resolver only supports one of the algorithms. In that case half of the answers would be considered bogus. We are looking for a way to make this work. > > I admit, the problem is not trivial, but I have faith in DNSOP! ( Please don’t prove me wrong. Pretty please!) > > /Ulrich > > > > >> On 22 Mar 2022, at 00:59, Mark Andrews <marka@isc.org> wrote: >> >> Also the whole point of mandatory to implement (which includes business practices) is to prevent cases like this. >> If a business wants to lie to its customers about supporting DNSSEC it should be taken to court, preferably by >> bodies like the ACCC. >> >> As for migration between providers, provided there is some co-operation, it is possible to migrate between two providers with non overlapping algorithms. It does require the signed zone data to be transferred back and forth between the operators. It does require DNSKEY records to be swapped. >> >> raw zone + provider B keys -> add A keys and sign by A -> sign by B preserving A signatures and keys -> transfer to A for serving. >> >> This works today and requires no DNSSEC protocol changes. It may require some minor implementation changes. For BIND that would be to stop stripping out DNSSEC stuff from A at B when inline signing. It could all be done in single server instances with views. This is conceptually what BIND does when introducing a new algorithm with incremental signing except for transferring the new zone back and forth. >> >>> On 22 Mar 2022, at 06:58, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote: >>> >>> If we assume the existing install base of resolvers isn't going away, then I don't see how we could relax the requirement. There are already deployed resolvers enforcing it. You would need a "flag day" to deprecate them, which could not happen for many years. >>> >>> This seems a lot harder than just telling your next DNS provider that you can't do business with them until they implement another one of the (very small number of) widely implemented algorithms. >>> >>> Of course, I've personally argued for essentially the opposite of this proposal [1]. Until DNSSEC has algorithmic agility without sacrificing compatibility or security, it's only usable as "extra" security. >>> >>> [1] https://www.ietf.org/archive/id/draft-schwartz-dnsop-dnssec-strict-mode-00.html >>> >>> On Mon, Mar 21, 2022 at 12:06 PM Ulrich Wisser <ulrich@wisser.se> wrote: >>> Hi Ben, >>> >>> The proposal is not to remove the possibility of double signatures, but to relax the requirement so that other use cases become possible. >>> >>> Our use case is the transition from one dns provider to another without going insecure. If both use the same algorithm you can use the multi-signer dnssec to do this. But if the signers only support a distinct set of algorithms you are out of luck. >>> >>> As Libor pointed out, there are some implications to validation that must be considered. >>> >>> I would say, there are no obvious or easy solutions. But I think/hope that DNSOP will be able to come up with some ideas that we can explore. >>> >>> >>> /Ulrich >>> >>> >>>> On 21 Mar 2022, at 10:32, Ben Schwartz <bemasc@google.com> wrote: >>>> >>>> I'm concerned about this. Concretely, this seems like it would raise a major barrier to rolling out new algorithms. For example, any zone that offers ECDSA and RSA signatures would be insecure for any RSA-only resolvers. It's hard to see how new algorithms could be adopted at scale if this rule were in place. >>>> >>>> On Sun, Mar 20, 2022 at 4:42 PM libor.peltan <libor.peltan=40nic.cz@dmarc.ietf.org> wrote: >>>> Hi Ulrich, dnsop, >>>> thank you for your effort in improving DNS. >>>> >>>> This is a follow-up to your proposal on easing the requirements by >>>> RFC4035, which say, in short, that if there's a DS of an algorithm, >>>> there must be a complete DNSKEY set of that algorithm, and if there is a >>>> DNSKEY of an algorithm, the whole zone must be signed by RRSIGs of that >>>> algorithm. >>>> >>>> The counter-proposal is to only require at least one valid >>>> DS-DNSKEY-RRSIG path to sign each RR in the zone. I understand how this >>>> would enable multi-signer setups with the signers supporting different >>>> algorithms, which in turn is beneficial to enable smooth transitions >>>> between such signers. >>>> >>>> Let's suppose we go this way. How do we specify the validator behaviour >>>> when there are algorithm A and B DNSKEYs, just algorithm B RRSIGs, and >>>> the validator only understands algorithm A, but not B? I guess BOGUS >>>> will be no longer proper here, we would probably stick at INSECURE. Am I >>>> correct? >>>> >>>> Now a different scenario. There are algorithm A and B DNSKEYs, the whole >>>> zone is also signed by both alg A and B RRSIGs, and the validator only >>>> understands alg A. Some man-in-the-middle attacker intercepts the >>>> answers by fiddling with the records, while removing algorithm A RRSIGs >>>> from the packets. The validator ends up with INSECURE and lets the >>>> attacker poison some cache... >>>> >>>> With current DNSSEC requirements, it is enough for security if there is >>>> any intersection between the algorithms which the zone is signed by, and >>>> the algorithms supported by the validator, respectively. With your >>>> proposal, it would be required that the validator supports all the >>>> algorithms, which the zone is signed by. >>>> >>>> I agree that in case the zone is signed by just one algorithm >>>> (occasionally being rolled-over to just one different one), these >>>> conditions are equivalent. Fortunately, it did not happen yet (or I'm >>>> not aware of), that the existence of different validators with distinct >>>> sets of supported algorithms forced signers to permanently sign zones >>>> with two algorithms in parallel. The question is, if it remains so for >>>> the future. I can't imagine what would happen in case of a "post-quantum >>>> apocalypse", maybe it wouldn't be a problem, but it might. >>>> >>>> It would also cause the paradox and indeed creepy security quirk, that >>>> if you sign your zone with one more algorithm, which is >>>> cryptographically strong but poorly adopted (perhaps experimental), it >>>> will result in _less_ security. Hardly anyone does this, but if they do, >>>> they will be surprised, I think. >>>> >>>> Just to be clear, I don't want to fight against your ideas. I'm just >>>> pointing at possible problems that could emerge. >>>> >>>> Thanks, >>>> Libor >>>> >>>> _______________________________________________ >>>> DNSOP mailing list >>>> DNSOP@ietf.org >>>> https://www.ietf.org/mailman/listinfo/dnsop >>> >>> _______________________________________________ >>> DNSOP mailing list >>> DNSOP@ietf.org >>> https://www.ietf.org/mailman/listinfo/dnsop >> >> -- >> Mark Andrews, ISC >> 1 Seymour St., Dundas Valley, NSW 2117, Australia >> PHONE: +61 2 9871 4742 INTERNET: marka@isc.org >> > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [DNSOP] On removing a pargraph in RFC4035 Mark Andrews
- [DNSOP] On removing a pargraph in RFC4035 libor.peltan
- Re: [DNSOP] On removing a pargraph in RFC4035 Ben Schwartz
- Re: [DNSOP] On removing a pargraph in RFC4035 Ulrich Wisser
- Re: [DNSOP] On removing a pargraph in RFC4035 libor.peltan
- Re: [DNSOP] On removing a pargraph in RFC4035 Ulrich Wisser
- Re: [DNSOP] On removing a pargraph in RFC4035 Ben Schwartz
- Re: [DNSOP] On removing a pargraph in RFC4035 Ulrich Wisser
- Re: [DNSOP] On removing a pargraph in RFC4035 Brian Dickson
- Re: [DNSOP] On removing a pargraph in RFC4035 Mark Andrews