Re: [DNSOP] CD (Re: Whiskey Tango Foxtrot on key lengths...)

Colm MacCárthaigh <colm@allcosts.net> Wed, 02 April 2014 05:24 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57B51A0118 for <dnsop@ietfa.amsl.com>; Tue, 1 Apr 2014 22:24:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.077
X-Spam-Level:
X-Spam-Status: No, score=-1.077 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_47=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OOWO3DwORUIe for <dnsop@ietfa.amsl.com>; Tue, 1 Apr 2014 22:24:38 -0700 (PDT)
Received: from mail-ob0-f177.google.com (mail-ob0-f177.google.com [209.85.214.177]) by ietfa.amsl.com (Postfix) with ESMTP id BBB9E1A0116 for <dnsop@ietf.org>; Tue, 1 Apr 2014 22:24:38 -0700 (PDT)
Received: by mail-ob0-f177.google.com with SMTP id wo20so11936978obc.36 for <dnsop@ietf.org>; Tue, 01 Apr 2014 22:24:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=QodMoNGLFLIQkDySOUhJlgUsFnNM7iaNpbBRKL0TL6I=; b=kbrtGkPcBGaP1b7GHLWUEx9qlGVzjcjqcn93L+Q71sHicFcMFoZ6fX6COdoNqFIBXw FQBHRB6CdCv5liMTouKU5n9CfLZB7G0CKlT2HKMuZTH0JzWnESElnXLfPneQXXYmX0V6 V5OzkGiP76EFWH24R2coDrlWQ0TFjuHGGdDt97AJ6S8B++iRVGreKKt7ZsRLbbWK/JRW kKK+NRv6BiMmarKHvJ/FUzIrV8t+vCnimX03P4EzdnAsCjdVYJN0PIXpz4Fh06UpXv7c NfLw/mRBBHgCDnbIr+mYDSu0r5z3S4lAsFodSDUm8PkLC6laGNiUbNU6fg9gLSD9oVvm B1pA==
X-Gm-Message-State: ALoCoQmnW9Kt8h4A8bFYTJiD40cuEhYhnY5o+Jsh+ZF5IkDhLsqAUZ01y/1Zhe+M+hnITq+PL3AA
MIME-Version: 1.0
X-Received: by 10.182.24.69 with SMTP id s5mr32744123obf.35.1396416274755; Tue, 01 Apr 2014 22:24:34 -0700 (PDT)
Received: by 10.76.20.164 with HTTP; Tue, 1 Apr 2014 22:24:34 -0700 (PDT)
In-Reply-To: <20140402024919.GA97087@isc.org>
References: <0EA28BE8-E872-46BA-85FD-7333A1E13172@icsi.berkeley.edu> <53345C77.8040603@uni-due.de> <B7893984-2FAD-472D-9A4E-766A5C212132@pch.net> <102C13BE-E45E-437A-A592-FA373FF5C8F0@ogud.com> <474B0834-C16B-4843-AA0A-FC2A2085FEFB@icsi.berkeley.edu> <CAMm+Lwh-G7D5Cjx4NWMOhTjBZd=VVRHiPdK7L1zm-P0QRP8P2Q@mail.gmail.com> <20140401223943.528B71226903@rock.dv.isc.org> <CAAF6GDe=39bmVDOtox+9coaH7R06erm-JUK19ZwPEUVkxepKTg@mail.gmail.com> <20140402003159.B4B631228652@rock.dv.isc.org> <CAAF6GDdLs3V9JMa8jgD_asYqhmt=PCaBAmk4LO0JaX_q6q0UHQ@mail.gmail.com> <20140402024919.GA97087@isc.org>
Date: Tue, 1 Apr 2014 22:24:34 -0700
Message-ID: <CAAF6GDcP77MBBUJbEdQgOqOLh2UHPEOmxYNTaAO-8F=OdLYxOQ@mail.gmail.com>
From: =?ISO-8859-1?Q?Colm_MacC=E1rthaigh?= <colm@allcosts.net>
To: Evan Hunt <each@isc.org>
Content-Type: multipart/alternative; boundary=001a11c2a20c040b1504f60880b6
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/tgfS4nIJ94-T9xOS3Fe_XGGyK4M
Cc: Phillip Hallam-Baker <hallam@gmail.com>, "dnsop@ietf.org" <dnsop@ietf.org>, Nicholas Weaver <nweaver@icsi.berkeley.edu>, Matth?us Wander <matthaeus.wander@uni-due.de>, Bill Woodcock <woody@pch.net>
Subject: Re: [DNSOP] CD (Re: Whiskey Tango Foxtrot on key lengths...)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 05:24:43 -0000

On Tue, Apr 1, 2014 at 7:49 PM, Evan Hunt <each@isc.org> wrote:

> On Tue, Apr 01, 2014 at 06:25:12PM -0700, Colm MacC?rthaigh wrote:
> > DNSSEC is a mitigation against spoofed responses, man-in-the-middle
> > interception-and-rewriting and cache compromises. These threats are
> > endpoint and path specific, so it's entirely possible that one of your
> > resolvers (or its path) has been compromised, but not others. If all of
> > your paths have been compromised, then there is no recovery; only
> > detection. But that is always true for DNSSEC.
>
> Consider the scenario in which one authoritative server for a zone
> has been compromised and the others have not, and that one happens to
> have the lowest round-trip time, so it's favored by your resolver.


> If you query with CD=0, a validating resolver detects the problem
> and tries again with another auth server.  It doesn't give up until
> the whole NS RRset has failed.


> If you query with CD=1, you get the bogus data and it won't validate.
>

I don't think this makes much sense for a coherent resolver. If I were
writing a resolver, the behaviour would instead be;  try really hard to
find a valid response, exhaust every reasonable possibility. If it can't
get a valid response, then if CD=1 it's ok to pass back the invalid
response and its supposed signatures - maybe the stub will no better, at
least fail open. If CD=0, then SERVFAIL, fail closed.

Although CD means "checking disabled", I wouldn't actually disable
checking, simply because that's stupid (I don't mean to be impolite, but I
don't have a better word to use here). But by preserving the on-the-wire
semantics of the CD bit, I'd preserve effectiveness as a cache, and pass on
what's needed to validate even the failure cases.


-- 
Colm