IETF Logo Mail Archive

Re: [DNSOP] DNSSEC as a Best Current Practice

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 22 March 2022 21:12 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B80F73A059F for <dnsop@ietfa.amsl.com>; Tue, 22 Mar 2022 14:12:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k94M_lzSLjSI for <dnsop@ietfa.amsl.com>; Tue, 22 Mar 2022 14:12:13 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D112B3A0123 for <dnsop@ietf.org>; Tue, 22 Mar 2022 14:12:12 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id z92so22289589ede.13 for <dnsop@ietf.org>; Tue, 22 Mar 2022 14:12:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gkNG8moCnRsNKxE/TRGJUYVcBboPtz/iklKyyyEaWzI=; b=MHKFDfVRlclzfW+CMgJZ+gcUu0nUIwyNO46e7xOXuqQAbJ6ruz5Xi13Ono7pCxpyzQ 5vmFeQQFGb5tESy9i799eyl1uSyCbhghGrjd7vucHZHnl3ST9kWlvZQ3nGrjKUx3RuRB OtxXNwW0qfJaAUwPW4wffZIepepR3mUNMz0sOgTGJH8H8NYJuZBwjxoj0ySpxGQIDOSm Tbg2d3zM/VruHWfMK0dCUSZ3P40Fu8Kxze06RO7hh4pe2DtdAC/pvc304k5WgpEe8AKZ jNjH3UVT/6/pdmBAbN32sZTSLYY4V2+Jbn9F4H68Cg25nV4tpneMwjcs92lf7yJyopWM pFJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gkNG8moCnRsNKxE/TRGJUYVcBboPtz/iklKyyyEaWzI=; b=s4ZgVMnO6TRFQUzLhn2a2vOoMrt3TEszf5H6yL0qOMiy05octYO7USCmzzSJbMnliX IY+QjtMvEBcwk6bStqcFN7MA18ySTjlqcNfaGUon7S8Xtw6y7Z9B/JCxdTjWz+jqTvHN tNy1jU8ebEMnkh9K9t04WHp8pyPLXkqcU4i022bR+DsZ8iClim4/SBEoWADc+cDI1ldc u45DM3aEJmYXG1PqCevA+baRsYvilEbcsB+x2XyTRpZpf7D7mgrLalGa1ZcvzqT6Mync c83LNZmETo6B9Mzq+fnnX8RUbV1vFOptkkMfuzoWI33CK6g+Bi2jig1/U9F00/G3SErx YiPw==
X-Gm-Message-State: AOAM531Np7NFAcsoc57HyaKsIwLhCb0sahd7pQHmEUvsyXjcWv9p0PE9 XNHjxG1KEa3n+SauCrQ2c1QPLUiQs/AncGpY4/w=
X-Google-Smtp-Source: ABdhPJzcmDa+tTHoZZ3FZxhpyQXzD2ANWkIEs8yvOHWeys/53vTiE7ep08J3P9HdDUcM0Uc8UzQhwdIS8nnEfaMXQtM=
X-Received: by 2002:aa7:cb4e:0:b0:419:21d2:80a with SMTP id w14-20020aa7cb4e000000b0041921d2080amr19539688edt.404.1647983530771; Tue, 22 Mar 2022 14:12:10 -0700 (PDT)
MIME-Version: 1.0
References: <163bfd78-c21d-084c-9f6d-9d29b80bcbd1@necom830.hpcl.titech.ac.jp> <7B3A5D3D-2E84-45A7-BE5F-3BAC3650E95C@hopcount.ca> <e722a37a-1476-d90b-b4df-e9d4604bea59@necom830.hpcl.titech.ac.jp> <e8566381-d8e8-b99f-67c3-2e89dc9cb85@nohats.ca> <affe488c-d2c4-05a0-69b4-12c2aa97dbfa@necom830.hpcl.titech.ac.jp>
In-Reply-To: <affe488c-d2c4-05a0-69b4-12c2aa97dbfa@necom830.hpcl.titech.ac.jp>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 22 Mar 2022 14:11:58 -0700
Message-ID: <CAH1iCip7buO_WAteXn24jDics=MOGHFMcRxvbO1O9Z-HyErdAA@mail.gmail.com>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f29cd905dad510dc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uFrLPJ_hqDQwMOzPBLBGHIzWju4>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 21:12:18 -0000

On Tue, Mar 22, 2022 at 7:12 AM Masataka Ohta <
mohta@necom830.hpcl.titech.ac.jp> wrote:

> Paul Wouters wrote:
>
> >> Wrong. DNSSEC as PKI is not cryptographically secure subject to
> >> MitM attacks on CA chains, which is not more difficult than
> >> MitM attacks on ISP chains.
> >
> > I think at this point we have reached a point where your repeated
> > claims lack any merit
>
> So, you ignore diginotar to have demonstrated that PKI to
> blindly trust untrustworthy TTPs is cryptographically
> insecure.
>

This is where your error is introduced. DNSSEC does not involve blind
trust.

Previous statements by you (Ohta-san) in this thread, and observations or
counter-points:

If a resolver correctly knows an IP address of a nameserver of a
> parent zone and the resolver and the nameserver can communicate
> with long enough ID, the resolver can correctly know an IP
> address of a nameserver of a child zone, which is secure enough
> data origin security.
>

The difference between this model (client to server transport security
using IDs) and DNSSEC, is that DNSSEC is resistant to any MITM attacks, so
long as the resolver's root trust anchor is the same as the one published
by ICANN/IANA and used to sign the root zone.

It is correct that the single element is a necessary component of the trust
model for DNSSEC. It is not a dependency within DNSSEC that the endpoint's
connectivity must be transport-secured or impervious to hijack. DNSSEC does
not care where the data lives or how it is retrieved. It protects the data
cryptographically.

 The point is that DNSSEC, or PKI in general, is not cryptographically
> secure merely blindly trusting untrustworthy intermediate systems,
> which means it is against the end to end principle, improperly
> called TTPs (Trusted Third Parties).


I think this is where your argument fails. The trust in DNSSEC is not
blind. The validation which is done by a resolver can be confirmed by an
end-host, along the entire chain (tree) from root to leaf.

In order to achieve complete compromise, the adversary (e.g. state) would
need to compromise every software stack on every host and every resolver,
and block access to every external place that could provide contradictory
results.

Given that the root trust anchor is public, and published on the IANA's web
site with all the appropriate protections, this means anyone can publish
the same information on their own web site, e.g. protected by TLS.

The only way this would not be available to someone under the control of
that adversary, would be the compromise of every CA's cert, or publishing
competing certs for every TLS cert in existence, or to prevent any access
to external sites entirely.

The notion that a state exercising that level of control would also permit
the long-enough ID communication to enable your alternative to function,
does not seem credible.

This devolves down to two possibilities: your method is not viable if the
efforts needed to block use of the Root Trust Anchor are undertaken; or if
the efforts needed to block the Root Trust Anchor are not undertaken (in
their entirety), attempts to replace the Root Trust Anchor are detectable,
which also means the real Root Trust Anchor can be obtained and validated,
and once the latter is done, DNSSEC continues to be cryptographically
secure.

The actual real root trust anchor is not feasible to compromise, nor are
the signing mechanisms involved for signing the root zone. A secured root
zone and root trust anchor makes it impossible to compromise any zone
protected by its parent, with the root zone anchoring those protections.

DNSSEC is not blind trust. The ability to compromise via spoofing requires
compromise of a parent. The root zone cannot feasibly be compromised.
Therefore DNSSEC is secure.

 I concur with the rest of the folks on this thread, this subject thread is
effectively concluded.

This message is mostly for your (Ohta-san's) benefit to understand why
DNSSEC is not in the same category as WebPKI in terms of the trust model
and trust mechanisms.

There is an analogy in infinities:
The rational numbers and real numbers are both infinite, but the infinity
of the real numbers is "uncountable", a larger infinity than the infinity
of the rational numbers, which are "countable".

Brian

v2.23.0 | Report a Bug | By Email