Re: [DNSOP] CNSRRSIG (was: Re: [Ext] draft-fujiwara-dnsop-delegation-information-signer))

Paul Hoffman <paul.hoffman@icann.org> Fri, 11 December 2020 01:49 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 197593A13B2 for <dnsop@ietfa.amsl.com>; Thu, 10 Dec 2020 17:49:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9XTK-1RJIGQc for <dnsop@ietfa.amsl.com>; Thu, 10 Dec 2020 17:49:06 -0800 (PST)
Received: from ppa5.dc.icann.org (ppa5.dc.icann.org [192.0.46.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D4303A13B1 for <dnsop@ietf.org>; Thu, 10 Dec 2020 17:49:06 -0800 (PST)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa5.dc.icann.org (8.16.0.42/8.16.0.42) with ESMTPS id 0BB1n24V008991 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 11 Dec 2020 01:49:02 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-2.pexch112.icann.org (10.226.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.721.2; Thu, 10 Dec 2020 17:49:01 -0800
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0721.006; Thu, 10 Dec 2020 17:49:01 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: Joe Abley <jabley@hopcount.ca>
CC: dnsop <dnsop@ietf.org>
Thread-Topic: [DNSOP] CNSRRSIG (was: Re: [Ext] draft-fujiwara-dnsop-delegation-information-signer))
Thread-Index: AQHWzzofPhRvn9p1EEWsetz0r1t/E6nxhXmAgAAHSoCAAAMGAIAAAtcAgAAByACAAAL8gIAAD9sA
Date: Fri, 11 Dec 2020 01:49:00 +0000
Message-ID: <296E56CC-40CA-4501-AF35-CB3B9CE49869@icann.org>
References: <F3CB048D-F6DB-46D7-A151-E9526FA51F47@icann.org> <A8AECB8C-E6D4-4360-A85F-2525BF001435@hopcount.ca> <9BB8435F-F416-49CF-A232-FDCE526DCDD5@icann.org> <6D93A6AB-FD9F-4BB7-9953-15867984B315@hopcount.ca>
In-Reply-To: <6D93A6AB-FD9F-4BB7-9953-15867984B315@hopcount.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_0A3C6427-BF7E-4377-84EA-B9F3AD5FFC65"; protocol="application/pkcs7-signature"; micalg=sha-256
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.343, 18.0.737 definitions=2020-12-10_11:2020-12-09, 2020-12-10 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uLCqfGJF_IzhQv-ouVN3YzGtX08>
Subject: Re: [DNSOP] CNSRRSIG (was: Re: [Ext] draft-fujiwara-dnsop-delegation-information-signer))
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 01:49:08 -0000

On Dec 10, 2020, at 4:52 PM, Joe Abley <jabley@hopcount.ca> wrote:
> 
> On 10 Dec 2020, at 19:41, Paul Hoffman <paul.hoffman@icann.org> wrote:
> 
>>> "Authenticate authoritative servers" is a bit vague for me. Parent and child are namespace concepts and not relying parties that you'd ordinarily expect to be able to authenticate anything.
>> 
>> A resolver asks a parent what the NS records are for the child. Today, an on-path attacker can change the answer and the resolver would not be the wiser, so the resolvers cannot trust such answers to do things like look up TLSA records. There is a desire for resolvers to be sure that what the child NS records they receive from the parent is what the parent has in its zone for the child so they can use this information to ask for TLSA records.

> Did I read that back correctly?

Somewhat, but not completely.

> The problems that DNSSEC is trying to solve are with identifying inauthentic data ultimately requested by applications. If an intermediate referral response includes an inauthentic NS RRSet with no RRSIGs

or an NS RRset with bogus RRSIGs

> it cannot be identified as inauthentic, but it doesn't really matter because any data that is expected to be signed from the inauthentic servers will fail validation and the application will be protected.
> 
> The problems that dprive is trying to solve concern surveillance opportunities and information leakage. that if an imtermediate referral response includes an inauthentic NS RRSet with no RRSIGs it could cause queries on behalf of an application to be harvested by an untrusted third party at one of those inauthentic servers, which could represent a surveillance opportunity.

That is true so far, but some folks have informally gotten excited about authenticating intermediate referral responses for other reasons. (They can speak for themselves; that's not my use case yet.)

> The proposal is hence to provide a way for an intermediate referral response that includes an inauthentic NS RRSet to be identified as inauthentic so that subsequent queries to the untrusted third party servers can be suppressed.

Again, this is true so far, but others have hinted that they might use the authentication for more.

> I've now typed "inauthentic" enough that I am starting to doubt that it is a word, but "bogus" has a particular and different meaning in DNSSEC so I was trying to avoid it.

You even skipped using "bogus" once above. :-)

--Paul Hoffman