IETF Logo Mail Archive

Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00

Alex Bligh <alex@alex.org.uk> Wed, 21 October 2009 08:59 UTC

Return-Path: <alex@alex.org.uk>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5D5693A680A for <dnsop@core3.amsl.com>; Wed, 21 Oct 2009 01:59:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.249
X-Spam-Level:
X-Spam-Status: No, score=-1.249 tagged_above=-999 required=5 tests=[AWL=0.750, BAYES_00=-2.599, J_CHICKENPOX_54=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ZRfvsnKTXKZ for <dnsop@core3.amsl.com>; Wed, 21 Oct 2009 01:59:07 -0700 (PDT)
Received: from mail.avalus.com (mail.avalus.com [217.147.82.63]) by core3.amsl.com (Postfix) with ESMTP id 880303A67A1 for <dnsop@ietf.org>; Wed, 21 Oct 2009 01:59:07 -0700 (PDT)
Received: from [192.168.100.15] (shed [217.147.82.63]) by mail.avalus.com (Postfix) with ESMTPA id BB866C2DA7; Wed, 21 Oct 2009 09:59:14 +0100 (BST)
Date: Wed, 21 Oct 2009 09:59:12 +0100
From: Alex Bligh <alex@alex.org.uk>
To: Florian Weimer <fweimer@bfk.de>, Ray.Bellis@nominet.org.uk
Message-ID: <A0DDFB2F94500799B7F0B37F@Ximines.local>
In-Reply-To: <82zl7luov4.fsf@mid.bfk.de>
References: <OFA656600E.F5229B3D-ON80257650.005247BF-80257650.00527644@nominet.org.uk> <82skde36c9.fsf@mid.bfk.de> <DE23E9BF50E437E2D5CA65C8@Ximines.local> <82ljj61gle.fsf@mid.bfk.de> <200910202329.n9KNT56j048843@drugs.dv.isc.org> <1F61DD04-14A6-4349-8650-9CF27D27C3BC@hopcount.ca> <200910210145.n9L1j8of033780@drugs.dv.isc.org> <8263a9xnem.fsf@mid.bfk.de> <OFD7B965B7.53CC1C17-ON80257656.0028D85C-80257656.002974DF@nominet.org.uk> <82zl7luov4.fsf@mid.bfk.de>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: Alex Bligh <alex@alex.org.uk>, dnsop@ietf.org, Joe Abley <jabley@hopcount.ca>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Alex Bligh <alex@alex.org.uk>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2009 08:59:08 -0000

--On 21 October 2009 08:34:39 +0000 Florian Weimer <fweimer@bfk.de> wrote:

>>> Mark, I din't think this is true given how the proposed protocol
>>> works.  For a start, you often cannot fetch the DNSKEY RR for ARPA
>>> before running the protocol.
>>
>> Indeed LOCAL.ARPA would need to be unsigned.
>
> Not really.  Why would it need to exist in the public tree at all?
> All we need is agreement from both ICANN and IETF that LOCAL.ARPA is
> reserved and not to be delegated in the official tree.

OK, let's try this one again. LOCAL.ARPA is not delegated at all.
It is unsigned.

Necessarily, ARPA. will have no records for LOCAL.ARPA (except
perhaps pointing at a sink). Each of the individual LOCAL.ARPA
instances run by recursive nameservers have different administrators.
Whilst it would be theoretically possible to sign them, this would
achieve no purpose as anyone operating a recursive nameserver would
need to sign them.

Moreover the queries into DOMAIN.LOCAL.ARPA are going to be made
in an environment where we suspect DNSSEC queries don't work, as
there is, ex hypothesi, possible a misbehaving proxy in the way.
Therefore, queries will likely be made with DO clear (that
should be in the draft too).

So there are two separate security risks: cache poisoning on the
recursive server (this needs addressing and I have some ideas),
and a theoretical Kaminsky style attack on the individual
non-DNSSEC queries to DOMAIN.LOCAL.ARPA. There are some obvious
mitigation strategies here (such as uRPF on customer facing edges
and not taking source IP addresses from critical server ranges
on other edges), but I'm not sure that ultimately this one needs
addressing. Firstly, it can only be used against individual
clients and requires some heuristic knowledge of when the query
is going to be made. Secondly, all you "win" is the ability
to spoof insecure queries. However, it would be possible to
avoid even this, e.g. with a nonce in the QNAME.

-- 
Alex Bligh

v2.38.3 | Report a Bug | By Email | System Status