Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

Warren Kumari <warren@kumari.net> Sun, 10 May 2015 10:08 UTC


On Sat, May 9, 2015 at 4:33 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On May 9, 2015, at 6:07 AM, Warren Kumari <warren@kumari.net> wrote:
>>> In Section 2, there should be a new paragraph after the first paragraph that describes why the "reasonable attempt" in the first paragraph is needed to determine whether the attacker has partial control of the zone, or is just mounting an on-path attack between all the nameservers and the recursive.
>>
>>
>> DONE?
>> "It is important to confirm that the domain is still under the
>> ownership / control of the legitimate owner of the domain - this is to
>> ensure that disabling validation for a specific domain does not direct
>> users to an address under an attacker's control. Contacting the domain
>> owner allows the resolver operator to determine if the issue is a
>> DNSSEC misconfiguration or an attack."
>>
>> I'm not really sure if this addresses your concerns? If not, do you
>> happen to have any suggested text?
>
> Using yours, expanding just a bit:
>
> "It is important for the resolver operator to confirm that the domain is still under the
> ownership / control of the legitimate owner of the domain in order to
> ensure that disabling validation for a specific domain does not direct
> users to an address under an attacker's control. Contacting the domain
> owner and telling them the DNSSEC records that the resolver operator is seeing
> allows the resolver operator to determine if the issue is a
> DNSSEC misconfiguration or an attack."
>

DONE.
Oooh, better, thanks....


>>
>>
>>>
>>> In Section 2, it talks about "a popular domain name" but doesn't say how to determine that. Giving examples of sources of that data would be valuable.
>>
>> DONE.
>> I added: "An example of a list of "top N" websites is the <xref
>> target="Alexa">"Alexa Top 500 Sites on the Web" </xref>"
>>
>> Is this OK?
>
> That's OK, but I would prefer to add in what Scott Rose suggested: ", or a list of the most-accessed names in the resolver's cache".



DONE.
Doh! Because I was integrating many comments in one go (and did
yours, and then Scott's) I'd actually included:
"In the case of a validation failure due to misconfiguration of a TLD
or popular domain name (such as a top 100 website), content or
services in the affected TLD or domain could be inaccessible for a
large number of users. In such cases, it may be appropriate to use a
Negative Trust Anchor as soon as the misconfiguration is confirmed. An
example of a list of "top N" websites is the "Alexa Top 500 Sites on
the Web", another example would be to look through historical query
logs."
but I'd forgotten to go back and note this here.


Anyway, I think I like yours more, so I'm using yours...




>
> --Paul Hoffman



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf