[DNSOP] Re: [Technical Errata Reported] RFC6781 (6692)

Peter Thomassen <peter@desec.io> Mon, 08 July 2024 22:23 UTC

Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78D22C2392B2; Mon, 8 Jul 2024 15:23:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=desec.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lfYLXpNTyi2K; Mon, 8 Jul 2024 15:22:57 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EAF8C180B63; Mon, 8 Jul 2024 15:22:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=desec.io; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=NcdwCnpKTzVJBKwF380XzO3GFUfxNr1thUMX3USBSg8=; b=Z1Eklppe8jEQ9mPmkP7ECL5LZ7 5VtBYCxTAwtBvPgdA4cyB7ZGo7+JJiHt5bMT/zTlVJJnrPKxI5h1k/nqZNYUvQarKu6gFEVgxmI5r KHT0ugTKIdaCB5XaUHQ36/nujKi913Ml+oCmlZRaDa+HkeZcVbpmjOnO24WdPf130ZGyq9MOSaBnU omS7n2VDMpMKCiWb6x1xCl6AlZx1Mr84FdkZWaAWWUN0sW1C/PzHGAIoGf/kj0DjDsVZsLtDbOG28 Zf2I8ck4jYN5IbR8uTVZAlVlC0amzKzi4XZSMvmh31jwHqJ64vmpMq/CCpicC3yP5m0S4yuhbE8YG ayLZqshQ==;
Received: from [2a02:8109:9283:8800:7b7b:990b:8f1d:b6e2] by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <peter@desec.io>) id 1sQwl2-00A9Ta-6q; Tue, 09 Jul 2024 00:22:52 +0200
Message-ID: <c8c126da-9940-4db3-bdd5-ee8f5daa667e@desec.io>
Date: Tue, 09 Jul 2024 00:22:50 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Warren Kumari <warren@kumari.net>, Matthijs Mekking <matthijs@pletterpet.nl>
References: <CAHw9_iJrP8_=z+wYPeUT7ErgquKz+4N2N78QfSzOX_d2mqas7w@mail.gmail.com>
Content-Language: en-US
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <CAHw9_iJrP8_=z+wYPeUT7ErgquKz+4N2N78QfSzOX_d2mqas7w@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: LKWLHW3GISQDISP5LZUTA5M2B52V4NQW
X-Message-ID-Hash: LKWLHW3GISQDISP5LZUTA5M2B52V4NQW
X-MailFrom: peter@desec.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Wouters <paul@nohats.ca>, tjw.ietf@gmail.com, rwilton@cisco.com, dnsop@ietf.org, benno@nlnetlabs.nl, suzworldwide@gmail.com, RFC Errata System <rfc-editor@rfc-editor.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Technical Errata Reported] RFC6781 (6692)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/voplw-sLcS-6u458reknBGQR2T0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Warren,

tl;dr: The erratum is correct, and I think can be verified.

The situation described in the second-to-last paragraph of RFC 6781 Section 4.3.5.1 (and illustrated in Appendix D) amounts to

- adding operator B as a multi-signing party according to RFC 8901 Model,
- removing operator A.

The delegation goes directly from NS_A to NS_B, whereas a permanent multi-signer setup would have both NS_A and NS_B in the delegation. Otherwise, the above is identical to a Model 2 multi-signer configuration.

To evaluate the erratum, it thus helps to think about multi-signer transitions. It turns out these have been analyzed in detail. For example, see page 2 of the IETF 115 DNSOP presentation on Multi-Signer Key Exchange [1], which says:

	DNSKEY responses must contain all keys a validating resolver may need for validation
	[...]
	(RRSIG is always from the same provider [as the DNSKEY RRset])


Perhaps an example helps. If you have two providers, a resolver might fetch the DNSKEY RRset from provider A and some other RRset (e.g., www IN A) from provider B. (In multi-signer, this happens routinely, and in RFC 6781 Section 4.3.5.1 it happens when the delegation switches between the two fetches.) -- Now, what's important is that, at each provider,

1.) the DNSKEY RRset has either provider's ZSK, so that one can validate the "www IN A" RRset with it, regardless of which providers the DNSKEY and A RRset were fetched from;

2.) the DNKSEY RRset itself needs to be validated, which works if it is signed with a key that is represented in the DS RRset. In the situation at hand, there DS records for *both* provider's KSK, so *either one* can be used to validate the DNSKEY RRset. It therefore suffices if each provider serves their own DNSKEY RRSIG.

They only need import each other's ZSKs, but not exchange KSKs or RRSIGs.

This is exactly the point of the erratum.

Best,
Peter


[1]: https://datatracker.ietf.org/meeting/115/materials/slides-115-dnsop-multi-signer-key-exchange-mske-00.pdf


On 6/27/24 16:46, Warren Kumari wrote:
> Hi there WG,
> 
> I am trying to go through and clean up all open Operations Errata.
> 
> I would really appreciate some input / advice from the WG on what I should do here — I've read and reread the thread and the document, and cannot figure out if this Errata is correct or not….
> 
> 
> I'm tempted to mark this as Hold for Document Update, but I'm not sure if that is best.
> 
> Errata: https://www.rfc-editor.org/errata/eid6692 <https://www.rfc-editor.org/errata/eid6692>
> RFC: RFC6781 - "DNSSEC Operational Practices, Version 2" <https://datatracker.ietf.org/doc/rfc6781/>
> 
> Types of Errata: https://www.rfc-editor.org/errata-definitions/ <https://www.rfc-editor.org/errata-definitions/>
> 
> W
> 
> 
> On Fri, Sep 24, 2021 at 3:35 PM, Matthijs Mekking <matthijs@pletterpet.nl <mailto:matthijs@pletterpet.nl>> wrote:
> 
>     I am going to assume that the DNSKEY of this zone is not a trust anchor.
> 
>     So it is going to use the DS RRset, not a cached DNSKEY RRset, to authenticate the child zone's apex DNSKEY RRset (the one from the response). Then from RFC 4035:
> 
>     o The matching DNSKEY RR in the child zone has the Zone Flag bit set, the corresponding private key has signed the child zone's apex DNSKEY RRset, and the resulting RRSIG RR authenticates the child zone's apex DNSKEY RRset.
> 
>     I read this as the cached DNSKEY RRset does not come into play when validating the DNSKEY RRset from the response, and any implementation that does otherwise is not compliant.
> 
>     - Matthijs
> 
>     On 24-09-2021 15:01, Paul Wouters wrote:
> 
>         On Fri, 24 Sep 2021, Matthijs Mekking wrote:
> 
>             Second, I believe the corner case you mentioned is for Figure 15 (the one in Appendix D), and I don't understand the scenario you are describing. What do you mean with "the resolver getting the DNKSEY RRset for NS_B would not contain a valid key for the DNSKEY RRset of NS_B". I think the resolver would get a new DNSKEY RRset with a pre-fetch (or if the DNSKEY RRset was expired from cache) and that would be validated with the DNSKEY from the response.
> 
>         If it has a valid unexpired DNSKEY RRset, and a resolver fetches that DNSKEY RRset again, will it use the cached DNSKEY RRset or the DNSKEY RRset from the fetched record set to validate the signature against the cached DS RRset ? Or is this implementation specific?
> 
>         Paul
> 
>         _______________________________________________
>         DNSOP mailing list
>         DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>         https://www.ietf.org/mailman/listinfo/dnsop <https://www.ietf.org/mailman/listinfo/dnsop>
> 
>     _______________________________________________
>     DNSOP mailing list
>     DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>     https://www.ietf.org/mailman/listinfo/dnsop <https://www.ietf.org/mailman/listinfo/dnsop>
> 
> 
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org

-- 
Like our community service? 💛
Please consider donating at

https://desec.io/

deSEC e.V.
Kyffhäuserstr. 5
10781 Berlin
Germany

Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525