Re: [DNSOP] SIG(0) useful (and used?)

Shumon Huque <shuque@gmail.com> Thu, 21 June 2018 01:05 UTC

References: <6C8533C2-6510-4A0E-A7EA-50EB83E43A7D@isc.org> <alpine.DEB.2.11.1806192154190.916@grey.csi.cam.ac.uk> <CAHw9_i+KWdEQEyXE3AVKChrnYWOvhdm5uAZHpaz+tATyh0EmJA@mail.gmail.com> <CAJhMdTNqSq9fVpf6MrkJqsghKB40MP3BUBfq7xcGZ6_9W72Ggg@mail.gmail.com>
In-Reply-To: <CAJhMdTNqSq9fVpf6MrkJqsghKB40MP3BUBfq7xcGZ6_9W72Ggg@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 20 Jun 2018 21:05:42 -0400
Message-ID: <CAHPuVdVtGKjTpAu3ySi_C=Am+7pE-OX_e3M+T1+WGH0AL20oMQ@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: Warren Kumari <warren@kumari.net>, Tony Finch <dot@dotat.at>, ondrej@isc.org, "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/w05FuCgw6sS7I5QEoSUW6p925kM>

On Wed, Jun 20, 2018 at 7:30 PM Joe Abley <jabley@hopcount.ca> wrote:

> On Jun 20, 2018, at 19:07, Warren Kumari <warren@kumari.net> wrote:
>
> ... what I'd always wanted[0] was to be able to set up my own recursive
> name server somewhere on the Internet, and then only allow myself (and a
> few of my closest friends) to be able to query it.
>
> For this particular use-case, why is SIG(0) better than TSIG?
>

Either might be fine in these small user scenarios.

In the "only Warren" scenario, TSIG is probably simpler. For the "Warren
and few close friends" scenario, it depends on how much he trusts those
friends. If he trusts them not to spoof responses to him (if they are able
to insert themselves as a MITM attacker somehow), he could get away with a
single shared symmetric TSIG key. If not, he'd have to provision distinct
TSIG keys for himself, and each of the friends, which is more work, but
still might be manageable if the set of friends is small enough - but
SIG(0) is probably now looking attractive. If Warren and friends are doing
their own validation of responses from the recursive server (note: most
stubs today do not), then spoofing might be less of a concern, but there is
still a lot of unsigned data out there.

Shumon.
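As an added illustration (not part of this thread) of the key-holder distinction Shumon draws, the model below uses HMAC-SHA256 to stand in for a shared TSIG key and Ed25519 for SIG(0)-style per-party keys; the sample response text is constructed, and the wire-format digests that real TSIG and SIG(0) sign are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample response. Real TSIG (RFC 8945) and SIG(0) (RFC 2931)
// sign a specific wire-format digest; this model keeps only the key-holder logic.
var forgedAnswer = []byte("www.example. IN A 192.0.2.1 ; constructed, never sent by the server")

// tsigMAC models TSIG: one shared secret both produces and checks the MAC.
func tsigMAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// SharedKeyAllowsForgery: a friend holding the single shared TSIG key MACs a
// response the server never sent; Warren's stub, checking with the same key, accepts it.
func SharedKeyAllowsForgery(sharedKey []byte) bool {
	friendMAC := tsigMAC(sharedKey, forgedAnswer)
	return hmac.Equal(tsigMAC(sharedKey, forgedAnswer), friendMAC)
}

// GenKeys models SIG(0)-style per-party keys: the server signs with its own
// private key; a friend holds only their own private key and the server's public key.
func GenKeys() (ed25519.PublicKey, ed25519.PrivateKey, ed25519.PrivateKey) {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, friendPriv, _ := ed25519.GenerateKey(rand.Reader)
	return serverPub, serverPriv, friendPriv
}

// ServerSigned reports whether a response signed by the server verifies (it does).
func ServerSigned(serverPub ed25519.PublicKey, serverPriv ed25519.PrivateKey) bool {
	return ed25519.Verify(serverPub, forgedAnswer, ed25519.Sign(serverPriv, forgedAnswer))
}

// FriendForged reports whether a response signed with the friend's own key passes
// Warren's check against the server's public key (it does not).
func FriendForged(serverPub ed25519.PublicKey, friendPriv ed25519.PrivateKey) bool {
	return ed25519.Verify(serverPub, forgedAnswer, ed25519.Sign(friendPriv, forgedAnswer))
}

func main() {
	sPub, sPriv, fPriv := GenKeys()
	fmt.Println(SharedKeyAllowsForgery([]byte("constructed-shared-secret")), ServerSigned(sPub, sPriv), FriendForged(sPub, fPriv))
}
```

Running it prints `true true false`: the shared key lets any holder mint an acceptable MAC, while per-party keys let Warren's stub reject anything not signed by the server itself.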