Re: [DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-refer-00.txt

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 12 February 2021 19:38 UTC

References: <161314515808.27869.12735398190429691375@ietfa.amsl.com> <A4EE4B99-A7F7-452E-9E3E-10277D15837A@hopcount.ca> <CAHbrMsDiHm+cz+i8QetgVS=KNsoLVJb-XqH1rCrkF3XnTn_zfQ@mail.gmail.com>
In-Reply-To: <CAHbrMsDiHm+cz+i8QetgVS=KNsoLVJb-XqH1rCrkF3XnTn_zfQ@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 12 Feb 2021 11:37:54 -0800
Message-ID: <CAH1iCio4QzbATxC9B42z==CYq4AdmZ8T0XAXpxJxBzCNX=Vuzw@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Joe Abley <jabley@hopcount.ca>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wCjThJ3237lDCfqJ8ixKlHAwGNg>

I like this proposal, and look forward to experimenting with it.

I'm not sure how to defend against downgrade attacks without potentially
having to touch some other DNSSEC-specific standards. I admit to not having
looked at them again recently with this in mind, so the question I'm asking
might have an obvious answer.

In a signed (parent) zone with a zone cut that includes a REFER record, with
or without the delegation being signed (i.e. with or without a DS record),
what would/could protect against a downgrade?

I think this may need to be analogous to the handling of signed
delegations, if the client (resolver) is DNSSEC-aware, in doing validation.

I think NSEC(3) record(s) proving something would be necessary and
sufficient to prove the (non-)existence of NS and/or REFER records, and to
include the REFER and RRSIG(REFER) even if RO is not present (possibly
stripped). Synthesis of NS from REFER would probably be analogous to
synthesis of CNAME from DNAME.

I like this a lot, actually. The only question is really uptake by
registries/TLDs and the root.

Brian

On Fri, Feb 12, 2021 at 10:38 AM Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:

> This is a fun proposal, Joe.  (I think it should probably also go to
> DPRIVE, although it's mostly the same folks.)
>
> Regarding the Security Considerations, I would suggest that REFER-aware
> recursive resolvers (1) should also implement QNAME minimization, and (2)
> should send a REFER query in parallel with any shortened-QNAME query.  It
> seems to me that should be roughly sufficient to prevent the downgrade
> attack (if the parent is signed) without adding latency.
>
> On Fri, Feb 12, 2021 at 11:08 AM Joe Abley <jabley@hopcount.ca> wrote:
>
>> Hi all,
>>
>> I have discovered that without liberal access to bars and hallways at
>> in-person IETF meetings, I no longer know how to tell the difference
>> between ambition and insanity when it comes to technical proposals. I am
>> quite prepared to find out that in this case the needle is at the crazy end
>> of the scale.
>>
>> Happy Friday!
>>
>>
>> Joe
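Brian's point that signed NSEC(3) proofs of the (non-)existence of REFER at the cut are what stops a stripping downgrade can be written out as a resolver decision procedure. The following is an added example, not code from draft-jabley-dnsop-refer-00 or from anyone in this thread. It applies to REFER the same rule RFC 4035 applies to DS at a delegation point (present and signed, or proven absent by the signed NSEC type bitmap, otherwise bogus). The REFER RDATA, the zone names, the constructed DS digest and the HMAC standing in for RRSIG verification are all assumptions made for the simulation; it does not model the draft's wire format or the "RO" Brian mentions.

```python
"""Added example, not code from the draft or the thread: a DNSSEC-validating,
REFER-aware resolver distinguishing an honest REFER-less referral from one
where an on-path attacker stripped REFER, via the signed NSEC at the cut.
Assumptions (not the draft's design): REFER RDATA is an opaque placeholder;
RRSIG verification is stood in for by an HMAC over the canonical RRset (real
resolvers verify a public-key RRSIG against a DNSKEY chained from the DS);
NSEC3 carries the same type bitmap, so the same decision applies to it."""
import hashlib
import hmac
from dataclasses import dataclass, field

ZONE_KEY = b"constructed-parent-zsk"  # stand-in for the parent's signing key
CUT = "child.example."                # constructed delegation point

@dataclass(frozen=True)
class RRset:
    owner: str
    rtype: str
    rdata: tuple
    def canonical(self) -> bytes:  # in the spirit of RFC 4034 s6
        return "\n".join([self.owner.lower(), self.rtype, *sorted(self.rdata)]).encode()

def sign(rrset: RRset) -> str:
    """Toy RRSIG: HMAC over the canonical RRset (stand-in for RSA/ECDSA)."""
    return hmac.new(ZONE_KEY, rrset.canonical(), hashlib.sha256).hexdigest()

@dataclass
class Referral:
    """Authority-section RRsets the parent returned for a name below CUT."""
    rrsets: dict = field(default_factory=dict)  # rtype -> RRset
    rrsigs: dict = field(default_factory=dict)  # rtype -> RRSIG, signed types only

    def add(self, rrset: RRset, signed: bool) -> None:
        self.rrsets[rrset.rtype] = rrset
        if signed:
            self.rrsigs[rrset.rtype] = sign(rrset)

    def validates(self, rtype: str) -> bool:
        rr, sig = self.rrsets.get(rtype), self.rrsigs.get(rtype)
        return rr is not None and sig is not None and hmac.compare_digest(sign(rr), sig)

def nsec_types(nsec: RRset) -> set:
    return set(nsec.rdata[0].split()[1:])  # RDATA is "<next owner> <type mnemonics>"

SECURE_REFER = "secure: REFER validated, use it"
SECURE_CLASSIC = "secure: NSEC proves no REFER at the cut, classic NS referral"
BOGUS = "bogus: REFER neither validated nor proven absent (downgrade?)"

def evaluate_referral(ref: Referral, cut: str) -> str:
    """A type at the cut is either present and signed, or proven absent by the
    signed NSEC bitmap (as RFC 4035 treats DS); anything else is bogus."""
    refer = ref.rrsets.get("REFER")
    if refer is not None:
        return SECURE_REFER if refer.owner == cut and ref.validates("REFER") else BOGUS
    nsec = ref.rrsets.get("NSEC")
    if nsec is None or nsec.owner != cut or not ref.validates("NSEC"):
        return BOGUS  # no valid proof of absence: stripping is detected, not a downgrade
    types = nsec_types(nsec)
    if "REFER" in types or "NS" not in types:
        return BOGUS  # parent says REFER exists here, or this is not a delegation
    return SECURE_CLASSIC

def parent_referral(with_refer: bool, with_ds: bool = True) -> Referral:
    """Constructed referral as the honest parent would send it."""
    ref = Referral()
    ref.add(RRset(CUT, "NS", ("ns1.child.example.",)), signed=False)  # NS at a cut is unsigned (RFC 4035 s2.2)
    types = ["NS", "RRSIG", "NSEC"]
    if with_ds:
        ref.add(RRset(CUT, "DS", ("12345 13 2 0123abcd",)), signed=True)  # constructed digest
        types.append("DS")
    if with_refer:
        ref.add(RRset(CUT, "REFER", ("ns1.child.example. opaque-refer-rdata",)), signed=True)
        types.append("REFER")
    ref.add(RRset(CUT, "NSEC", ("d.example. " + " ".join(types),)), signed=True)
    return ref

def strip_refer(ref: Referral, also_nsec: bool = False) -> Referral:
    """On-path attacker drops REFER and RRSIG(REFER), optionally the NSEC too."""
    out = Referral(dict(ref.rrsets), dict(ref.rrsigs))
    for t in ("REFER",) + (("NSEC",) if also_nsec else ()):
        out.rrsets.pop(t, None)
        out.rrsigs.pop(t, None)
    return out

def forge_nsec_without_refer(ref: Referral) -> Referral:
    """Attacker rewrites the NSEC bitmap to omit REFER; cannot re-sign it."""
    out = strip_refer(ref)
    old = out.rrsets["NSEC"]
    kept = sorted(nsec_types(old) - {"REFER"})
    out.rrsets["NSEC"] = RRset(CUT, "NSEC", (old.rdata[0].split()[0] + " " + " ".join(kept),))
    return out

if __name__ == "__main__":
    for label, ref in [
        ("honest, REFER present", parent_referral(True)),
        ("honest, no REFER", parent_referral(False)),
        ("REFER stripped", strip_refer(parent_referral(True))),
        ("NSEC bitmap forged", forge_nsec_without_refer(parent_referral(True))),
        ("no DS, REFER stripped", strip_refer(parent_referral(True, with_ds=False))),
    ]:
        print(f"{label:24} -> {evaluate_referral(ref, CUT)}")
```

Both honest referrals validate and every stripped or forged variant comes out bogus, including the unsigned-delegation (no DS) case, because the parent's NSEC at the cut is signed by the parent whether or not the child has a DS. Ben's suggestion of an explicit REFER query sent in parallel with the minimized-QNAME query is complementary: it makes the resolver ask for the record directly, and the check above is what it does with the answer it receives.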