IETF Logo Mail Archive

Re: [DNSOP] New draft on delegation revalidation

Gavin McCullagh <gmccullagh@gmail.com> Fri, 24 April 2020 22:21 UTC

Return-Path: <gmccullagh@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29C983A0E15 for <dnsop@ietfa.amsl.com>; Fri, 24 Apr 2020 15:21:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dr9x-EKBRZRp for <dnsop@ietfa.amsl.com>; Fri, 24 Apr 2020 15:21:52 -0700 (PDT)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16D6C3A0E14 for <dnsop@ietf.org>; Fri, 24 Apr 2020 15:21:52 -0700 (PDT)
Received: by mail-il1-x12c.google.com with SMTP id w6so10817910ilg.1 for <dnsop@ietf.org>; Fri, 24 Apr 2020 15:21:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=b3LOm2s2xCF1azr7IkOHT+UD4KbcGZxr4cVWx9VmzMw=; b=otvKttyJhveQvloDqnzH0iscDuFWJqWC8NsKrMoeWyCOwHpIAfTclvbuuRKmyjUwxK +jjocOXaB3PXROxEHsSBzgVwsENknW1OfHvJkwpL5cG+qx8KUTKyzliApF1MJOMvfuGX bTocA+LWlybtT5fbJ0XMaxLqrx4PWmiDdTtdSZV3DmxsnwSb5Do2D+7ZKdN7wRHUr+Ui ldStobfCksOr0mivuZuWtgxB/woVZPr3Ua8DCliGH0o/Rq9AA3xYvXTc+GnkcUU78v2F Cz3U4Rf20/OEPjUUqZuILqE19YQle4mDyza2cCxTMYoSqrQCKsd332st1gqGyT0PWRbm ax0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=b3LOm2s2xCF1azr7IkOHT+UD4KbcGZxr4cVWx9VmzMw=; b=RiAiEop7UWOx3BvkHZNo2xKLxHYpHJdIWEuobJssyYkcmJcaa47JIu5EABA2ScYi3i f72eL6QSzj7qE2yG0Y8pWHw/vHhfV3WFA5F/vP1kmV6CmdcUbMo/buq+sxHJnyS7fn60 3pmib2sCwU6fIs6n6O3uE2LMSkWGlvb5vBGOPDpJQerNRfEAZlsKI4Q10PWo1oZRjCgm 99ob7dBIMr8SxBccAcv/NUcOvuDk4ARS6suO1Yb4MBw0L4WuC29pqbLzW7rJL1UMr3Jm y4hmBUCOdfW8S6mkIjA6jOFlWBLL1qIAQW8mo51/iNfS4xJTBDH9tN14n1iioMpLMBQt +fAg==
X-Gm-Message-State: AGi0PuYlLHGW3TUPCLuH/cTOERVT5sv1QWH7R0eFLZvPTQvBwt/Wsce1 dHi0y8P/wb9jcPoGeEr4yan1DSdsmEwDTo5J1jE=
X-Google-Smtp-Source: APiQypLs6VvgyARI2HjBbHQrIIxJ3TBpN79j80VzOHEQL9vUENFd1vNu/w9ubCLKX1xFclxu5C+j9eyZc/UP7R2DIpI=
X-Received: by 2002:a92:5dc4:: with SMTP id e65mr11014509ilg.161.1587766911272; Fri, 24 Apr 2020 15:21:51 -0700 (PDT)
MIME-Version: 1.0
References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <CADyWQ+Gugw5ScSGDhDWLvrMQB-nNS+cOAcETQ9ssf2wPMFYq3w@mail.gmail.com> <CA+nkc8DkHaVR91koywh4KMx+-Pmw2gRR1KnuwUcP_j0G+k3S7A@mail.gmail.com> <CAHPuVdWSAX8Ha=djd_6qGC8NvaKAPjnNxu5UX8XW7fwZ6t_U_A@mail.gmail.com> <CA+nkc8DDHsocDkReb1GA1=6d_yau_jXLgwxZRhMFAfdJHaXMiw@mail.gmail.com> <CAHQ5LGpys=rDCDyvoBRW1_p4=V9XRCq+v5+cmqKaWHHbsCTNOA@mail.gmail.com> <CAHPuVdUEWQ+-OU8VTPwbZ8WDN8iTRk7dC0EASJNJVFr4FovaXA@mail.gmail.com>
In-Reply-To: <CAHPuVdUEWQ+-OU8VTPwbZ8WDN8iTRk7dC0EASJNJVFr4FovaXA@mail.gmail.com>
From: Gavin McCullagh <gmccullagh@gmail.com>
Date: Fri, 24 Apr 2020 15:21:39 -0700
Message-ID: <CAHQ5LGq91XKZ0Gxz2LLrXzGKEDAvg-U5A89s9b7pgGyO-25f5g@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: Bob Harold <rharolde@umich.edu>, Tim Wicinski <tjw.ietf@gmail.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bb8acf05a410cad6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xplYf6_07kCF_niWYwpV6iyZ6iA>
Subject: Re: [DNSOP] New draft on delegation revalidation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 22:21:54 -0000

Hi Shumon,

On Wed, Apr 22, 2020 at 12:32 PM Shumon Huque <shuque@gmail.com> wrote:

But appreciating the subtleties of the DNS delegation mechanism involves a
> lot of arcane details that are not easy to understand for anyone. If the
> namespace is a tree, and zones are contiguous subtrees, how do you a
> visualize a zone cut in this data structure? It doesn't cleanly intersect
> any node or edge between nodes, but rather partitions the data sets located
> at a node in a weird, inconsistent fashion. Most apex RRsets live
> authoritatively at the node, but one has a copy in the parent zone, and one
> is authoritative in the parent. It's all very complicated.
>

I agree these things are complicated (and if I'm honest I may be missing
subtleties you aren't), but I don't think ordinary DNS users should need to
understand that level of detail to be able to work with delegations.  We
seem to have a choice here between the user needing to understand "the
parent must point at the child" versus understanding that "the parent must
point at the child which (usually) must point at itself".   Everyone I talk
to outside the DNS community seems to leap to the former conclusion.   I
doubt that will change.


> [a] seems like a definition which could be changed if it was so decided.
>> DS records are totally parent centric for example.  It seems like NS could
>> be too if we declared the in-zone NS to be "informational only".  [...]
>>
>
> Changing (a) properly requires re-designing the DNS delegation mechanism,
> and sounds like a much more ambitious undertaking to me. I am actually
> interested in looking at that myself, because there are certainly
> deficiencies that could be addressed. Since delegation records and glue
> address records are unsigned, they can be spoofed, and DNSSEC should really
> allow us to detect such spoofing once a resolver sees referral data. And
> not (as it now is), after being sent on a wild goose chase to a set of
> rogue servers, and subsequently determining that those servers cannot
> present a DNSKEY RRset that matches the parent DS. Fixing this, requires
> creating a new delegation record type that can be signed in the parent. And
> the TTL issue and delegation revalidation would then have to be assessed by
> looking at both the child NS set and this new delegation record (although
> for secure delegations, the DS set could likely be used in place of the
> latter). And then figuring out the large work of how to deploy it Internet
> wide.
>

I may be missing some subtlety here, but parent-centric resolvers seem to
use the NS records and DS records from the parent zone today just fine.
The DS is signed by the parent and provided in the same response as the
referring NS record.  If the response was spoofed the DS rrsig wouldn't
validate.   If the referring NS record needs to be signed, surely that
should be designed into DNSSEC.  Are you saying you believe that
parent-centric resolvers are insecure?


> You are right that the TTL control issue primarily comes up at the TLD/SLD
> level, but it is certainly not a corner case or that only affects a small
> minority, in my estimation.
>

I didn't mean to suggest the TLD/SLD is a corner case, it obviously
isn't.   I was trying to point out that the non-registrar case is also not
a corner case.   Both are common.  I suppose I am arguing that the case
where: [we have a TLD/SLD managed by an expert DNS operator who understands
how to (and is motivated to) manipulate child-centric resolvers to improve
redelegation safety] is really a corner case.  Perhaps not among the people
on this list, but over all delegations in the world, I'd say it is a very
tiny fraction.  And I'd prefer to optimize to simplify the rest.

There are two categories of unfortunate "surprises" we commonly see due to
>> child centric resolvers.  [...]
>>
>
> I would hope that making resolver behavior consistent would address most
> of this. If all resolvers locked on to the authoritative NS set, then most
> of the surprises would disappear (hopefully).
>

Things will break more reliably, for sure.   And I agree that consistency
is better.   But it likely won't make it any easier for non-DNS geeks to
understand why.

PS How truly intractible is the registry argument?  It seems something like
>> "When an NS change is made, TTL=3600 for the first N hours, then 2 days
>> thereafter." would be a major step forward without drastically increasing
>> complexity.
>>
>
> Based on history to date, it seems to be rather intractable, but I would
> love to be proven wrong. The interfaces that registrars use to update
> delegation records in the registries don't even offer any TTL configuration
> option that I've seen (even if the registries were willing to support it).
> Does the EPP DNS mapping even support setting TTL?
>

That's one way to approach it.   What I was thinking was, if the registries
want to dictate the TTL, that seems understandable.  But in so doing, they
could have a process where they dictate a lowered TTL (of their choice) for
a period after each change, then raise it back up to normal in order to
reduce the impact of mistakes/problems.   A "bake period" essentially.  The
timers would be argued about of course, like all magic numbers, but
something conservative like an hour would seem like a major improvement on
today.  Hypothetically, would you consider that would improve your use
case?

Gavin

v2.23.0 | Report a Bug | By Email