[DNSOP] Re: [Ext] [DNSOP]Requesting final comments on draft-ietf-dnsop-rfc8109bis

Willem Toorop <willem@nlnetlabs.nl> Fri, 07 June 2024 09:14 UTC

Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECD9FC14F700; Fri, 7 Jun 2024 02:14:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E2sm-bpXh_xI; Fri, 7 Jun 2024 02:14:40 -0700 (PDT)
Received: from mout-b-105.mailbox.org (mout-b-105.mailbox.org [195.10.208.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA919C14F602; Fri, 7 Jun 2024 02:14:38 -0700 (PDT)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [10.196.197.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-105.mailbox.org (Postfix) with ESMTPS id 4VwbB122sRz9vfw; Fri, 7 Jun 2024 11:14:33 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nlnetlabs.nl; s=MBO0001; t=1717751673; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=89zKYoSRylKgCtjzqz5Y6Qwv2FJP3CSA+tzzl6Zpwqo=; b=lXTsjvfeTTUcQsHmwefv+8ecrMkND2uSZzqreVu1bTs1kYmQVR3PeAp48DZ19dMIp0rezg MrkB7UUWvggsJVf3bFKxs/kKZazdZWEmZpknm8cVklTxuNH9HzUo2wtNsMuWLijB3K5D2k c3lJvz/Agx6JZNiUecXlHq/LrX0htoJp0/36xjTIOgXp5qUfv3Wr0cxCFTNCGXAenGmmwK eZqAWPdRIRg3AFRA2jFMXCh/WUF5xeMshep9QELuOoAcygLfaFmRMEavJOYtx1BSFJ5Q2+ k8nAdHfYvT8awZrxNDhaJ79OluFmJ6gOKTnSRkbchFfJ5bJFXWhQYruduuKccA==
Message-ID: <2a5dae5f-271a-4428-9e8f-6930ef0d5c02@nlnetlabs.nl>
Date: Fri, 07 Jun 2024 11:14:31 +0200
MIME-Version: 1.0
To: jabley@strandkip.nl, Tim Wicinski <tjw.ietf@gmail.com>
References: <CADyWQ+HLxyAkhdYsOEQz09ByF5EtuvDMh2oAWb_tt_c7YN+59A@mail.gmail.com> <3B172CF5-F76C-4B21-984D-F19CF5B40F48@icann.org> <CADyWQ+HzeoSZqZh9WCCY6ZfLnmRziFOeUyX7ZdSQmqBw_w1WFA@mail.gmail.com> <6B191946-D3AB-46D4-B2CF-599ECC642B26@strandkip.nl>
Content-Language: en-US
From: Willem Toorop <willem@nlnetlabs.nl>
Autocrypt: addr=willem@nlnetlabs.nl; keydata= xsFNBE1s81EBEACuJzGgccrmYEAzHc//vBq66gH7orM0GtKfQZHh4uR1FMxZXl07WevUYNuB ywTpinU9rpY1Q3S4w6QgNklgpsaHXmbOpyFjJ8FpllV8TRPiXiNrNxTpMnlb6InoszopX69t kBVHTP6cJkNgPx6R4BM0ARqEGQmOL8mAcoWyGVzbsamuGRaia54zs/kc3i9yiqEzRkoQmfwr 7sr49n7gOpmaqXvonOSiUvgEziep77emMcqVa/qZxR1r7KUq85qTNTqsQwl2cQdKS7WwOeuG 6ZIJmJ1bakriKzLBYF5xIHKSYJW0ZA20tNFrVKgTkEjiXvAJh4HlJEIi35tqa/IzWUJSc1ai nhBjxbwSl8BRq5aaPgwB+xXiDqY6BrQW1slvl5TF2A6Xr7JJ0rkH3EZgXxABAZ3WJ3RLwq1z 8jnNYj+UW/mSLsbOtgfOiBhFUXMZneHvVVvz6F6XAtyrejDl5sD2gnzm1VDfK6T6bvLtR7zr kWre0lpycDmgmUKgaEiXzfLvwT9RaWk8GdqU2GG+QOiwf+hT0peDieuodjMr59sUbx7GqVe/ 45rJBRSx+HCl2Jm7Th2Xr0kpStCd7ebVoEq9wpMyu+dM9wOTtibA9P3+9u4rAdimpAdQxEbh WbRNCng2EVhThbqRK3cTZLbtqKaWgAJqa/IQVpL9b5ps8Z4JVQARAQABzSNXaWxsZW0gVG9v cm9wIDx3aWxsZW1AbmxuZXRsYWJzLm5sPsLBjwQTAQIAOQIbIwYLCQgHAwIGFQgCCQoLBBYC AwECHgECF4AWIQTcNO5dskF7zBUeUQDl+PghL3ekmAUCXgm/sAAKCRDl+PghL3ekmLEOD/0W 50GFW5OfS/aZ3k7BfoBgSYEpgs3wUPxFCvkw4LsREcSLSdE9jFfIWh7sGiS1yP/kQGZr/yUn R58nAjGr9exyB90VsgEQqUlbks5nCqQZZrMcZRgHCB0IitYZqewBfl/GON/mqApTEQXgTJS7 0wi66828X7AyCA6kPgUfDl5V/zOE0GKm8ejNtKIIEnscNHUwpNpwTF/EegU6Fo6Ih4/bMvpg RytCgIi1tdmWETeyKjL7ASIGZL0kZkTfhQZV+V5NgToDnMFxPyndvv57Fip2mUSPkAAWRhgq ApL797C/KMpc1mCK43g6gD21KP01e5yz1BnSc09NJ7huLHYDFQKRBCfbUZuJe0KSibpRgmNE YaWT1sxByxqPbTmWDgvRXy4TGhkPm21wLqRACVmymd/KiFHdaB5NzWzrC5C0eWSCs2oziDuy Szf8/71sI8pNwjqBIp/8zA8ZI9AZrCkgzeuEeyKBcjW8O83iJkx2S9CC0KBrryvTi2QwitHX +WxJnGlOFNLQG4fp9/6EDuPUEKgmbqaiooCgDyU4aHYPFpUrHTc8aajahJ29wcXkWkIrm6rB mWzT/+05jyrrMl0HoSmZIqhwgtGHrWw+bnCxBZV2JOynDE0n+z4zh8N4rQ1vvCXu36CcR/62 YFTliLVKowkFtqO+om6DO8MBws/FoYnw/M7BTQRNbPNRARAApOziFbP3grro+2weP9wG0eYk InH0Gwc/x6hSN3iIFHtxaBNOC3U8YI0HMI8Yi5SJrzTx2rG7Uvw5aNCnBcMKNeoCJufSYIkx E41WzPEkqSNidkYoY6jxyDs6ZAFnIR3qqt/FV/93Acux1BMlnPP1sY7G5hUAC7Src8dbmAYV z6mnd43jurMYzESOygROP9yVrGOqKyiEbXf+GQ/o+8OgPs4504Z1BA/xvgZEEPqtn8Wowu/g LzTMOfMIfWsuk0ZCmV/VqfLTpZMCwMvh/qAQAsfrZMjE5fhTtbF668fHIpc4C4357H8y8XZr PXbhhtxYLu3V2pVbfKzbTMpp6Z6bJdIrFXpoyfgoFwkXcJ0zWgAFkPK+Iv16XtD/JDKWlkLo SXhCjBo8g4C7M50hzpy4zo9Na8ECtwpWBCFZ8myF94WZ+TGnP+FZz0rjTIKOZv6E9kivdFtd KxAi1RSQGo5Iwc2ugiBf4hpYyrd7vIwd0yqUqvSVTnaV8Ft8QKOV4H807grdIYkE/NOAu3N7 4uxbFIlChAxYq/ohLBCtbeuyZSOqBA2tIZE5fetHLw2+7Otq+zhrcWZ1SkchbDYp9jYzoCxf 0cEW5GyKaCoWNCblVupcDs20ckKcDVG+peWD+InnD4MSUeizHCMdL5Rt6MMaZVD4hOqWHf33 Wiw+NmrUjLUAEQEAAcLBdgQYAQIAIAIbDBYhBNw07l2yQXvMFR5RAOX4+CEvd6SYBQJeCb+w AAoJEOX4+CEvd6SYnQwQAKUN8F1N3G5rRgdyorRjX9+NEvZSn6sFAZZsngkO1fWny3z9PoGS 9n3OrKdqO2U9NdwvdWELyuFIv+3spd6Mn6DSYLSfqjg9i+YGC3AiQNoRR+VX1FWQ/TatFLpq +o1Lby04sWABhKic6pCxeCPXY2CzE7DSfUtMwBsPheK4JhpQNt6U4+7x24QIHbxcivpTq59V 7fZB8JpUgoN1k7DEAes9MEd1iOKM6ZucKgx1Q3elaS8DjRW7nJl+U9eaufa3BVt3+J3eL3Lr Q6ep4IDNEkQJoOwJytBzVQJcGkE0pdkSjO4jEocsNcQRVTahOazuYVUyYezqHDxUltAJqBux jnyyR2zZayDCoX82+UI0jtubwz1rFMqCdzID8n3PPn0AlmcHAsSNnCv4mIhI+tofc6bndNcu tJZMjoYA1MmEhgx1TStQptAQP/ZRNwV2TZFR20gwQWV1p/5R/GTlP3olNdC9Ojy0AmFMBLZb x7PI75HVJ2wtF8aq7vo2iltEM1k1zhl0Su5Ov/TEBq6JhqD5UzpqJPV6tTz76EEXfx58AxFh fVkytieLXCPI0kQTWfenexd9DUANCoa/TfYIEOi7YHJGYx/DpjfSPfThDxTGfWt0WaMILpOq +YTFA468fQW5xgeVvJlBNry4dT1XXgVbe/H+CN7q7C0Y1Ng11VOfO65X
In-Reply-To: <6B191946-D3AB-46D4-B2CF-599ECC642B26@strandkip.nl>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------usEcN5mqlSWqtsJbIx6OIrPY"
Message-ID-Hash: RSQVCLQKQVUMJKSS42WXAESNCPL7ZARB
X-Message-ID-Hash: RSQVCLQKQVUMJKSS42WXAESNCPL7ZARB
X-MailFrom: willem@nlnetlabs.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Hoffman <paul.hoffman@icann.org>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] [DNSOP]Requesting final comments on draft-ietf-dnsop-rfc8109bis
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/y-rufUmRH1DGfAfY58GWC6dS9xc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Joe,

Comments inline.

Op 07-06-2024 om 10:33 schreef jabley@strandkip.nl:
> Hi Tim, all,
>
> On Jun 7, 2024, at 01:11, Tim Wicinski<tjw.ietf@gmail.com>  wrote:
>
>> On Wed, Jun 5, 2024 at 12:28 PM Paul Hoffman<paul.hoffman@icann.org>  wrote:
>>
>>> Tim jumped the gun by about an hour: we just submitted the -05. It incorporates the suggested text from below; you can see the diff at:
>>>     https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-05
>> I am guilty as charged.  But our comment on we would like people to review the changes.
> 3.3 DNSSEC with Priming Queries
>
> I know perfectly well what "the root NS RRset" is, but it seems like it could be made a little more clear with only a small change as "the apex NS RRset in the root zone", "root zone" being a well-defined term of art whereas "root" as adjective being a bit vague.
>
> More substantially, this section describes a series of vulnerabilities that would be mitigated by signing the ROOT-SERVERS.NET<http://root-servers.net/>  zone.
Unfortunately not. I would say that have the potential to be mitigated 
by a signed root-servers.net one, but at the time of writing, a signed  
root-servers.net zone would have impact. (see: 
https://www.icann.org/en/system/files/files/reduced-risk-redirected-query-traffic-signed-root-name-server-data-22may24-en.pdf 
)
> However, it does not mention that a validating resolver that received a rogue response from an imposter root server has the eventual opportunity to discard signed RRSets whose signatures do not validate; by not mentioning this there is perhaps some danger that a casual reader would infer a greater overall vulnerability resulting from an unsigned ROOT-SERVERS.NET<http://root-servers.net/>  zone than in fact exists.
Agree, we could mention the opportunity. But it requires changes in 
resolver software behavior (see again the above quoted report).
> Including signed RRSets from the ROOT-SERVERS.NET<http://root-servers.net/>  zone in the priming response would result in larger responses,
Signed root server addresses included with the priming response cannot 
help. A resolver cannot determine whether those are authoritatively 
present in the root zone or not (and if they are not they can be 
included without signatures, so an adversary can always replace signed 
root server addresses with spoofed addresses without signatures; see 
section "DNSSEC signed root server addresses in the priming response" in 
the above quoted report: 
https://www.icann.org/en/system/files/files/reduced-risk-redirected-query-traffic-signed-root-name-server-data-22may24-en.pdf#h.tb7mwc7hrt18 
)
> to which in the past there has been some sensitivity. Since a priming query with DO=1 definitely has EDNS(0) as an option this is not a show stopper, but if the previous sensitivites around all of this are no longer a concern I think it would make sense to say so explicitly when speculating about future signatures in that zone.  The chain of trust from a root zone trust anchor through a signed delegation to NET and thence to ROOT-SERVERS.NET<http://root-servers.net/>  would also deserve some scrutiny from the perspective of a priming response which is presumably often landing on an empty cache; the ability to validate those signatures requires queries to be sent to as-yet untrusted root servers. It seems odd not to mention this as something that would need work, given the depth of the other text that is included.
Agree, this needs work. I am working on text within the delegation 
revalidation draft that explicitly addresses this. Perhaps it should be 
referenced from here (but I steel need to update the text and submit the 
new version).
> The final paragraph makes a reference to a naming scheme, presumably referring to the names chosen for root servers (but that could be more clear). The RSSAC wrote quite a large document about this stuff and I certainly don't have all of their conclusions swapped in, but thanks to the late Bill Manning's flash of insight the current scheme features a high degree of name compression already and reducing the single label "ROOT-SERVERS.NET<http://root-servers.net/>" to something smaller is not going to substantially reduce the size of the priming response.

I assume you are referring to RSSAC028. Note that we also did an 
extensive evaluation of those naming schemes and have written that all 
down in another report: 
https://www.icann.org/en/system/files/files/rssac028-implementation-study-report-27sep23-en.pdf

> It feels like part of the solution space here is to consider root-server names that live in the root zone and not in a child zone, which is a different consderation from the naming scheme. Mainly this paragraph reads like a throwaway comment that doesn't include enough depth to be useful. It should at least say something along the lines of "this is complicated".

Unfortunately, as I mentioned above, signed root server addresses 
included with the priming response cannot help. However, revalidating 
the root server addresses would help, so I do think alternative text for 
the last paragraph is needed. How about this:

     "DNSSEC validation of the priming query is valuable when 
root-servers.net zone will be DNSSEC signed *and* resolvers revalidate 
the root server addresses, by following up with direct A and AAAA 
queries for the names of the root NS RRset"

-- Willem

> I realise that at the time of writing it is not before June 14.
>
> Happy to contribute text if other people think that in this particular case I am not completely insane.
>
>
> Joe
> _______________________________________________
> DNSOP mailing list --dnsop@ietf.org
> To unsubscribe send an email todnsop-leave@ietf.org