Re: [DNSOP] DNSSEC Strict Mode
Petr Špaček <pspacek@isc.org> Tue, 23 February 2021 15:59 UTC
Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 461533A2C9D for <dnsop@ietfa.amsl.com>; Tue, 23 Feb 2021 07:59:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=istTFGU4; dkim=pass (1024-bit key) header.d=isc.org header.b=NP+BZyMS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3M_ykZy2JYEz for <dnsop@ietfa.amsl.com>; Tue, 23 Feb 2021 07:59:55 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B67C3A0BF1 for <dnsop@ietf.org>; Tue, 23 Feb 2021 07:58:52 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 0A5FC3AB01D for <dnsop@ietf.org>; Tue, 23 Feb 2021 15:58:52 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1614095932; bh=LaSqjn7Cdm6ePEoejpuTPV6OpSJINJI1Jqq3pkTaBtI=; h=To:References:From:Subject:Date:In-Reply-To; b=istTFGU4fi0IFyO1iG16DE74EHM8XRUm+kZOsPaJ2/8nsJakQGdENv1rkkSAqI74R 3O6PvLHqokFVD2y2zcsImEfiPdf0Rg2CcA4kWIbnjO8umvnJ82G1qHBwRdPxEoHC2Y vfZr2uSP9aJsy7wr7VS2umzERWMqnT0BGOqR3Fy0=
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id DFA7916006E for <dnsop@ietf.org>; Tue, 23 Feb 2021 15:58:51 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id BF1A1160070 for <dnsop@ietf.org>; Tue, 23 Feb 2021 15:58:51 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.2 zmx1.isc.org BF1A1160070
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1614095931; bh=bkKJ3kqkvCe/dzI68pnQI35qZ84m6wVXwPQ/BYqiLTk=; h=To:From:Subject:Message-ID:Date:MIME-Version:Content-Type: Content-Transfer-Encoding; b=NP+BZyMS+vBJd4WsIywXlCyReVZ/fIq4iClfO8bKSBJ18hCZiVXfRYOWLQPcftX3R +GoyJVmsRrlcI7jZSlH2kUrzO3McCZNh63yFDGNMjIhfm/BD3/6F8QI1mcHGCxF534 rJGoz77l26zVNg/AYqi8N7BeMS91Ysv2sVdRA3A0=
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id PF3kYciKUJ8y for <dnsop@ietf.org>; Tue, 23 Feb 2021 15:58:51 +0000 (UTC)
Received: from [192.168.0.115] (ip-86-49-249-122.net.upcbroadband.cz [86.49.249.122]) by zmx1.isc.org (Postfix) with ESMTPSA id 24D4D16006E for <dnsop@ietf.org>; Tue, 23 Feb 2021 15:58:50 +0000 (UTC)
To: dnsop@ietf.org
References: <CAHbrMsBeCiZ-31hjKvet2UPDPFhdVYpgqR6Kw-WWz1ERgeSFoQ@mail.gmail.com>
From: Petr Špaček <pspacek@isc.org>
Message-ID: <215ab814-d7bc-0d8b-356a-7d5e65191991@isc.org>
Date: Tue, 23 Feb 2021 16:58:47 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
MIME-Version: 1.0
In-Reply-To: <CAHbrMsBeCiZ-31hjKvet2UPDPFhdVYpgqR6Kw-WWz1ERgeSFoQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zHHh3bcgJPL_eSN2gZ2U72ZZX3k>
Subject: Re: [DNSOP] DNSSEC Strict Mode
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2021 15:59:57 -0000
On 23. 02. 21 16:08, Ben Schwartz wrote: > Inspired by some recent discussions here (and at DNS-OARC), and hastened > by the draft cut-off, I present for your consideration "DNSSEC Strict > Mode": > https://datatracker.ietf.org/doc/html/draft-schwartz-dnsop-dnssec-strict-mode-00 > <https://datatracker.ietf.org/doc/html/draft-schwartz-dnsop-dnssec-strict-mode-00> > > Abstract: > Currently, the DNSSEC security of a zone is limited by the strength of > its weakest signature algorithm. DNSSEC Strict Mode makes zones as > secure as their strongest algorithm instead. > > The draft has a long discussion about why and how, but the core > normative text is just three sentences: > > The DNSSEC Strict Mode flag appears in bit $N of the DNSKEY flags > field. If this flag is set, all records in the zone MUST be > signed correctly under this key's specified Algorithm. A validator > that receives a Strict Mode DNSKEY with a supported Algorithm > SHOULD reject as Bogus any RRSet that lacks a valid RRSIG with > this Algorithm. Hi Ben, I would appreciate more information about threat model you work with. This > Abstract > > Currently, the DNSSEC security of a zone is limited by the strength > of its weakest signature algorithm. DNSSEC Strict Mode makes zones > as secure as their strongest algorithm instead. is IMHO gravely imprecise: DNSSEC security is as strong as weakest link in (any permissible) chain of trust. In other words, if my parent TLD has 1024 bit RSA and my "secure" zone has 1024 bit RSA + a fancy ECC alg with the new bit set, it still means nothing security-wise. Attacker can get better return on investment by attacking the parent zone. I think it needs discussion if it is worth approaching this problem with single-zone granularity. -- Petr Špaček
- [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] DNSSEC Strict Mode libor.peltan
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] DNSSEC Strict Mode libor.peltan
- Re: [DNSOP] DNSSEC Strict Mode Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Hoffman
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] DNSSEC Strict Mode Petr Špaček
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Samuel Weiler
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Brian Dickson
- Re: [DNSOP] DNSSEC Strict Mode Ralf Weber
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ulrich Wisser
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode libor.peltan
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Mark Andrews
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Brian Dickson
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Wes Hardaker
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Mark Andrews
- Re: [DNSOP] [Ext] DNSSEC Strict Mode libor.peltan
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ulrich Wisser
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Joe Abley
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Hoffman
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Samuel Weiler
- Re: [DNSOP] DNSSEC Strict Mode Viktor Dukhovni
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Mark Andrews
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Hoffman
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Bob Harold
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Viktor Dukhovni
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Viktor Dukhovni
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ulrich Wisser
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Joe Abley
- [DNSOP] Fwd: [Ext] DNSSEC Strict Mode Ulrich Wisser
- [DNSOP] signalling mandatory DNSSEC in the parent… Jim Reid
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ben Schwartz
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Paul Wouters
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Brian Dickson
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Viktor Dukhovni
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Havard Eidnes
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Mark Andrews
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Mark Andrews
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Mark Andrews
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ben Schwartz
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Brian Dickson
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Brian Dickson
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Mark Andrews
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser