Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Version Notification for draft-thomassen-dnsop-dnssec-bootstrapping-02.txt
Paul Wouters <paul.wouters@aiven.io> Tue, 09 November 2021 02:29 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: dnssec-bootstrapping@ietfa.amsl.com
Delivered-To: dnssec-bootstrapping@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31AA23A0D8E for <dnssec-bootstrapping@ietfa.amsl.com>; Mon, 8 Nov 2021 18:29:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vd_YBuxMol-k for <dnssec-bootstrapping@ietfa.amsl.com>; Mon, 8 Nov 2021 18:29:11 -0800 (PST)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 617493A0D91 for <dnssec-bootstrapping@ietf.org>; Mon, 8 Nov 2021 18:29:11 -0800 (PST)
Received: by mail-ed1-x52b.google.com with SMTP id f8so70645942edy.4 for <dnssec-bootstrapping@ietf.org>; Mon, 08 Nov 2021 18:29:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=date:from:to:cc:subject:in-reply-to:message-id:references :mime-version; bh=h8lsG29WYO8sxiD2DiJcMpvapnNXsQPHikbH+GNX8nw=; b=skmx8Z9/5fr/NRMxEAMbWSIRVdczs7lx3O92xdJGONacFPMwXfAHKXSsXw18xv5eDQ biyHwfE4GWkuJFEnl7esd2pcqMFDesSCj1JofOVA23tLSHDYh7SPxiX4WVNPv4+FKjTn f8fbfm1Optd8xwKkdMs5mcSDibpk4S60QJ+RE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:mime-version; bh=h8lsG29WYO8sxiD2DiJcMpvapnNXsQPHikbH+GNX8nw=; b=5qQwE7EEtuQAriBmFNv3hILzr7G0MfPbcTypR8Fvf3S+kB+h/KfUlCFNbZbLTbIrcW vg0FwVSYBw0UeakEUncax3hLGWeV9DhtPSd6EKhEg54N+/o81Nx8b50bjjRVr7a2R0w5 78zK/AiCSFMG1NHu2LZjDi40fDfNridwgU5lDzwlDLR0dd2PNRHZo1zGT7qtS3P0uCEZ PaR8YdAWbGfgR8rp6mdt8UZkCQ14thySmZGK8PTYulufoDRSy6IrOptHlDF1DI8gPw7C PJfCLsCo+gn/ijJCYtptpUZ1ZuPxne6zVMjokBTQINyVpUI3HGen5u3Pj4otDXBgLCBB rAHg==
X-Gm-Message-State: AOAM530aesuXc8Gy/9K3+Zo1nnnvNTjLxlnzdb8N+FCwwtFdQKwn9Cdu hNq5H3XSM7GVZ/zXxSY9TICGcdVu/6uVaIFWumw=
X-Google-Smtp-Source: ABdhPJznTQiWaFdBZUSgEXTdiu3y63lG6mKAPrg0qvm0Ps+QPuzvAR/gihpmF4ckNEozzyaGDeRz5Q==
X-Received: by 2002:a17:906:8051:: with SMTP id x17mr5017738ejw.473.1636424946642; Mon, 08 Nov 2021 18:29:06 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca. [193.110.157.194]) by smtp.gmail.com with ESMTPSA id qb21sm9395053ejc.78.2021.11.08.18.29.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 08 Nov 2021 18:29:06 -0800 (PST)
Date: Mon, 08 Nov 2021 21:29:02 -0500
From: Paul Wouters <paul.wouters@aiven.io>
To: Peter Thomassen <peter@desec.io>
cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, dnssec-bootstrapping@ietf.org
In-Reply-To: <66e2a81b-b971-cdea-0f40-cfed68be574f@desec.io>
Message-ID: <705c1434-532-6840-8ae4-545bde91822@nohats.ca>
References: <163520620129.17275.16274772439094875607@ietfa.amsl.com> <91154628-0ca3-15d8-c6bd-b71232b2e64b@desec.io> <8d3b2ae-70e3-74b4-40a0-70e848acc4aa@nohats.ca> <66e2a81b-b971-cdea-0f40-cfed68be574f@desec.io>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1858192029-956301763-1636424946=:261251"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssec-bootstrapping/yEPFc0nskZgav9SyJvuEco_wfNQ>
X-Mailman-Approved-At: Mon, 08 Nov 2021 18:33:26 -0800
Subject: Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Version Notification for draft-thomassen-dnsop-dnssec-bootstrapping-02.txt
X-BeenThere: dnssec-bootstrapping@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Authenticated Bootstrapping of DNSSEC Delegations <dnssec-bootstrapping.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssec-bootstrapping>, <mailto:dnssec-bootstrapping-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssec-bootstrapping/>
List-Post: <mailto:dnssec-bootstrapping@ietf.org>
List-Help: <mailto:dnssec-bootstrapping-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssec-bootstrapping>, <mailto:dnssec-bootstrapping-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 02:29:16 -0000
On Tue, 9 Nov 2021, Peter Thomassen wrote: >>> This draft introduces automatic bootstrapping of DNSSEC delegations. It >>> uses an in-band method for DNS operators to publish information about the >>> zones they host, per-zone and with authentication. With this protocol, DS >>> provisioning can happen securely and without delay. >> >> I've read the draft, and it is an interesting idea. Some thoughts I had: >> >> - Is it really needed to do hashing? Do we really expect domain names to >> hit the 63 or 255 limit ? > > Regarding hitting length limits: > > - IPv6 reverse DNS hostnames (under ip6.arpa.) already have length 73. But would they hit 255 ? > I wouldn't dare make a prediction about what kind of names could be > introduced in the next decade (think of underscore labels for TLS > identities, perhaps with other parameters encoded in front etc.). Per definition, you can create domain names that are too long to support _underscore labels on top of them. And yet there we did not use hashing either? > I'd rather be conservative on exhausting the available length limits. There is something to be said for keeping thing simple too, and more human debuggable. Hashes don't make that easy. > Other technical considerations: > > - Not hashing creates semantic collisions. Practical example from our > deployment at deSEC: The list of delegations under dedyn.io is long > and changes frequently, so we'd probably like to put bootstrapping > records for children of dedyn.io into a separate zone. > Without hashing, that zone would be dedyn.io._boot.<NS>.If we do > that, then we can't use bootstrapping for dedyn.io itself, because > dedyn.io._boot.<NS> would be an apex name. This collides with the > requirement that bootstrapping records MUST NOT occur at the apex > (where they would signify *that* zone's own DS info). You can't bootstrap in-baliwick anyway, can you? Also if your nameserver name is not in a zone protected by DNSSEC, you cannot use it in this scheme to deploy either I thought? > - This problem generally occurs with public suffixes. For example, > when bootstrapping a TLD, you wouldn't be able to create a separate > bootstrapping zone for its children. Of course, that's an unlikely > case, but I think the protocol should be agnostic about that. You could simply use a different _label for the two cases. I did not like _boot anyway as it is too generic, so perhaps you could use _dnssec_bootstrap and _dnssec_hosted_bootstrap or something similar. > > - Clear datastructures simplify implementation (in my experience). > Hashing leads to a very predictable data structure with always two > labels in front of the underscore label. Also, that label would be > an ENT; all records live at the leaves of the tree. This assumption > cannot be made when the names are simply concatenated (see above). ENT's aren't that great :P For example, with query minimalization on AWS Route53, these have been broken for years. I'd stay away from ENTs. > - When bootstrapping a child with a private parent (e.g. in a corporate > namespace), hashing the child's immediate ancestor gives a privacy > benefit even when NSEC walking is allowed (for discovering pending > bootstrappable names). (Of course, the benefit is limited, and > counterarguments similar to the ones against NSEC3 can be made.) Yeah. > Are there any conceptual downsides of the hashed label that would > outweigh these points? Yes. Speaking of NSEC3, that is super hard for people to grasp. To us experts it is obvious, but all the hashes makes a new person who looks at it pretty confused. I think it would be good in general to try and make it so that operators can debug DNS issues with the dig command, without needing advanced tools. >> - _boot seems too generic a name for this. _dsbootstrap would be better >> and cause less clashing > > Agreed, tracking here: > https://github.com/desec-io/draft-thomassen-dnsop-dnssec-bootstrapping/issues/5 Thanks! >> - I would like to see some text on removing the records too once the >> child gained its DS record. > > There is text on that in the last paragraph on Section 4.1. Should it > be expanded or moved to a more promiment place? I missed that. Perhaps it would be good to give it is own section. We all know now how bad TXT records at the APEX are now, and anything to repeat such a thing again would be good. >> - Should it be explicitly noted that in-bailiwick domains are not >> supported? > > I think that would be good. Tracking here: > https://github.com/desec-io/draft-thomassen-dnsop-dnssec-bootstrapping/issues/6 Thanks. >> - It puts a constraint of the nameserver being in a zone that is DNSSEC >> enabled. This is currently not required (though very often the case >> anyway) > > Yes, prevalence of that is surprisingly high (currently about 25% of > domains in the Tranco 1M toplist). This protocol would be a reason to > increase that number, as are other protocols (such as parameters for > TLS between resolver and auth, as proposed elsewhere). You make me feel old and cynical :) Anyway, it was just a note. I think those DNS hosters that want to secure their customer zones better with DNSSEC will also be running their own domain on their own infrastructure with DNSSEC. So I don't think this is an issue. >> In general, the problem is that we need to make it easier for the DNS >> hoster to enable DNSSEC when their customers are non-technical. I think >> this draft does properly extend RFC 8078 and even think this document >> could deprecate the "Accept after wait" method. However, I do think it >> should still impose a minimum length of publication before accepting, >> so that mistakes similar to the recent slack.com outage can be >> prevented. So change "accept after wait" to "verify, then accept after >> wait". > > While I don't feel strongly, I wonder in how many cases somebody would > really look at that during that extra wait interval. Also, CDS/CDNSKEY > processing already requires checking that updated DS records don't > break resolution. Yes, but if someone accidentally pushes a DNSSEC deployment out and pulls it back in after 5 minutes, you don't want this protocol to have pushed the machinary into production and causing ServFails. Similarly, I find BGP / routing attacks still scary, and attackers can only briefly hold the route hijacks up. So waiting a day would really offer a lot of protection here. Paul
- [DNSSEC-Bootstrapping] Fwd: New Version Notificat… Peter Thomassen
- Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Versi… Paul Wouters
- Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Versi… Peter Thomassen
- Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Versi… Paul Wouters
- Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Versi… Peter Thomassen
- Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Versi… Nils Wisiol
- Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Versi… Paul Wouters
- Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Versi… Peter Thomassen
- Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Versi… Paul Wouters
- Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Versi… Christian Elmerot
- Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Versi… Peter Thomassen
- Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Versi… Peter Thomassen
- Re: [DNSSEC-Bootstrapping] [DNSOP] Fwd: New Versi… Bob Harold