Re: Gen-ART review of draft-ietf-dnsext-dnssec-bis-updates-18

Andrew Sullivan <ajs@anvilwalrusden.com> Tue, 19 June 2012 02:12 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB70C11E80EF; Mon, 18 Jun 2012 19:12:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zVJyys1TpQ9T; Mon, 18 Jun 2012 19:12:24 -0700 (PDT)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by ietfa.amsl.com (Postfix) with ESMTP id D897C11E80D7; Mon, 18 Jun 2012 19:12:23 -0700 (PDT)
Received: from crankycanuck.ca (69-196-144-227.dsl.teksavvy.com [69.196.144.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 53BE91ECB41D; Tue, 19 Jun 2012 02:12:13 +0000 (UTC)
Date: Mon, 18 Jun 2012 22:12:11 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>, dnsext@ietf.org
Subject: Re: Gen-ART review of draft-ietf-dnsext-dnssec-bis-updates-18
Message-ID: <20120619021211.GI32683@crankycanuck.ca>
References: <EBFB2D2E-78FF-46D6-B4FF-1F57FB8D769B@bbn.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <EBFB2D2E-78FF-46D6-B4FF-1F57FB8D769B@bbn.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: draft-ietf-dnsext-dnssec-bis-updates@tools.ietf.org, IESG <iesg@ietf.org>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2012 02:12:24 -0000

Hi,

I'm the shepherd for this draft.  Thanks for the review.  Some
follow-up inline.

On Fri, May 25, 2012 at 05:02:28PM -0400, Richard L. Barnes wrote:
> 
> MAJOR:
> 
> 4.1.  
> It's not clear what the threat model is that this section is
> designed to address.  If the zone operator is malicious, then it can
> simulate the necessary zone cut and still prove the non-existence of
> records in the child zone.

The problem here is not a malicious parent operator, but "an NSEC or
NSEC3 RR from an ancestor zone".  In the original specification, an
attacker could use such an RR to prove the non-existence of some name
in a subordinate zone.  That was the problem.  (Remember, in DNS there
is a good chance that you are not talking to an authoritative server.)
If you have suggestions on ways to make that clearer, it'd be welcome.
The editors tried to come up with compact examples that would be
anything other than mystifying, and were unsuccessful.  

> 5.10.  
> I find the recommendation of the "Accept Any Success" policy
> troubling.  It deals very poorly with compromise (and other
> roll-over scenarios): Suppose there are two trust anchors, one for
> example.com and one for child.example.com.  If the private key
> corresponding to the TA for child.example.com is compromised, but
> the validator continues to trust it, this negates the benefit
> provided by the parent (example.com) facilitating a rollover.
> Suggest an alternative policy, "Highest Signer": Out of the set of
> keys configured as TAs, the validator only uses a key as a TA (for
> purposes of validation) if there does not exist a DNSSEC path from
> it to any other TA.  This policy seems like more work to enforce
> (because you have to do more backward chaining), but ISTM that the
> validator should have the necessary DNSSEC records anyway, so it's
> just a matter a couple of quick checks.

First, the Working Group debated this matter at considerable length,
several times.  The Accept Any Success policy provides greater
robustness in the face of configuration errors, and is more likely to
lead to continued resolution.  We believe, based on experience so far,
that such configuration errors are vastly more likely than key
compromise.  If we are to reopen this, we will need to go back to the
WG again.  

Note that Appendix C does discuss other options and 5.10 explicitly
suggests that this be configurable; but, because the biggest problem
we have is resolution failure in the face of mucked up configurations,
the consensus was that Accept Any Success was the best default.  That
could, of course, change in future, at which time an update to the
document would be advisable.

The suggestion for "Highest Signer" is interesting but has never to my
knowledge been previously mooted in relation to this draft.  I
therefore think that including it in particular would require some
review.  I don't know of any implementation that currently uses that
approach, either (but since there are vast gaps in my knowledge even
of what's on my desk, it wouldn't surprise me to learn that there were
some).  Do you know of any?  If not, it seems to me that it would be a
good idea to have some fielded experience with the approach before
recommending it as default.  It's an intriguing idea, however, and
seems to me to be worth pursuing.  I'm just not sure it should be in
this draft.  I personally think it would be premature to recommend it
as default, but if you take your position very firmly I am prepared to
take the question up with the Working Group.

Thanks again for the review.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com