Re: Practical issues deploying DNSSEC into the home.
Joe Abley <jabley@hopcount.ca> Tue, 10 September 2013 20:44 UTC
Return-Path: <jabley@hopcount.ca>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D55D511E81DB for <ietf@ietfa.amsl.com>; Tue, 10 Sep 2013 13:44:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WIRxOTuhMv-L for <ietf@ietfa.amsl.com>; Tue, 10 Sep 2013 13:44:47 -0700 (PDT)
Received: from mail-ie0-x233.google.com (mail-ie0-x233.google.com [IPv6:2607:f8b0:4001:c03::233]) by ietfa.amsl.com (Postfix) with ESMTP id 053BB11E8137 for <ietf@ietf.org>; Tue, 10 Sep 2013 13:44:46 -0700 (PDT)
Received: by mail-ie0-f179.google.com with SMTP id e14so2953808iej.38 for <ietf@ietf.org>; Tue, 10 Sep 2013 13:44:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=HAampNqqKxnD5Iw7jHBYuPoCjI4PX096beYcmOlyr6s=; b=VOf/ub+NJvHnNBFIjstVd8Jk2kp23WSev6qChiKPU3eSan2TXjPMPDLtaHa0ocBloX i6/j+ipQuv7gSOcXyFaTaneF5pBXhCRw6fi4A1vp7DX66mpGjRl+NdebQ82m07de/IJp QZRAxuv/9QR/Ii6Rgjo6Ngl4FiuzgX3QAMfdg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=HAampNqqKxnD5Iw7jHBYuPoCjI4PX096beYcmOlyr6s=; b=YnOoVVWWU8JWPCaE60AaCrOv0/fwHPMsXQcm0pkPyjcIoBDl0u3p6aFa1yMWs93apg Z1jdJw3pK8VvYfhSmVQDdwCJgRiA0eSAgPE8A63lMtfU6qWLx7tkHmi2mfqhHod6EpCD KmkrdA6MRy87CYkY8ZQGTzoyIW6xhO1PlRpoN/q4aDRRaQ9/QpEm/+82rB8x+mkRW70m 9fStmu8E34y1A/FTTeIJOgCZ24d3dpqcanLc1RwBFsm+8Z5DAZNPLoep1ZpYsG/jheQV W7Pf1Gz/+7E01GznsiZ9s7JmQ9/B9HXGHG9I0tYI8W+hqf6VpjWLad/a9W9LFonKkjMh NOyQ==
X-Gm-Message-State: ALoCoQnS9nyZAxUxv9L7QKbLq8+AVyrk5h856GYudw//ZCdioJzGzYFwV0K7hdIOrM6s08teNUoF
X-Received: by 10.50.124.10 with SMTP id me10mr11318242igb.40.1378845885367; Tue, 10 Sep 2013 13:44:45 -0700 (PDT)
Received: from [10.254.50.227] ([64.235.96.2]) by mx.google.com with ESMTPSA id f5sm2269144igc.4.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 10 Sep 2013 13:44:44 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Subject: Re: Practical issues deploying DNSSEC into the home.
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <13097.1378832326@sandelman.ca>
Date: Tue, 10 Sep 2013 16:44:43 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <1C380467-2071-43EF-A803-3FA0357F2D40@hopcount.ca>
References: <CAGhGL2APj-XfuMUHgLsELnZRbRNCLrjMBxFBtcg4zx+5SG7Bag@mail.gmail.com> <alpine.LFD.2.10.1309101205120.4683@bofh.nohats.ca> <13097.1378832326@sandelman.ca>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.1508)
Cc: ietf@ietf.org, dns-security@lists.tislabs.com
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2013 20:44:48 -0000
On 2013-09-10, at 12:58, Michael Richardson <mcr+ietf@sandelman.ca> wrote: >> But I'm still thinking of a scheme involving insecure ntp lookups for >> pool.ntp.org, then using inception times of RRSIGs of TLDs to narrow >> down the current time. Of course, all of that is vulnerable to replay >> attacks. > > I think that the best bet is to just turn off the time part of the DNSSEC > validation until the time is considered sane. That's what we propose, in essence, in draft-jabley-dnsop-validator-bootstrap: 3. Summary of Approach A validator that has no valid trust anchor initialises itself as follows. 3.1. Initial State A validator in its initial state is capable of sending and receiving DNS queries and responses, but is not capable of validating signatures received in responses. A validator must confirm that its local clock is sufficiently accurate before trust anchors can be established, and before processing of DNSSEC signatures can proceed. Discussion of timing considerations can be found in Section 4. 3.2. Trust Anchor Retrieval Once the local clock has been synchronised, a validator may proceed to gather candidate trust anchors for consideration. Discussion of trust anchor retrieval can be found in Section 5. 3.3. Trust Anchor Selection Once a set of candidate trust anchors has been obtained, a validator attempts to find one trust anchor in the set which is appropriate for use. This process involves verification of cryptographic signatures, and is discussed in Section 6. 3.4. Full Operation The validator now has an accurate trust anchor for the root zone, and is capable of validating signatures on responses from the DNS. We specify clock sync before trust anchor retrieval because trust anchors are published in a bundle with date ranges within which they should be considered suitable for use. Clock sync before validation makes sense for reasons already mentioned. Joe
- Re: Practical issues deploying DNSSEC into the ho… Russ Housley
- Re: Practical issues deploying DNSSEC into the ho… Joe Abley
- Practical issues deploying DNSSEC into the home. Jim Gettys
- Re: Practical issues deploying DNSSEC into the ho… Paul Wouters
- Re: Practical issues deploying DNSSEC into the ho… Joe Abley
- Re: Practical issues deploying DNSSEC into the ho… Phillip Hallam-Baker
- Re: [DNSOP] Practical issues deploying DNSSEC int… Ted Lemon
- Re: Practical issues deploying DNSSEC into the ho… SM
- Re: Practical issues deploying DNSSEC into the ho… Michael Richardson
- Re: Practical issues deploying DNSSEC into the ho… Tony Finch
- Re: Practical issues deploying DNSSEC into the ho… Joe Abley
- Re: Practical issues deploying DNSSEC into the ho… Olafur Gudmundsson
- Re: Practical issues deploying DNSSEC into the ho… Brian E Carpenter
- Re: Practical issues deploying DNSSEC into the ho… David Morris
- Re: Practical issues deploying DNSSEC into the ho… Olafur Gudmundsson
- Re: [DNSOP] Practical issues deploying DNSSEC int… Olafur Gudmundsson
- Re: [DNSOP] Practical issues deploying DNSSEC int… Olafur Gudmundsson
- Re: [DNSOP] Practical issues deploying DNSSEC int… Evan Hunt
- Re: [DNSOP] Practical issues deploying DNSSEC int… Dickson, Brian
- Re: [DNSOP] Practical issues deploying DNSSEC int… Nicholas Weaver
- Re: [DNSOP] Practical issues deploying DNSSEC int… Paul Wouters
- Re: [DNSOP] Practical issues deploying DNSSEC int… Phillip Hallam-Baker
- Re: [DNSOP] Practical issues deploying DNSSEC int… Joe Abley
- Re: [DNSOP] Practical issues deploying DNSSEC int… Phillip Hallam-Baker
- Re: [DNSOP] Practical issues deploying DNSSEC int… Randy Presuhn
- Re: [DNSOP] Practical issues deploying DNSSEC int… Phillip Hallam-Baker
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta
- Re: [DNSOP] Practical issues deploying DNSSEC int… Tony Finch
- Re: [DNSOP] Practical issues deploying DNSSEC int… Arturo Servin
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta
- Re: [DNSOP] Practical issues deploying DNSSEC int… Theodore Ts'o
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta
- Re: [DNSOP] Practical issues deploying DNSSEC int… Tony Finch
- Re: [DNSOP] Practical issues deploying DNSSEC int… Ted Lemon
- Re: [DNSOP] Practical issues deploying DNSSEC int… Theodore Ts'o
- Re: [DNSOP] Practical issues deploying DNSSEC int… Nicholas Weaver
- Re: [DNSOP] Practical issues deploying DNSSEC int… Nicholas Weaver
- Re: [DNSOP] Practical issues deploying DNSSEC int… Paul Wouters
- Re: [DNSOP] Practical issues deploying DNSSEC int… Paul Wouters
- Re: [DNSOP] Practical issues deploying DNSSEC int… Ted Lemon
- Re: [DNSOP] Practical issues deploying DNSSEC int… Paul Wouters
- Re: [DNSOP] Practical issues deploying DNSSEC int… Ted Lemon
- Re: [DNSOP] Practical issues deploying DNSSEC int… Theodore Ts'o
- Re: [DNSOP] Practical issues deploying DNSSEC int… Ted Lemon
- Re: [DNSOP] Practical issues deploying DNSSEC int… Ted Lemon
- Re: [DNSOP] Practical issues deploying DNSSEC int… Phillip Hallam-Baker
- Re: [DNSOP] Practical issues deploying DNSSEC int… Phillip Hallam-Baker
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta
- Re: [DNSOP] Practical issues deploying DNSSEC int… David Morris
- Re: [DNSOP] Practical issues deploying DNSSEC int… Eliot Lear
- Re: [DNSOP] Practical issues deploying DNSSEC int… Dickson, Brian
- Re: [DNSOP] Practical issues deploying DNSSEC int… robert bownes
- Re: [DNSOP] Practical issues deploying DNSSEC int… Nicholas Weaver
- Re: [DNSOP] Practical issues deploying DNSSEC int… Glen Wiley
- Re: [DNSOP] Practical issues deploying DNSSEC int… Martin Rex
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta
- Re: [DNSOP] Practical issues deploying DNSSEC int… Jim Gettys
- Re: [DNSOP] Practical issues deploying DNSSEC int… Masataka Ohta