IETF Logo Mail Archive

Re: Practical issues deploying DNSSEC into the home.

Joe Abley <jabley@hopcount.ca> Tue, 10 September 2013 20:44 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D55D511E81DB for <ietf@ietfa.amsl.com>; Tue, 10 Sep 2013 13:44:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WIRxOTuhMv-L for <ietf@ietfa.amsl.com>; Tue, 10 Sep 2013 13:44:47 -0700 (PDT)
Received: from mail-ie0-x233.google.com (mail-ie0-x233.google.com [IPv6:2607:f8b0:4001:c03::233]) by ietfa.amsl.com (Postfix) with ESMTP id 053BB11E8137 for <ietf@ietf.org>; Tue, 10 Sep 2013 13:44:46 -0700 (PDT)
Received: by mail-ie0-f179.google.com with SMTP id e14so2953808iej.38 for <ietf@ietf.org>; Tue, 10 Sep 2013 13:44:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=HAampNqqKxnD5Iw7jHBYuPoCjI4PX096beYcmOlyr6s=; b=VOf/ub+NJvHnNBFIjstVd8Jk2kp23WSev6qChiKPU3eSan2TXjPMPDLtaHa0ocBloX i6/j+ipQuv7gSOcXyFaTaneF5pBXhCRw6fi4A1vp7DX66mpGjRl+NdebQ82m07de/IJp QZRAxuv/9QR/Ii6Rgjo6Ngl4FiuzgX3QAMfdg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=HAampNqqKxnD5Iw7jHBYuPoCjI4PX096beYcmOlyr6s=; b=YnOoVVWWU8JWPCaE60AaCrOv0/fwHPMsXQcm0pkPyjcIoBDl0u3p6aFa1yMWs93apg Z1jdJw3pK8VvYfhSmVQDdwCJgRiA0eSAgPE8A63lMtfU6qWLx7tkHmi2mfqhHod6EpCD KmkrdA6MRy87CYkY8ZQGTzoyIW6xhO1PlRpoN/q4aDRRaQ9/QpEm/+82rB8x+mkRW70m 9fStmu8E34y1A/FTTeIJOgCZ24d3dpqcanLc1RwBFsm+8Z5DAZNPLoep1ZpYsG/jheQV W7Pf1Gz/+7E01GznsiZ9s7JmQ9/B9HXGHG9I0tYI8W+hqf6VpjWLad/a9W9LFonKkjMh NOyQ==
X-Gm-Message-State: ALoCoQnS9nyZAxUxv9L7QKbLq8+AVyrk5h856GYudw//ZCdioJzGzYFwV0K7hdIOrM6s08teNUoF
X-Received: by 10.50.124.10 with SMTP id me10mr11318242igb.40.1378845885367; Tue, 10 Sep 2013 13:44:45 -0700 (PDT)
Received: from [10.254.50.227] ([64.235.96.2]) by mx.google.com with ESMTPSA id f5sm2269144igc.4.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 10 Sep 2013 13:44:44 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Subject: Re: Practical issues deploying DNSSEC into the home.
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <13097.1378832326@sandelman.ca>
Date: Tue, 10 Sep 2013 16:44:43 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <1C380467-2071-43EF-A803-3FA0357F2D40@hopcount.ca>
References: <CAGhGL2APj-XfuMUHgLsELnZRbRNCLrjMBxFBtcg4zx+5SG7Bag@mail.gmail.com> <alpine.LFD.2.10.1309101205120.4683@bofh.nohats.ca> <13097.1378832326@sandelman.ca>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.1508)
Cc: ietf@ietf.org, dns-security@lists.tislabs.com
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2013 20:44:48 -0000

On 2013-09-10, at 12:58, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

>> But I'm still thinking of a scheme involving insecure ntp lookups for
>> pool.ntp.org, then using inception times of RRSIGs of TLDs to narrow
>> down the current time. Of course, all of that is vulnerable to replay
>> attacks.
> 
> I think that the best bet is to just turn off the time part of the DNSSEC
> validation until the time is considered sane.

That's what we propose, in essence, in draft-jabley-dnsop-validator-bootstrap:

3.  Summary of Approach

   A validator that has no valid trust anchor initialises itself as
   follows.

3.1.  Initial State

   A validator in its initial state is capable of sending and receiving
   DNS queries and responses, but is not capable of validating
   signatures received in responses.

   A validator must confirm that its local clock is sufficiently
   accurate before trust anchors can be established, and before
   processing of DNSSEC signatures can proceed.  Discussion of timing
   considerations can be found in Section 4.

3.2.  Trust Anchor Retrieval

   Once the local clock has been synchronised, a validator may proceed
   to gather candidate trust anchors for consideration.  Discussion of
   trust anchor retrieval can be found in Section 5.

3.3.  Trust Anchor Selection

   Once a set of candidate trust anchors has been obtained, a validator
   attempts to find one trust anchor in the set which is appropriate for
   use.  This process involves verification of cryptographic signatures,
   and is discussed in Section 6.

3.4.  Full Operation

   The validator now has an accurate trust anchor for the root zone, and
   is capable of validating signatures on responses from the DNS.

We specify clock sync before trust anchor retrieval because trust anchors are published in a bundle with date ranges within which they should be considered suitable for use.

Clock sync before validation makes sense for reasons already mentioned.


Joe

v2.23.0 | Report a Bug | By Email