Re: [dnsext] Last Call: <draft-ietf-dnsext-dnssec-bis-updates-18.txt> (Clarifications and Implementation Notes for DNSSECbis) to Proposed Standard
Mark Andrews <marka@isc.org> Sun, 20 May 2012 23:00 UTC
Return-Path: <marka@isc.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1D6621F85AF; Sun, 20 May 2012 16:00:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJiqViHhWn7n; Sun, 20 May 2012 16:00:25 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id E8A4221F8597; Sun, 20 May 2012 16:00:24 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.pao1.isc.org (Postfix) with ESMTPS id C7453C95AA; Sun, 20 May 2012 23:00:12 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:f9c1:59cf:bb40:d253]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 67889216C36; Sun, 20 May 2012 23:00:12 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 1E51A20C6C42; Mon, 21 May 2012 09:00:08 +1000 (EST)
To: ietf@ietf.org
From: Mark Andrews <marka@isc.org>
References: <20120517210122.19283.4263.idtracker@ietfa.amsl.com>
Subject: Re: [dnsext] Last Call: <draft-ietf-dnsext-dnssec-bis-updates-18.txt> (Clarifications and Implementation Notes for DNSSECbis) to Proposed Standard
In-reply-to: Your message of "Thu, 17 May 2012 14:01:22 MST." <20120517210122.19283.4263.idtracker@ietfa.amsl.com>
Date: Mon, 21 May 2012 09:00:07 +1000
Message-Id: <20120520230008.1E51A20C6C42@drugs.dv.isc.org>
Cc: dnsext@ietf.org, IETF-Announce <ietf-announce@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 May 2012 23:00:25 -0000
I am repeating what I have said earlier during WGLS that Section 5.9., Always set the CD bit on Queries, contains bad advice on how to set the CD bit. The setting of CD make little difference if all the machines involved are being correctly managed. In that case all responses will successfully validate. However if there is a off path attacker or one or more of the authorititive sources is returning stale records the setting of CD is critical to ensuring that the ultimate client can get the necessary records to ensure that the responses it gets validate. When there is a non-validating stub resolver all queries from that client come in with CD=0 and a validating recursive server try multiple authoritative servers until it gets a answer which validates as secure or insecure, in other words it rejects answers from attackers or from authoritative servers that return stale data. Now take a validating validating stub resolver, if all queries from that client come in the CD=1, them the recursive server returns the answer from upstream immediately without filtering out bad responses. If there is a off path attacker or if there is a stale authoritative server then there is no way to ensure that the stub client will ever get a answer that will validate. It can continue to re-query forever but there is no requirement for the recursive server to try a different authoritative source or to wait for a valid response from a authoritive source. A similar problem arises when a recursive server is talking through a second recursive server. The server is no longer talking to the authoritative servers directly and can't recover from getting answers that do not validate. Now sending CD=0 has its own set of problems caused by stale trust anchors and clocks being out of sync so I am not suggesting that we always send CD=0 queries either when incoming queries are sent with CD=0. Stub resolvers and recursive servers talking through other recursive servers need to be prepared to ask queries with both CD=0 and CD=1. CD=1 when talking to authoritative servers, CD=0 when talking to recursive servers falling back to CD=1 on SERVFAIL to handle stale trust anchors and out of sync clocks unless the incoming query was received with CD=1 in which case you MUST make CD=1 upstream queries. Now if the recursive server is not validating, validating down stream clients are vulnerable to all the failure modes caused by sending CD=1 queries. Fixing this will require protocol extensions to pass trust anchors, and maybe current time, along with the query and having on demand validation performed using those values in the recursive server for this client. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [dnsext] Last Call: <draft-ietf-dnsext-dnssec… Mark Andrews