IETF Logo Mail Archive

Re: [IPsec] Benjamin Kaduk's Yes on draft-ietf-ipsecme-split-dns-14: (with COMMENT)

Tero Kivinen <kivinen@iki.fi> Sun, 18 November 2018 11:14 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C79BA12F1AC; Sun, 18 Nov 2018 03:14:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.621
X-Spam-Level:
X-Spam-Status: No, score=-0.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FUZZY_XPILL=2.799, RCVD_IN_DNSWL_MED=-2.3, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9YdsfoYB42Dy; Sun, 18 Nov 2018 03:14:48 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73550127148; Sun, 18 Nov 2018 03:14:47 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id wAIBEewM002684 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 18 Nov 2018 13:14:40 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id wAIBEepX017981; Sun, 18 Nov 2018 13:14:40 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23537.18848.15817.35029@fireball.acr.fi>
Date: Sun, 18 Nov 2018 13:14:40 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Wouters <paul@nohats.ca>
Cc: "Waltermire, David A. (Fed)" <david.waltermire=40nist.gov@dmarc.ietf.org>, "ipsec@ietf.org" <ipsec@ietf.org>, "ipsecme-chairs@ietf.org" <ipsecme-chairs@ietf.org>, "draft-ietf-ipsecme-split-dns@ietf.org" <draft-ietf-ipsecme-split-dns@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1811170111570.1682@bofh.nohats.ca>
References: <154233104861.10051.7593212496190352066.idtracker@ietfa.amsl.com> <SN6PR09MB326474D2688D48194948243BF0DD0@SN6PR09MB3264.namprd09.prod.outlook.com> <alpine.LRH.2.21.1811170111570.1682@bofh.nohats.ca>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 25 min
X-Total-Time: 33 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/GyBVqQcXewGrw_KRJ2r3ppqjtA0>
Subject: Re: [IPsec] Benjamin Kaduk's Yes on draft-ietf-ipsecme-split-dns-14: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Nov 2018 11:14:50 -0000

Paul Wouters writes:
> On Fri, 16 Nov 2018, Waltermire, David A. (Fed) wrote:
> 
> > One comment on your COMMENT wearing chair and shepherd hats:
> >
> >> We have to use DNS presentation format for the DS records and not wire
> >> format?
> >
> > The group was "split" on this question. We did a hum, with most
> > responding in the room that they either did not care or had a
> > slight preference for presentation format. This is why it is this
> > way. 
> 
> Note that we did not use humming as a vote. The humming gave an idea of
> the room that the disadvantage of IKE software needing to understand and
> convert wire to/from presentation format only to prevent "string
> overflow errors" was not worth the trouble of forcing a wire format,
> especially since IKE just relays this information to another
> application, and this API almost certainly uses presentation format
> (for example, unbound-control)

Actually the text in section 2.2 is confusing. It is claiming that

   This attribute lists the corresponding internal DNSSEC
   trust anchor in the DNS presentation format of a DS record as
   specified in [RFC4034].

The format we use for DS records is not presentation format, nor is it
wire format.

In section 3.2 we see that we are using Wire format for DNSKEY Key
Tag, DNSKEY Alg and Digest Type, but presentation format for Digest
Data.

I.e., we do split the DNSKEY Key Tag, DNSKEY Alg, and Digest type
fields out from the presentation format and encode them as 16- and
8-bit integers in wire format, but then for the Digest Data, which in
wire format would be just binary blob, we use Presentation format of
the DS, i.e., hexadecimal with all kind of parenthesis, comments,
escaping mechanisms and newlines.

I myself would have been much more happy with wire format also for
Digest Data, but authors wanted to allow things like:

     INTERNAL_DNSSEC_TA(1270,8,1,"( 506AD3A656  ; comments
		D14D9246558 ; in file
		77628FFD6A98D7A847E ) ; more")

Which is then encoded as:

                       1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|   Attribute Type 0x19       |      Length 0x48              |
   +-+-----------------------------+---------------+---------------+
   | DNSKEY Key Tag 0x04  0xf6     |DNSKEY Alg 0x8 |Digest Type 0x1|
   +-------------------------------+---------------+---------------+
   |  0x28 "("        0x20 " "        0x35 "5"        0x30 "0"     |
   |  0x36 "6"        0x41 "A"        0x44 "D"        0x33 "3"     |
   |  0x41 "A"        0x36 "6"        0x35 "5"        0x36 "6"     |
   |  0x20 " "        0x20 " "        0x2B ";"        0x20 " "     |
   |  0x63 "c"        0x6f "o"        0x6d "m"        0x6d "m"     |
   |  0x65 "e"        0x6e "n"        0x74 "t"        0x73 "s"     |
   |  0x0a "\n"       0x09 "\t"       0x09 "\t"       0x44 "D"     |
   |  0x31 "1"        0x34 "4"        0x44 "D"        0x39 "9"     |
   |              ...                                              |
   +---------------------------------------------------------------+

and so on, instead of:

     INTERNAL_DNSSEC_TA(1270,8,1,0x506AD3A656D14D924655877628FFD6A98D7A847E)

with DS wire format encoding for Digest Data would result following
attribute:

                       1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-----------------------------+-------------------------------+
   |R|   Attribute Type 0x19       |      Length 0x1c              |
   +-+-----------------------------+---------------+---------------+
   | DNSKEY Key Tag 0x04  0xf6     |DNSKEY Alg 0x8 |Digest Type 0x1|
   +-------------------------------+---------------+---------------+
   |  0x50            0x6a            0xd3            0xa6         |
   |  0x56            0xd1            0x4d            0x92         |
   |  0x46            0x55            0x87            0x76         |
   |  0x28            0xff            0xd6            0xa9         |
   |  0x8d            0x7a            0x84            0x7e         |
   +---------------------------------------------------------------+
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email