IETF Logo Mail Archive

Re: Last Call: 'Minimally Covering NSEC Records and DNSSEC On-line Signing' to Proposed Standard

Geoffrey Sisson <geoff@nominet.org.uk> Mon, 05 December 2005 15:13 UTC

From: Geoffrey Sisson <geoff@nominet.org.uk>
Subject: Re: Last Call: 'Minimally Covering NSEC Records and DNSSEC On-line Signing' to Proposed Standard
Date: Mon, 05 Dec 2005 15:13:31 +0000
Lines: 69
References: <a06200705bfb667a0af2d@[10.31.32.96]>
Cc: namedroppers@ops.ietf.org, iesg@ietf.org
X-From: owner-namedroppers@ops.ietf.org Mon Dec 05 16:27:29 2005
Return-path: <owner-namedroppers@ops.ietf.org>
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-1.3 required=5.0 tests=AWL,BAYES_00,BIZ_TLD autolearn=no version=3.1.0
X-IronPort-AV: i="3.99,217,1131321600"; d="scan'208"; a="2044817:sNHT25839152"
To: Edward Lewis <Ed.Lewis@neustar.biz>
In-Reply-To: <a06200705bfb667a0af2d@[10.31.32.96]>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
X-Message-ID:
Message-ID: <20140418072122.2560.82436.ARCHIVE@ietfa.amsl.com>

Edward Lewis <Ed.Lewis@neustar.biz> wrotes:

> At 10:53 -0500 11/22/05, The IESG wrote:
> >http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dns-name-p-s-01.txt
> 
> #   This document describes two methods:
> #
> #   1.  An ``absolute method'', which returns the immediate predecessor
> #       or successor of a domain name such that no valid DNS name could
> #       exist between that DNS name and the predecessor or successor.
> #
> #   2.  A ``modified method'', which returns a predecessor and successor
> #       which are more economical in size and computation.  This method
> #       is restricted to use with zones consisting exclusively of owner
> #       names that contain no more than one label more than the owner
> #       name of the apex, where the longest possible owner name (i.e. one
> #       with a maximum length left-most label) would not exceed the
> #       maximum DNS name length.  This is, however, the type of zone for
> #       which the technique of online signing is most likely to be used.
> 
> I have two comments to make on this.
> 
> One is that I think it's unwise to design a standard part of the 
> protocol based on the data content of the zone.  I'm referring to the 
> sentiment in the last sentence of the quoted section.  This is not a 
> concrete comment, just a design guideline, and it is less important 
> than my next comment.

Note that -ietf-dnsext-dns-name-p-s has been requested for publication
as Experimental, so it's not part of the protocol.  The described
methods are provided as an aid to implementors and are not normative.

> Keeping in mind that we discourage (or should, I recall talking about 
> this) caches from being used to speak authoritatively about data and 
> the behavior of negative caches, does it really matter if the NSEC 
> contents are "true?"  Especially when what is "true" can change with 
> dynamic update.
> 
> My point here is, perhaps the modified method is all that is needed, 
> regardless of the kind of data in the zone.  Can we get away with one 
> approximately good method instead of having to define two exacting 
> methods?  Can't we simplify this?

The "modified method" would be quite broken for some types of zones,
e.g. ones with lots of deeply-nested empty non-terminals.  For example:

    $ORIGIN 5.6.8.1.4.4.e164.arpa.

    1.1.2.2.3.3 IN NAPTR <blah>

    9.9.2.2.3.3 IN NAPTR <blah>

    . . .

When using the modified method, a query with a QNAME of
4.4.2.2.3.3.5.6.8.1.4.4.e164.arpa. would produce this response:

    2\255{62}.5.6.8.1.4.4.e164.arpa. IN NSEC 3\000.5.6.8.1.4.4.e164.arpa. ...

This would potentially deny the existence of quite a few existing DNS
names, substantially increasing it's utility for replay attacks.

Geoff

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email