IETF Logo Mail Archive

Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16

"Blacka, David" <davidb@verisign.com> Mon, 12 March 2012 20:36 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5133B11E80C5; Mon, 12 Mar 2012 13:36:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1331584614; bh=tE0B3shmBrbiKVkYRTRcB0xuxfLZn7LH4u8Uqux7/wg=; h=From:To:Date:Message-ID:References:In-Reply-To:MIME-Version:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Sender; b=NzubDR1nOYFi0uCeGbExL3roXMeA/O8isqYxSRjNJBmPZ+B1v7f6mtt1+z7dqIGbf xHFphO4LB6xCQ6yagFJgfNekBC1ObSUQTa+H/SIHt7854VEnX+YCm2AvRAMtz4wQA8 d0JHL17dX34b+Xe8f6QSXaZIyqQKeJ/+nRv7JNJg=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F27E611E80B1 for <dnsext@ietfa.amsl.com>; Mon, 12 Mar 2012 13:36:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.546
X-Spam-Level:
X-Spam-Status: No, score=-6.546 tagged_above=-999 required=5 tests=[AWL=0.053, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bvfXhqriuaF for <dnsext@ietfa.amsl.com>; Mon, 12 Mar 2012 13:36:51 -0700 (PDT)
Received: from exprod6og110.obsmtp.com (exprod6og110.obsmtp.com [64.18.1.25]) by ietfa.amsl.com (Postfix) with ESMTP id 4EC9A11E80C5 for <dnsext@ietf.org>; Mon, 12 Mar 2012 13:36:51 -0700 (PDT)
Received: from osprey.verisign.com ([216.168.239.75]) (using TLSv1) by exprod6ob110.postini.com ([64.18.5.12]) with SMTP ID DSNKT15eYOUd65Enomxx02I4IxfnkLpBD29+@postini.com; Mon, 12 Mar 2012 13:36:51 PDT
Received: from dul1wnexcn03.vcorp.ad.vrsn.com (dul1wnexcn03.vcorp.ad.vrsn.com [10.170.12.113]) by osprey.verisign.com (8.13.6/8.13.4) with ESMTP id q2CKaiHO013398; Mon, 12 Mar 2012 16:36:47 -0400
Received: from dul1wnexcn04.vcorp.ad.vrsn.com ([10.170.12.139]) by dul1wnexcn03.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 12 Mar 2012 16:36:44 -0400
Received: from BRN1WNEXCAS02.vcorp.ad.vrsn.com ([10.173.152.206]) by dul1wnexcn04.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 12 Mar 2012 16:36:43 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.02.0247.003; Mon, 12 Mar 2012 16:36:43 -0400
From: "Blacka, David" <davidb@verisign.com>
To: Mohan Parthasarathy <suruti94@gmail.com>
Thread-Topic: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16
Thread-Index: AQHM1zdYhpCbZbKrbEeeiLsTMPAht5YhbICAgEY4fgCAAA9KgA==
Date: Mon, 12 Mar 2012 20:36:42 +0000
Message-ID: <EEDF4AC3-DB88-4EE5-A974-A6457357C9F4@verisign.com>
References: <20120120054939.GD4365@mail.yitter.info> <CACU5sDnS-3V26yKyvTGObR67H2LPiBjWxCZAbMpHPZrgXJeNFg@mail.gmail.com> <alpine.BSF.2.00.1203121532490.39342@fledge.watson.org>
In-Reply-To: <alpine.BSF.2.00.1203121532490.39342@fledge.watson.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
MIME-Version: 1.0
X-OriginalArrivalTime: 12 Mar 2012 20:36:43.0436 (UTC) FILETIME=[D60186C0:01CD008F]
Cc: Samuel Weiler <weiler@watson.org>, DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1147232778155567482=="
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Mar 12, 2012, at 3:41 PM, Samuel Weiler wrote:

> On Fri, 27 Jan 2012, Mohan Parthasarathy wrote:
> 
>> - Section 4.4 Insecure Delegation proofs last sentence is very
>> confusing. An example as to what attack this is describing would be
>> helpful to the implementer.
> 
> Here's an example of the attack we're trying to avoid.  Consider a signed zone that contains the names:
>  alfa.example.com.
> and
>  bravo.alfa.example.com.
> 
> alfa.example.com is NOT a delegation.  Instead, it has this NSEC record:
> 
> 	alfa.example.com. 86400 IN NSEC host.example.com. (
> 		A MX RRSIG NSEC TYPE1234 )
> 
> The quesion is: could an attacker use this NSEC record in reply to a query for bravo.alfa.example.com, replying with either a spoofed bravo.alfa.example.com or even claiming the name doesn't exist?  Under the old rules, read literally, that attack would work: the NSEC does not have a DS or SOA bit.  It also does not have an NS bit, but the rules did not say to check for that.

Actually, the question is: could an attacker use this NSEC record to spoof away actual signed records for alfa.example.com.  The attacker could return:

  ANSWER:
  AUTHORITY:
     alfa.example.com IN NS my.bad.server.
     alfa.example.com IN NS my.other.bad.server.
     alfa.example.com IN NSEC bravo.alfa.example.com A MX RRSIG NSEC TYPE1234
     alfa.example.com IN RRSIG NSEC …
  ADDITIONAL:
     ...

This looks superficially like a normal insecure delegation.  The NSEC record verifies and proves that there is no DS RRset.  The attacker then, on my.bad.server, can return whatever it likes for alfa.example.com A, or other types.

Thus, 4.4 says that you MUST check that the NS bit is set.

> 
> The forthcoming -17 has that section somewhat reworked.  There still is no example in.  Let us know if you really want that.
> 
> (note: the error is also broken, since bravo.alfa.example.com sorts before host.example.com.  maybe there are multiple ways to catch this attack.)
> 
>> - The "Security Considerations" section says:
>> 
>>    This document adds two cryptographic features to the core DNSSEC protocol.
>> 
>>   Is this referring to the algorithms mentioned in section 2.2 (
>> which actually lists three)  or something else ?
> 
> clarified.
> 
> -- Sam
> 
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext

--
David Blacka                          <davidb@verisign.com> 
Principal               Verisign Infrastructure Engineering





_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email