IETF Logo Mail Archive

Re: [dnsext] Issues in WGLC of dnssec-bis-updates

Mark Andrews <marka@isc.org> Wed, 08 February 2012 23:05 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50A2111E8080; Wed, 8 Feb 2012 15:05:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328742342; bh=L4wLQd/+h9qV4bCP23mhAq/dP4yajQ01uMBOyoCvUn4=; h=To:From:References:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=IhLAXN05eIziW4FMrcORmB4vzVC5fDfywA//nn6RqqG2LKB8XitvI1nrU3rF721rC lSta4cfz/+IaM/itlmSolA3rmLKbaLmI1Fi1ZLHdmBtjC1CNOfd4H3OhlBiLiWIS4y hyj03g6a11J4hO+3+C6VFjOWj6mKd5bUb/CC9HPg=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F224211E8080 for <dnsext@ietfa.amsl.com>; Wed, 8 Feb 2012 15:05:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.554
X-Spam-Level:
X-Spam-Status: No, score=-2.554 tagged_above=-999 required=5 tests=[AWL=0.045, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8YO1K5nx82eL for <dnsext@ietfa.amsl.com>; Wed, 8 Feb 2012 15:05:40 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 9DFB121F8562 for <dnsext@ietf.org>; Wed, 8 Feb 2012 15:05:32 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id 84E2C5F98E5; Wed, 8 Feb 2012 23:05:16 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:3981:7370:f4ed:515c]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 486D3216C6A; Wed, 8 Feb 2012 23:05:14 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 2440F1D0601B; Thu, 9 Feb 2012 10:05:11 +1100 (EST)
To: Mohan Parthasarathy <suruti94@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <20120207151820.GE9478@crankycanuck.ca> <4F31449C.9040604@nlnetlabs.nl> <a06240801cb570a945202@192.168.128.143> <CACU5sD=bUC9bC_OW4SeH2h6DPM+d3+-JkZyz=6u=dpmj+7rVjw@mail.gmail.com> <4F3232B6.3060505@nlnetlabs.nl> <CACU5sDk8zGPF-w5BpBG21tNW1s0mpCEUP=YBaoZXhmbHT-+u-A@mail.gmail.com>
In-reply-to: Your message of "Wed, 08 Feb 2012 10:45:46 -0800." <CACU5sDk8zGPF-w5BpBG21tNW1s0mpCEUP=YBaoZXhmbHT-+u-A@mail.gmail.com>
Date: Thu, 09 Feb 2012 10:05:10 +1100
Message-Id: <20120208230511.2440F1D0601B@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Issues in WGLC of dnssec-bis-updates
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

In message <CACU5sDk8zGPF-w5BpBG21tNW1s0mpCEUP=YBaoZXhmbHT-+u-A@mail.gmail.com>,
 Mohan Parthasarathy writes:
> On Wed, Feb 8, 2012 at 12:30 AM, W.C.A. Wijngaards <wouter@nlnetlabs.nl> wr=
> ote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi Mohan,
> >
> > The definition of indeterminate was wrong in RFC4035, and you now seem
> > to think DNSSEC is riddled with downgrade. =A0There is no downgrade,
> > because the security-states are the outcome of the chain-of-trust
> > algorithm, not implemented from its definitions in RFC4035.
> >
> Okay, after reading your response and re-reading 4035 and 4033, I
> think 4033 definitions for Bogus, Insecure and Indeterminate capture
> the discussion below more clearly.
> 
>  <snip>
> 
> > On 02/07/2012 08:51 PM, Mohan Parthasarathy wrote:
> >> On Tue, Feb 7, 2012 at 9:14 AM, Edward Lewis <Ed.Lewis@neustar.biz> wrot=
> e:
> >>> At 16:34 +0100 2/7/12, W.C.A. Wijngaards wrote:
> >>>
> >>>> insecure, or bogus. =A0Note that with the root trust anchor the
> >>>> indeterminate state no longer occurs, since we know everything is
> >>>> covered by that trust anchor.
> >>>
> >>>
> >>> I disagree with that.
> >>>
> >>> The Internet that we usually think about as being the only one is what I
> >>> call the "global public Internet". =A0For the global public Internet, t=
> he DNS
> >>> in common use does have a trust anchor for it's root zone so the assert=
> ion
> >>> holds for the majority of cases, but then again only for recursive serv=
> ers
> >>> that have the trust anchor.
> >>>
> >>> There are other inter-networks that use the DNS protocol. =A0In at leas=
> t one
> >>> of these, DNSSEC has not been deployed.
> >>>
> >>> And, you can stretch this to the case of a recursive server, on the glo=
> bal
> >>> public Internet, that does not have the root anchor configured - and may
> >>> have another anchor. =A0To such a server, validating some DNS data is
> >>> impossible (incalculable).
> >>>
> >>> The protocol cannot be defined assuming one particular mode of operatio=
> n.
> >>>
> >> Before getting to define this precisely, we should try to understand
> >> the different cases that can occur and see whether we all agree on the
> >> error status for the different cases.
> >
> > Why data cannot be fetched is not a factor in the end result. =A0This
> > simplifies the cases to: cannot get the proper DNSSEC data, can get
> > proper DNSSEC data but it's invalid, can get proper DNSSEC data and it's
> > ok. =A0And the results are bogus, bogus, secure. =A0If you find an insecu=
> re
> > delegation it is insecure. =A0If there is no applicable trust anchor, the
> > result is indeterminate (that is effectively just like insecure).
> >
> 
> Ok, Bogus, Secure and Insecure applies only when there is an
> applicable trust anchor. When it is absent, it is indeterminate. That
> simplifies a lot.

Absolutely wrong.

Step 1 of validation.
Is there a potential covering trust anchor?
	Yes.  Goto step 2.
	No.  Mark as insecure.

Step 2 ....

>  <snip>
> >>
> >> 1) We get some DNSSEC RRs back but can't validate. Just being able to
> >> partially validate without tracing back to the trust anchor is equally
> >> bad as not being able to validate the signatures.
> >
> > Yes, that is bogus in today's implementations.
> >
> >> 2) We get no DNSSEC RRs back. This could be a problem in the path or
> >> the zone is not signed. We can't tell the difference without some
> >> extra configuration.
> >
> > You can tell the difference because the chain-of-trust is signed itself,
> > and this extends from the trust anchor to the data you just got, and
> > thus you know if this zone is signed or not. =A0And thus in your question,
> > the unsigned zone is ok(insecure), and the signed-zone-missing-DNSSEC
> > RRs is not ok(bogus).
> >
> >> How does it help the application to make this more fine grained ?
> >
> > No, the application just wants all bogus data to be removed. =A0Data that
> > is secure and data that is not DNSSEC signed is what it wants. =A0Because
> > of the chain-of-trust the validator knows which parts of the space below
> > a trust anchor is signed (and must have DNSSEC available) and which part
> > is unsigned. =A0This property could be the cause that made insecure and
> > indeterminate terms exist, as indeterminate is not really processed but
> > simply the absence of a covering trust anchor, just like in the case
> > where you had no trust anchors at all. =A0But then insecure needs
> > processing: you have to validate the chain of trust from the trust
> > anchor to the insecure-delegation point, and only then can you conclude
> > that the data is insecure. =A0This is something internal to the DNSSEC
> > validator, and not particularly impressive to the application, that
> > likely just wants to know if the data was DNSSEC-signed (if so: secure
> > or bogus) or if the data was not DNSSEC-signed (as determined with the
> > configured set of trust anchors).
> >
> That was very useful discussion.
> 
> regards
> mohan
> 
> > Best regards,
> > =A0 Wouter
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.15 (GNU/Linux)
> > Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
> >
> > iQIcBAEBAgAGBQJPMjK2AAoJEJ9vHC1+BF+NxVUQAIyQ4nPk7Syogn9uh4z890yJ
> > kmPxslbpvHru47OxKd0tYvozldnP32z1+JToGSZR8qRU+w9SAQLutnFkqCU28x95
> > QUAot8G157kxZT95zhdjVqpbyUYDYwKKUY4jqplq4IuyIm1ewEOcwAS8Sak1o9Gr
> > 17Xs4aCpl55QmTCZAlP+r6SwCDY738Py9I51BJhifAB9HdkT6XK1+bsbMSiFhG+o
> > koICUhKaLDthmFvBrHBVCiW4xD5uk8ww2jlMNXv2LaRT05tfVjLC0EfboFn3kEkg
> > +c39M8Bm4GlkQvB1Wr37AEPn/m0PYbsC2lOEQL/04QRGiAcDTtjo4bzzsKb6yFFi
> > cWg8mUsldcSikZB+YFVS0RRLGcKCWhOVHxxMqKlA/IdzBU02JiGaYqZU9SKaakkc
> > 8AEFJkQdUYerh4BPeiwlzpy4uS3kiJU7A8hKnQSIuRR1xo7r28NKuvrxLnw5b3es
> > kExf4pyb5zitBPx6c0ERQ1SJrw9VU3DipJb6dY/QW5uceHvfJlYQiXN6nGGKUkvw
> > FlupnGef8TvHvgnHieiD9t3WRh+7WNKdMCs627U/Ym8VC0gcTXK3WORMdwrAVq7j
> > I7wEkXH4ms9sJD09ZGysNjlRylKvMzHlxxIjl3kpFmvGwus//BxMq8GCT+08cJ9Z
> > 5AOnYo5AWqWqa8nipilZ
> > =3DdpSm
> > -----END PGP SIGNATURE-----
> > _______________________________________________
> > dnsext mailing list
> > dnsext@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsext
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email