Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
Edward Lewis <Ed.Lewis@neustar.biz> Mon, 26 March 2012 09:44 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06AEC21F85FB; Mon, 26 Mar 2012 02:44:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1332755051; bh=Pa0cV3uOGXFHiLN5Zip5xaNCUnSQe5/wMUXGUNhyo+c=; h=Mime-Version:Message-Id:In-Reply-To:References:Date:To:From:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Transfer-Encoding:Content-Type:Sender; b=EdX/DHj+uGMKmS7PkT4tcgFELV6Vdkn3cq1u8uROIfkluBJzXERZAPMVN9RFpBtpv zGZt/0zWaxSUDClbxyxk+FNyjO7tapChjAoVd1WobKiMSM4kJjI84OTrjuE768mPdM 4NYEkp5cuGp4ksC/EktH4nEaf+yw3/bEesKbo3Q4=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20FD921F8600 for <dnsext@ietfa.amsl.com>; Mon, 26 Mar 2012 02:44:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hJYV3MK4gTzJ for <dnsext@ietfa.amsl.com>; Mon, 26 Mar 2012 02:44:09 -0700 (PDT)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by ietfa.amsl.com (Postfix) with ESMTP id C296821F85FB for <dnsext@ietf.org>; Mon, 26 Mar 2012 02:44:08 -0700 (PDT)
Received: from dhcp-45d4.meeting.ietf.org (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id q2Q9i5fj062537; Mon, 26 Mar 2012 05:44:06 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Received: from [130.129.69.212] by dhcp-45d4.meeting.ietf.org (PGP Universal service); Mon, 26 Mar 2012 11:44:06 +0200
X-PGP-Universal: processed; by dhcp-45d4.meeting.ietf.org on Mon, 26 Mar 2012 11:44:06 +0200
Mime-Version: 1.0
Message-Id: <a06240800cb95e2032ad8@[130.129.69.212]>
In-Reply-To: <4F6C99CB.7080806@ogud.com>
References: <4F6C99CB.7080806@ogud.com>
Date: Mon, 26 Mar 2012 11:43:47 +0200
To: Olafur Gudmundsson <ogud@ogud.com>
From: Edward Lewis <Ed.Lewis@neustar.biz>
X-Scanned-By: MIMEDefang 2.72 on 10.20.30.4
Cc: "<dnsext@ietf.org>" <dnsext@ietf.org>
Subject: Re: [dnsext] Validator assumptions: what algorithms need to properly sign a zone?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
At 11:42 -0400 3/23/12, Olafur Gudmundsson wrote: >Both positions are arguable, but it is bad for resolver vendors to >be put in this position to argue with customers why they disagree on >the right answer, and DNSSEC operators need a strong message what is >allowed. I disagree. There should be no argument. A validator needs to be as liberal as possible in building a secure "chain" to a trust anchor. Liberal means using as many valid options as possible including jumping algorithms. Liberal does not mean bending the rules, accepting invalid signatures nor accepting expired signatures. The reason for the need to be liberal is that DNSSEC is an "add on" which inherently makes the underlying system more brittle. By declaring once valid states of the DNS protocol to be dead states (SERVFAIL) DNSSEC is choking off parts of the protocol. To correct for that, at least in the name of reliability, resiliency, and availability, DNSSEC has to be as liberal (rugged is another word) as possible. Looking at the example, the A2 signatures would be consider not germane by any validator that lacks an A2 trust anchor that was the key doing the A2 signing. The lack of A1 signatures would mean any validator could rightly assume that something removed the signatures ("rightly assume" is not equal to "be right in assuming") and treat the response as suspect/invalid *if not* for the presence of a valid chain via the B1 algorithm. A valid chain is harder to construct that an invalid one. Make it it harder for a malicious agent by recognizing that fact. Don't make it trivial to cause a denial of service. >In the case of a validator that supports A but not B SERVFAIL is the >right answer as the zone is not properly signed for that algorithm. That is true. In this case, the validator's failure to speak algorithm B is a testament to a lack of ruggedness. >Some people in this working group have argued that use/order of algorithms >should be local policy and it is outside the documents scope to talk about >this, others argue that will lead to unpredictability in resolution status. Everything is trumped by local policy. And if local policy is not rely on an algorithm, that is a fact of life. DNSSEC does not guarantee the data will get though, it guarantees that is what is received can be tested. (Positive, validation isn't guaranteed, just that the receiver will have the means to test.) >Doodle poll available at: > http://www.doodle.com/7v5vmzvaerb2n8sb Filled in the poll, but still reject voting. ;) -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis NeuStar You can leave a voice message at +1-571-434-5468 2012...time to reuse those 1984 calendars! _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] Validator assumptions: what algorithms n… Olafur Gudmundsson
- Re: [dnsext] Validator assumptions: what algorith… Samuel Weiler
- Re: [dnsext] Validator assumptions: what algorith… Samuel Weiler
- Re: [dnsext] Validator assumptions: what algorith… Tony Finch
- Re: [dnsext] Validator assumptions: what algorith… Olafur Gudmundsson
- Re: [dnsext] Validator assumptions: what algorith… Mark Andrews
- Re: [dnsext] Validator assumptions: what algorith… Mark Andrews
- Re: [dnsext] Validator assumptions: what algorith… Mark Andrews
- Re: [dnsext] Validator assumptions: what algorith… Edward Lewis
- Re: [dnsext] Validator assumptions: what algorith… Tony Finch
- Re: [dnsext] Validator assumptions: what algorith… Edward Lewis