Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16
Mohan Parthasarathy <suruti94@gmail.com> Tue, 13 March 2012 17:38 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6192521E8043; Tue, 13 Mar 2012 10:38:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1331660306; bh=UEo5gVbQqBhDwZ0rpZoQpR3D4dyMdE2dD1mKnTRgRWA=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=cDP3V5F4TUhkIS1RmHggfTfseWVUqbOd4FOPmmnsUVgoQhispMH6N8Bv+v4ePV1Pe H39Nwr1tJ2EMncakP4atOG/hX4ZuLi0Cl+iSByy8jshHO8DsqFbKSntKul/xaOUL9b LbBE0GiVdgavEqLdqiX2+ntGray7IZWiQ8jS7wlw=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07A1D21E8050 for <dnsext@ietfa.amsl.com>; Tue, 13 Mar 2012 10:38:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.501
X-Spam-Level:
X-Spam-Status: No, score=-3.501 tagged_above=-999 required=5 tests=[AWL=0.098, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dbm+93aFSF-9 for <dnsext@ietfa.amsl.com>; Tue, 13 Mar 2012 10:38:21 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 1A2B921E8040 for <dnsext@ietf.org>; Tue, 13 Mar 2012 10:38:21 -0700 (PDT)
Received: by ggmi1 with SMTP id i1so941967ggm.31 for <dnsext@ietf.org>; Tue, 13 Mar 2012 10:38:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=a3IoWWCJMmAHX4dr8uKvoX3cE23Pi6CcznrxgHqeKDY=; b=YOzV89sN4LvN6M9/JcFnBYr7hG3dcJlxO6FJRcVdFtQLClwPC7gncl/qJ4JOYxUW3Q fYpCD6EsckxzeCHOHSFJNkEDOGVs8BLpAXEt4i7NC7q7YKmqmqfgO63eigFJJ2aNjQAH bANpb44hy6HiufhwjjRq+sNzb6KtTtw4f3T9NRK2FV4DDy4q5BsXQibLYp2IlF64vNgN 5omZK2IMkcgB/N/6cP05eWr/MCd1SNRGxV9hRo+8WTNlP5KgCAIVdUm5IWJrEhfP/6OE DdQ4BUKxrrmB95CY1zsCFC8wfmW+s8PsATbOoy1DbEjL7ElTN+Hqhh+Ko05mSlerVCSz N5Cg==
MIME-Version: 1.0
Received: by 10.224.184.10 with SMTP id ci10mr84427qab.4.1331660300614; Tue, 13 Mar 2012 10:38:20 -0700 (PDT)
Received: by 10.229.234.67 with HTTP; Tue, 13 Mar 2012 10:38:20 -0700 (PDT)
In-Reply-To: <alpine.BSF.2.00.1203121532490.39342@fledge.watson.org>
References: <20120120054939.GD4365@mail.yitter.info> <CACU5sDnS-3V26yKyvTGObR67H2LPiBjWxCZAbMpHPZrgXJeNFg@mail.gmail.com> <alpine.BSF.2.00.1203121532490.39342@fledge.watson.org>
Date: Tue, 13 Mar 2012 10:38:20 -0700
Message-ID: <CACU5sDk_O5jxu5ejbTqcRRrFRYd05JaXaTBCW071bq5CVz=O5g@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: Samuel Weiler <weiler@watson.org>
Cc: DNSEXT Working Group <dnsext@ietf.org>
Subject: Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
On Mon, Mar 12, 2012 at 12:41 PM, Samuel Weiler <weiler@watson.org> wrote: > On Fri, 27 Jan 2012, Mohan Parthasarathy wrote: > >> - Section 4.4 Insecure Delegation proofs last sentence is very >> confusing. An example as to what attack this is describing would be >> helpful to the implementer. > > > Here's an example of the attack we're trying to avoid. Consider a signed > zone that contains the names: > alfa.example.com. > and > bravo.alfa.example.com. > > alfa.example.com is NOT a delegation. Instead, it has this NSEC record: > > alfa.example.com. 86400 IN NSEC host.example.com. ( > A MX RRSIG NSEC TYPE1234 ) > > The quesion is: could an attacker use this NSEC record in reply to a query > for bravo.alfa.example.com, replying with either a spoofed > bravo.alfa.example.com or even claiming the name doesn't exist? Under the > old rules, read literally, that attack would work: the NSEC does not have a > DS or SOA bit. It also does not have an NS bit, but the rules did not say > to check for that. > When proving that the delegation is not secure (which is what this section is talking about), the NSEC record has to match the name that is being looked up. If the names don't match, then it can't be a delegation. David's response clarified this. > The forthcoming -17 has that section somewhat reworked. There still is no > example in. Let us know if you really want that. > This is the new text: Without this check, an attacker could reuse an NSEC or NSEC3 RR matching a non-delegation name to spoof an unsigned delegation at that name. This would claim that an existing signed RRset (or set of signed RRsets) is below an unsigned delegation, thus not signed and vulnerable to further attack. Though the text is improved, it is easy to understand if you read this text along with the example. -mohan > (note: the error is also broken, since bravo.alfa.example.com sorts before > host.example.com. maybe there are multiple ways to catch this attack.) > > >> - The "Security Considerations" section says: >> >> This document adds two cryptographic features to the core DNSSEC >> protocol. >> >> Is this referring to the algorithms mentioned in section 2.2 ( >> which actually lists three) or something else ? > > > clarified. > > -- Sam > _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updat… Andrew Sullivan
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Mark Andrews
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Andrew Sullivan
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Edward Lewis
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… W.C.A. Wijngaards
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Mohan Parthasarathy
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Mark Andrews
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Mohan Parthasarathy
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Mark Andrews
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Mohan Parthasarathy
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Mark Andrews
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Warren Kumari
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Michael StJohns
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Samuel Weiler
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Matthijs Mekking
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Paul Hoffman
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Samuel Weiler
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Samuel Weiler
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Samuel Weiler
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Samuel Weiler
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Blacka, David
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Samuel Weiler
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Mark Andrews
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Mohan Parthasarathy
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Samuel Weiler
- Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-u… Mark Andrews