IETF Logo Mail Archive

Re: [dnsext] Forgery resilience and meeting in Stockholm

Otmar Lendl <lendl@nic.at> Wed, 20 May 2009 15:03 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8BCBC3A67EF; Wed, 20 May 2009 08:03:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.765
X-Spam-Level:
X-Spam-Status: No, score=-0.765 tagged_above=-999 required=5 tests=[AWL=-0.011, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_AT=0.424, RCVD_IN_DNSWL_LOW=-1, RDNS_NONE=0.1, SARE_MLH_Stock1=0.87]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v5iZAu1nQmer; Wed, 20 May 2009 08:03:00 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 3810D3A6FCB; Wed, 20 May 2009 08:02:55 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1M6nFi-0006as-Jp for namedroppers-data0@psg.com; Wed, 20 May 2009 14:58:42 +0000
Received: from [88.198.34.164] (helo=mail.bofh.priv.at) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <lendl@nic.at>) id 1M6nFM-0006Z1-KC for namedroppers@ops.ietf.org; Wed, 20 May 2009 14:58:28 +0000
Received: from [10.10.0.243] (nat.labs.nic.at [83.136.33.3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.bofh.priv.at (Postfix) with ESMTP id 24D4E554013; Wed, 20 May 2009 16:58:18 +0200 (CEST)
Message-ID: <4A141A88.1060700@nic.at>
Date: Wed, 20 May 2009 16:58:16 +0200
From: Otmar Lendl <lendl@nic.at>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Andrew Sullivan <ajs@shinkuro.com>
CC: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Forgery resilience and meeting in Stockholm
References: <20090508181422.GH2372@shinkuro.com>
In-Reply-To: <20090508181422.GH2372@shinkuro.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

A bit late, but whatever, here is my input:

Andrew Sullivan wrote:
> 
> 1.  Do nothing, and take all energy that might be devoted to this
> effort and direct it towards DNSSEC deployment.

no.

> 2.  Adopt draft-wijngaards-dnsext-resolver-side-mitigation-01.txt, and
> include in it recommendations to do nothing else except what that
> document contains.  Remove from section 3 any strategies we do not
> want to adopt.  (Note that this latter condition entails decisions
> about the next two options.)

Wouter's draft is a good summary, especially the re-query for RRSETs
learned from the Auth section. Definitely adopt it.

> 3.  Adopt draft-vixie-dnsext-dns0x20-00.  If we do (2), then perhaps
> this gets included in that document, or perhaps it proceeds as part of
> a set of documents.  Let's leave the editorial process issues out of
> the discussion, and just focus on whether we want to include this
> strategy in the tool box.

Just try to get the server side written down somewhere. That doesn't add
any cost, and leaves the option to do the client part open.

> 4.  Adopt draft-hubert-ulevitch-edns-ping-01.txt.  As in (3), this
> might be included as part of (2) or processed individually, but that
> doesn't matter.

The draft as it stands is far from perfect, but the generic idea that we
should try to somehow extend the query-ID is a very worthwhile one.

IMHO there are a few different aspects to this:

* The server-side is rather trivial, the only question is whether to
  go for a stateless or a stateful design on the server.

* Use a new pseudo-RR or go for an EDNS0 option.

What I'm really missing is a clear cut description on the client side
algorithm and fall-back strategies.

These huge email threads here have included both interesting schemes and
assertions that this is impossible to get right. That's not good basis for
a decisions, I'd really like to have a concrete proposal on the algorithm
so that any attacks against it can be properly documented and examined.

As with 0x20, I'm not sure whether we shouldn't split it up in a short
and relatively painless (and not just informational) spec on what that
extended qID looks on the wire and what the server-side is supposed to do,
and an informational/experimental draft on how this can be leveraged to
increase the security by the client.

/ol
-- 
// Otmar Lendl <lendl@nic.at>, T: +43 1 5056416 - 33, F: - 933 //

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email