IETF Logo Mail Archive

Re: [dnsext] Issues in WGLC of dnssec-bis-updates

Mohan Parthasarathy <suruti94@gmail.com> Wed, 08 February 2012 18:45 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B0FF21F85F7; Wed, 8 Feb 2012 10:45:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1328726749; bh=yu1rKdoCEJNgpOu9NwoMj1DMa2vhThkWIFzFmUaGO3c=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:From:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=iGVdp74l/z0S8pKua8CAPXC+kLtZMYBiozIWR1EZRe30jnOED9ZxuSmPX4KndLczJ M6S7rFpP4ZmP1nFQA2Wrq61+jlBgGxt2XpCbA7dOcTTb3kre/IwN49vSZtf/nAyjIQ BmKvx9lqtuccIYW6YTZymGJd5fWZ9zb2AJuM+4m8=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B43C721F85FB for <dnsext@ietfa.amsl.com>; Wed, 8 Feb 2012 10:45:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.459
X-Spam-Level:
X-Spam-Status: No, score=-3.459 tagged_above=-999 required=5 tests=[AWL=0.140, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aOK7BjCPh3cL for <dnsext@ietfa.amsl.com>; Wed, 8 Feb 2012 10:45:47 -0800 (PST)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7607721F85F7 for <dnsext@ietf.org>; Wed, 8 Feb 2012 10:45:47 -0800 (PST)
Received: by qcsg13 with SMTP id g13so573048qcs.31 for <dnsext@ietf.org>; Wed, 08 Feb 2012 10:45:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=gT+q8yVahPfoLXKtWAb9GCAS3V5QxlFvJnTwR7HIj9A=; b=iuGe86+e2h8l4PzD0dUGdi+cCkOQgOQ4EU3+mt2O1UQTGGuX/DkZwt8EJEqt5Q+iN+ KR8vjYsUmqUA39xyzaG8A+C/Ub0LsJzI/u72ez+9MV7sRielJXhE9W9ilfnfNy8hK6Cb V8YoTV2v/q+aCXVIs6w8u1b0BCh9Lc0utErxY=
MIME-Version: 1.0
Received: by 10.224.33.14 with SMTP id f14mr4590973qad.49.1328726747027; Wed, 08 Feb 2012 10:45:47 -0800 (PST)
Received: by 10.229.20.193 with HTTP; Wed, 8 Feb 2012 10:45:46 -0800 (PST)
In-Reply-To: <4F3232B6.3060505@nlnetlabs.nl>
References: <20120207151820.GE9478@crankycanuck.ca> <4F31449C.9040604@nlnetlabs.nl> <a06240801cb570a945202@192.168.128.143> <CACU5sD=bUC9bC_OW4SeH2h6DPM+d3+-JkZyz=6u=dpmj+7rVjw@mail.gmail.com> <4F3232B6.3060505@nlnetlabs.nl>
Date: Wed, 08 Feb 2012 10:45:46 -0800
Message-ID: <CACU5sDk8zGPF-w5BpBG21tNW1s0mpCEUP=YBaoZXhmbHT-+u-A@mail.gmail.com>
From: Mohan Parthasarathy <suruti94@gmail.com>
To: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Issues in WGLC of dnssec-bis-updates
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Wed, Feb 8, 2012 at 12:30 AM, W.C.A. Wijngaards <wouter@nlnetlabs.nl> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Mohan,
>
> The definition of indeterminate was wrong in RFC4035, and you now seem
> to think DNSSEC is riddled with downgrade.  There is no downgrade,
> because the security-states are the outcome of the chain-of-trust
> algorithm, not implemented from its definitions in RFC4035.
>
Okay, after reading your response and re-reading 4035 and 4033, I
think 4033 definitions for Bogus, Insecure and Indeterminate capture
the discussion below more clearly.

 <snip>

> On 02/07/2012 08:51 PM, Mohan Parthasarathy wrote:
>> On Tue, Feb 7, 2012 at 9:14 AM, Edward Lewis <Ed.Lewis@neustar.biz> wrote:
>>> At 16:34 +0100 2/7/12, W.C.A. Wijngaards wrote:
>>>
>>>> insecure, or bogus.  Note that with the root trust anchor the
>>>> indeterminate state no longer occurs, since we know everything is
>>>> covered by that trust anchor.
>>>
>>>
>>> I disagree with that.
>>>
>>> The Internet that we usually think about as being the only one is what I
>>> call the "global public Internet".  For the global public Internet, the DNS
>>> in common use does have a trust anchor for it's root zone so the assertion
>>> holds for the majority of cases, but then again only for recursive servers
>>> that have the trust anchor.
>>>
>>> There are other inter-networks that use the DNS protocol.  In at least one
>>> of these, DNSSEC has not been deployed.
>>>
>>> And, you can stretch this to the case of a recursive server, on the global
>>> public Internet, that does not have the root anchor configured - and may
>>> have another anchor.  To such a server, validating some DNS data is
>>> impossible (incalculable).
>>>
>>> The protocol cannot be defined assuming one particular mode of operation.
>>>
>> Before getting to define this precisely, we should try to understand
>> the different cases that can occur and see whether we all agree on the
>> error status for the different cases.
>
> Why data cannot be fetched is not a factor in the end result.  This
> simplifies the cases to: cannot get the proper DNSSEC data, can get
> proper DNSSEC data but it's invalid, can get proper DNSSEC data and it's
> ok.  And the results are bogus, bogus, secure.  If you find an insecure
> delegation it is insecure.  If there is no applicable trust anchor, the
> result is indeterminate (that is effectively just like insecure).
>

Ok, Bogus, Secure and Insecure applies only when there is an
applicable trust anchor. When it is absent, it is indeterminate. That
simplifies a lot.

 <snip>
>>
>> 1) We get some DNSSEC RRs back but can't validate. Just being able to
>> partially validate without tracing back to the trust anchor is equally
>> bad as not being able to validate the signatures.
>
> Yes, that is bogus in today's implementations.
>
>> 2) We get no DNSSEC RRs back. This could be a problem in the path or
>> the zone is not signed. We can't tell the difference without some
>> extra configuration.
>
> You can tell the difference because the chain-of-trust is signed itself,
> and this extends from the trust anchor to the data you just got, and
> thus you know if this zone is signed or not.  And thus in your question,
> the unsigned zone is ok(insecure), and the signed-zone-missing-DNSSEC
> RRs is not ok(bogus).
>
>> How does it help the application to make this more fine grained ?
>
> No, the application just wants all bogus data to be removed.  Data that
> is secure and data that is not DNSSEC signed is what it wants.  Because
> of the chain-of-trust the validator knows which parts of the space below
> a trust anchor is signed (and must have DNSSEC available) and which part
> is unsigned.  This property could be the cause that made insecure and
> indeterminate terms exist, as indeterminate is not really processed but
> simply the absence of a covering trust anchor, just like in the case
> where you had no trust anchors at all.  But then insecure needs
> processing: you have to validate the chain of trust from the trust
> anchor to the insecure-delegation point, and only then can you conclude
> that the data is insecure.  This is something internal to the DNSSEC
> validator, and not particularly impressive to the application, that
> likely just wants to know if the data was DNSSEC-signed (if so: secure
> or bogus) or if the data was not DNSSEC-signed (as determined with the
> configured set of trust anchors).
>
That was very useful discussion.

regards
mohan

> Best regards,
>   Wouter
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.15 (GNU/Linux)
> Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
>
> iQIcBAEBAgAGBQJPMjK2AAoJEJ9vHC1+BF+NxVUQAIyQ4nPk7Syogn9uh4z890yJ
> kmPxslbpvHru47OxKd0tYvozldnP32z1+JToGSZR8qRU+w9SAQLutnFkqCU28x95
> QUAot8G157kxZT95zhdjVqpbyUYDYwKKUY4jqplq4IuyIm1ewEOcwAS8Sak1o9Gr
> 17Xs4aCpl55QmTCZAlP+r6SwCDY738Py9I51BJhifAB9HdkT6XK1+bsbMSiFhG+o
> koICUhKaLDthmFvBrHBVCiW4xD5uk8ww2jlMNXv2LaRT05tfVjLC0EfboFn3kEkg
> +c39M8Bm4GlkQvB1Wr37AEPn/m0PYbsC2lOEQL/04QRGiAcDTtjo4bzzsKb6yFFi
> cWg8mUsldcSikZB+YFVS0RRLGcKCWhOVHxxMqKlA/IdzBU02JiGaYqZU9SKaakkc
> 8AEFJkQdUYerh4BPeiwlzpy4uS3kiJU7A8hKnQSIuRR1xo7r28NKuvrxLnw5b3es
> kExf4pyb5zitBPx6c0ERQ1SJrw9VU3DipJb6dY/QW5uceHvfJlYQiXN6nGGKUkvw
> FlupnGef8TvHvgnHieiD9t3WRh+7WNKdMCs627U/Ym8VC0gcTXK3WORMdwrAVq7j
> I7wEkXH4ms9sJD09ZGysNjlRylKvMzHlxxIjl3kpFmvGwus//BxMq8GCT+08cJ9Z
> 5AOnYo5AWqWqa8nipilZ
> =dpSm
> -----END PGP SIGNATURE-----
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email