[secdir] secdir review of draft-ietf-dnsop-nsec-aggressiveuse
Sandra Murphy <sandy@tislabs.com> Tue, 28 March 2017 16:34 UTC
Return-Path: <sandy@tislabs.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2637120724; Tue, 28 Mar 2017 09:34:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VP3qpkn_TIXJ; Tue, 28 Mar 2017 09:34:38 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 679E2126DFB; Tue, 28 Mar 2017 09:34:35 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id C36FB28B0041; Tue, 28 Mar 2017 12:34:33 -0400 (EDT)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id 2AE6A1F8036; Tue, 28 Mar 2017 12:34:33 -0400 (EDT)
From: Sandra Murphy <sandy@tislabs.com>
X-Pgp-Agent: GPGMail
Content-Type: multipart/signed; boundary="Apple-Mail=_FC2E29DD-1191-43F4-99A0-C3D82E427BCC"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Date: Tue, 28 Mar 2017 12:34:32 -0400
Message-Id: <F8D0F7F4-414B-44A4-B6D0-428D506D97C7@tislabs.com>
To: secdir@ietf.org, draft-ietf-dnsop-nsec-aggressiveuse@ietf.org, dnsops-chairs@ietf.org, The IETF <ietf@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/IVUaV4kVys9SUVT4bNDzuYeQMWs>
Subject: [secdir] secdir review of draft-ietf-dnsop-nsec-aggressiveuse
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 16:34:41 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document suggests that resolvers should use NSEC/NSEC3 proof of non-existence for a domain name in a received query to generate a negative reply, rather than relying on the current spec of an exact match to the domain name. Generating positive replies from wildcard answers is also suggested. The motivation is improvements in latency for queriers and improvements in bandwidth and CPU load on recursive resolvers and validation servers. I have no serious objections about the draft. I am curious about my thought that an attacker might find this of benefit, as they can learn of non-existence in just one query, rather than every name in a NSEC denied range. I know zone walking is a concern to some, but I do not know if ease of determining non-existence is also a concern. Section 7 explicitly spells out the changes to RFC4035 are explicitly spelled out as to what is removed and what replaces it. Section 5 is not so clearly delineated. The last paragraph of 5., nothing in 5.1 or 5.2, and the last paragraph of 5.3 use SHOUD/MUST/MAY kinds of language. For the paragraphs that don’t - should they? For the paragraphs that do, is this additional behavior or a replacement for existing spec (i.e. like the section 7 update to RFC4035). If a replacement, a replacement of what? If not, where do the new paragraphs fit? The following is a sequential set of comments, not in importance order. page 3 This document updates RFC 4035 to allow recursive resolvers to use NSEC/NSEC3 resource records to synthesize negative answers from the information they have in the cache. re: recursive resolvers - is the technique not applicable to stub resolvers? (I do see references to stub resolver caches in a web search, but you can’t trust the web.) [RFC8020], and [I-D.vixie-dnsext-resimprove] proposes first steps to using NXDOMAIN information for more effective caching. This takes this technique further. Unless rfc8020 and the vixie draft are the same thing (don’t think so), should be “propose”. Too many uses of “this” in that last sentence - I presume you mean This draft takes those previous techniques further. page 4 If a validating resolver receives a query for cat.example.com, it contacts its resolver (which may be itself) Maybe If a validating resolver receives a query for cat.example.com, it contacts its recursive resolver (which may be itself) About: and also has privacy implications (e.g: typos leak out further than necessary). Does it also make certain explorations easier, where someone can find out a range that does not exist by doing just one query rather than query every name in the range? Or is that sort of exploration already prevented by other techniques? If a query is received for leek.example.org, it contacts its resolver (which may be itself) I suggest “the resolver contacts its <recursive> resolver” - the query is not doing the contacting. page 6 section 5.1 and 5.2 say “resolver can immediately return” - is this meant to specify new behavior, should they have SHOULD/MAY/MUST kinds of words? page 7 Section 5 of [RFC2308] states that the maximum number of negative cache TTL value is 3 hours (10800). I don’t find a maximum in RFC2308. I do find: Values of one to three hours have been found to work well and would make sensible a default. Did I miss something? “the maximum number of negative cache TTL value is” - a bit twisty. Did you mean something like: Section 5 of [RFC2308] states that the maximum negative cache TTL value is” otherwise, I’d think “number of … values”, but even so I don’t think there are multiple values here. Are there? page 9 <truly nitty> The text says Thanks to Mark Andrews for providing the helpful notes for implementors provided in Appendix B. The authors would like to specifically thank … Mark Andrews also provided the helpful notes for implementors (https://www.ietf.org/mail- archive/web/dnsop/current/msg18332.html) which we made into Appendix B. Perhaps you intended to thank him twice? No problem, just wondering. —Sandy
- [secdir] secdir review of draft-ietf-dnsop-nsec-a… Sandra Murphy
- Re: [secdir] secdir review of draft-ietf-dnsop-ns… Warren Kumari
- Re: [secdir] secdir review of draft-ietf-dnsop-ns… Sandra Murphy