[secdir] Fwd: SECDIR review of draft-ietf-dnsop-dns-zone-digest-09
Donald Eastlake <d3e3e3@gmail.com> Sun, 13 September 2020 01:53 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C45E3A08B2; Sat, 12 Sep 2020 18:53:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.838
X-Spam-Level:
X-Spam-Status: No, score=-1.838 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FREEMAIL_DOC_PDF=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SK4XgPtxIDxl; Sat, 12 Sep 2020 18:53:25 -0700 (PDT)
Received: from mail-il1-x143.google.com (mail-il1-x143.google.com [IPv6:2607:f8b0:4864:20::143]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FA463A08AF; Sat, 12 Sep 2020 18:53:25 -0700 (PDT)
Received: by mail-il1-x143.google.com with SMTP id y9so4669966ilq.2; Sat, 12 Sep 2020 18:53:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uYqqgwi9XeJvidFUfEmcxLrurD0n7RxNV+L3syRgPjU=; b=t6UFjfYwiAfFgOit/gD5ldRKP2E3RnUrZxvkmlpqLHEE47kx7DK9Qr0OySAl+qgVWu 1XV5EqXg/Cd151vZ/ggXx/w1Mq7YJiRpoLsBjvWfxIceDn4bSTbUwKvh6r7kfOwA+pny BY/pxKIuUh+y92hoDA4ewnyEjKKRpnIPcO6sk2xiQEFn3kskPJGkYFuhQPgQF+QJmq1p wtTN2367R1fP/ZMEpbUaXGRGu39mmUn+VufnTRoUUOI1ufh69P+zhO5RrzN6m9ez9K6U qZVVcLRXQJDieCugRyV9NRgMBabh6eqO1kpSuBZKr/elzAnpZ/fCLl+ospfshZqUhy8a JONA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uYqqgwi9XeJvidFUfEmcxLrurD0n7RxNV+L3syRgPjU=; b=mWAWO/MgdSExE71vAqTER3WuzYzB/V9l1rnPZMooI0zCM6w0lZXHKPao8zisQBr7TZ mKqE0Is9FySns522CjArcQg2ZulaX8KlCltFOWCrXtcvEh3JqaYTL7naQARQxS//tGdl wMzP3WylYRDhTbN7MsmEvamY5ZbqspDAK6kuhL+1jIPZ5/uozotuv+rx/9XosMFY6qjY i8m8P5oS5ILz6AH8DJOUi7hJmAbjtI3KTcN8/5Jbye+BUc7ulNeHwFXjjmIxt+SojZhU ZZm20x1SBZExcVDFK2hvsY0cLTBlO7DFvQWHgrS9UNmORu7ci2wyWshr+Y1ILPhGOpww OnVA==
X-Gm-Message-State: AOAM532aiJm0OJRfCMNxYL6biuL37jN/qoVkaQbsz3vrcsqmWECoLvxU hQua6ciR1rNVlZsT0NYpAZSWMVf5lhlTuEHWJaI1wKmqw+U=
X-Google-Smtp-Source: ABdhPJwwv0blzcI1n06DgjbSbwlugPzikBu1Ta5aSvxEltZYiMTDJ+i2UhvNJ+hhSVufDOyX5gmFIWBzGpxYHj+iVgg=
X-Received: by 2002:a92:a111:: with SMTP id v17mr7610552ili.83.1599962002132; Sat, 12 Sep 2020 18:53:22 -0700 (PDT)
MIME-Version: 1.0
References: <CAF4+nEGaCJ0Y+_Q9Q+HbbBWCcOgzH-rLG+OoP5d-LxXtmCYqNQ@mail.gmail.com>
In-Reply-To: <CAF4+nEGaCJ0Y+_Q9Q+HbbBWCcOgzH-rLG+OoP5d-LxXtmCYqNQ@mail.gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Sat, 12 Sep 2020 21:53:08 -0400
Message-ID: <CAF4+nEHXrK1Got=CsfhpW_v8Z3i3dZKsRXUABiGcfHWzQ01yQQ@mail.gmail.com>
To: "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-dnsop-dns-zone-digest.all@ietf.org
Cc: secdir <secdir@ietf.org>
Content-Type: multipart/mixed; boundary="000000000000cab08505af282ed1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RYS_YRmcHvwEauT-6UhvtqSJ9-8>
Subject: [secdir] Fwd: SECDIR review of draft-ietf-dnsop-dns-zone-digest-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Sep 2020 01:53:27 -0000
Trying again with the correct subject line. Sorry, Donald =============================== Donald E. Eastlake 3rd +1-508-333-2270 (cell) 2386 Panoramic Circle, Apopka, FL 32703 USA d3e3e3@gmail.com ---------- Forwarded message --------- From: Donald Eastlake <d3e3e3@gmail.com> Date: Sat, Sep 12, 2020 at 1:20 PM Subject: SECDIR review of draft-ietf-dnsop-dns-zone-review-09 To: iesg@ietf.org <iesg@ietf.org>, <draft-ietf-dnsop-dns-zone-digest.all@ietf.org> Cc: secdir <secdir@ietf.org> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is Ready with Issues. Notwithstanding that I have a lot of comments below, I think the idea in this draft is a good one and look forward to its approval by the IESG. SECURITY ISSUES 1) The document claims that the presence of ZONEMD enables someone holding the zone data to be able to determine its "authenticity" even in the absence of DNSSEC. While it is not clear exactly what is meant by "authenticity", I think this is misleading. I think that, at best, without DNSSEC, you can test the data's "integrity". This is still useful to protect again corruption and errors. But as I understand it, "authenticity" takes a lot more machinery to test, such as the DNSSEC mechanisms. OLD (Section 1) It allows a receiver of the zone to verify the zone's authenticity, especially when used in combination with DNSSEC. NEW It allows a receiver of the zone to verify the zone's integrity and, when used in combination with DNSSEC, its authenticity. There is a similar problem with the first paragraph of Section 6.1. 2) The minimum size of the Digest Field, 1 octet, seems too small. Typical minimum size for such a field in IETF protocols seems to be 96 bits or 12 octets, so that, at least with a strong hash function, you have a reasonable resistance against brute force attacks. Also, while it is fairly obvious, you might want to mention how a receiver determines the length of the Digest Field. OLD (Section 2.2.4) The Digest field must not be empty. NEW The Digest Field MUST NOT be shorter than 12 octets. If it is, the ZONEMD RR containing that short digest cannot be used to verify a zone. The length of the digest field is determined by deducting the fixed size of the Serial, Scheme, and Hash Algorithm fields from the RDATA size in the ZONEMD RR header. 3) SHA384 / algorithm agility -- here are some thoughts/comments on SHA384 and algorithm agility: 3a) SHA384 is a strong hash algorithm and is excellent for integrity checking and the like but initially I was wondering if an algorithm with a cryptographically stronger structure would be better if one is trying to protect against active adversaries, even if the hash were shorter. For example, HMAC-SHA2-256 which takes about as much computation as SHA2-384. (Could be keyed by the "ZONEMD" concatenated with the zone name.) But on further thought, DNSSEC strengthens things a lot. ZONEMD will be covering not just the SOA serial but also the Signature Expiration and Inception fields in the DNSSEC signatures. So, while I haven't done a deep analysis, the more I think about it the more it seems like a strong straightforward hash like SHA2-384 is OK. 3b) The draft lists only SHA2-384 but never says that it MUST be implemented. Although it's fairly obvious, it seems to me the draft should explicitly say that somewhere. 3c) The draft never says how long the Digest Field should be when you use SHA384 -- presumably 48 bytes -- and what to do if the Digest Field is the wrong length -- presumably not use the ZONEMD for validation. (Presumably just add some text to 5.C. in Section 4.) 3c) SHA2-384 is just SHA2-512 with some different initialization values and with the 512 bit output truncated to 384. Thus the incremental effort of providing SHA2-512 in tiny if you have SHA2-384 (and vice versa). So, if SHA2-384 is mandatory, then you might as well make SHA2-512 mandatory also since you get it for probably <1% incremental effort. Having two mandatory algorithms with some people using one and some the other would provide some real confidence that implementations were actually looking at the Hash Algorithm Field, could handle Digest Fields of different length, etc., and the algorithm agility mechanisms might actually work. It currently looks a bit like only lip service is being paid to algorithm agility. 3d) On algorithm agility generally: There is a reasonable provision in the ZONEMD RR for a hash algorithm identifier. But, given that this is Standards Track I would have expected there to be hash algorithms specified of different types with one a MUST implement and one a SHOULD implement -- possible more but at least that. Blake or SHA3 would be example of a different algorithm type from SHA2. But I admit that SHA2-384/512 is very strong and a break in it significant enough to make much difference seems very unlikely. 4) There is no mention of local policy. If at some point there are multiple hash algorithms and/or schemes specified (which could include private use algorithms and schemes), a ZONEMD zone validator would likely need a local policy as to which algorithm/scheme digest it will pay attention to. See, for example, the first paragraph of Section 4 which assumes any good digest should be good enough to validate the zone for any verifier. 5) I'm not sure about the choice of "resilience" and "fragility" in Section 6.3 without a bit more context as, at first, they seem contradictory. See attached for one suggestion on this. It is great that examples are included but I did not check them for correctness. IANA CONSIDERATIONS A number of points: 6. For both the Scheme and Hash Algorithm registries: 6a. Value 255 should be listed as Reserved. 6b. Values 2-239 should be listed as Unassigned. 6c. Having a "RESERVED" mnemonic seems odd, I don't think I've seen it before. People usually just put a hyphen in the mnemonic column. 6d. In the rightmost "Reference Column", for things like Reserved or Private Use, the usual thing is to either just put a hyphen ("-") or to just say "[this document]". I don't think I have seen RFC 8126 given as a reference. 6e. Actually, 240-254 seems like a lot of values for Private Use. Why would you need 15 private hash algorithms within one administrative area? If you think there are going to be lots of private/proprietary hashes (national vanity crypto?) that get used moderately widely, there should be a provision for "vendor specific" hash algorithms where the "Digest Field" actually starts with a "vendor" identifier. 7. I don't think all the references to RFC 8126 are needed. These are all standard IANA terms. It would seem adequate to rename the "Requirements Language" section to "Terminology" and add one sentence saying "The terms Private Use, Reserved, Unassigned, and Specification Required are to be interpreted as defined in [RFC8126]." Then all other references to 8126 can be deleted. (You might need some DNS related entries in a Terminology section anyway. I have significant DNS background so I didn't feel any need for acronyms to be explained or the like but that might not be true of a general reader.) GENERAL 8. Sub-optimal ordering/grouping 8a. The sentence immediately before the Section 1.1 header, which give the implementation requirement for ZONEMD, seems a little confusing right after the preceding paragraph on DNSSEC. I think the sentence should be moved up before the DNSSEC paragraph. 8b. In Section 1.1 on Motivation, I think only the first paragraph is reasonably described by the section title. All of the rest of 1.1 is "1.2 Alternative Approaches" or something like that. 9. Chronological terminology I don't like all of the occurrences of "currently" or "at this time" in the document. How likely are these phrases to be true 20 years after this is published as an RFC? In many cases, this can be replaced by using "herein" or the like except in Section 7 (Performance Considerations) where some specific year or part of a year could be given. 10. There are a number of instances of "must", "must not", or "recommended" that I think should be in all capital letters. See attached markup. 11. Verbosity The document has a generally conversational style with some empty filler words that don't add anything scattered here and there. While this is all a matter of taste, I suggest the following: 11a. All occurrences of "certainly" and "Note that" should be eliminated. 11b Instead of saying "x can be used to y" or "x is designed to do y" just say "x does y" or the like. 11b. There are three statements in three different parts of the draft (Sections 2., 3.1, and 4.) to the effect that "When multiple ZONEMD RRs are present, each must specify a unique Scheme and Hash Algorithm tuple." I'm not sure what the best thing to do about this is but as long as the validation section makes it clear that such redundant occurrences mean none of them validate the zone, you are OK. 11c. See other instances of what I think is unnecessary wordiness and suggested changes in the attached. 12. Having an Implementation Status section (Section 10) is good while a draft is going through the approval process, but I think it is, as indicated in RFC 7942, inappropriate in a resulting standards track RFC. Furthermore, all of the disclaimer text given in RFC 7942 is missing here. So, I believe similar disclaimer text should be added and the RFC Editor should be requested to drop this section before publication. TYPOS 13. The only actual typo kind of errors I found were "the the" -> "the" in Section 7.1 and "can not" -> "cannot" in Section 4. ATTACHMENT Taking into account the above and to make other editorial suggestions, I have done an editing pass over the draft the results of which are attached. I hope you find it helpful. Thanks, Donald =============================== Donald E. Eastlake 3rd +1-508-333-2270 (cell) 2386 Panoramic Circle, Apopka, FL 32703 USA d3e3e3@gmail.com
- [secdir] SECDIR review of draft-ietf-dnsop-dns-zo… Donald Eastlake
- [secdir] Fwd: SECDIR review of draft-ietf-dnsop-d… Donald Eastlake
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Wessels, Duane
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Donald Eastlake
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Wessels, Duane
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Donald Eastlake
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Benjamin Kaduk
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Donald Eastlake