[secdir] Secdir early review of draft-ietf-dnsop-compact-denial-of-existence-04
Brian Weis via Datatracker <noreply@ietf.org> Tue, 30 July 2024 23:51 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from [10.244.2.81] (unknown [104.131.183.230]) by ietfa.amsl.com (Postfix) with ESMTP id 91FA0C151069; Tue, 30 Jul 2024 16:51:03 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Brian Weis via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 12.19.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <172238346320.1988233.11549951810315868557@dt-datatracker-659f84ff76-9wqgv>
Date: Tue, 30 Jul 2024 16:51:03 -0700
Message-ID-Hash: GJ577NSRMRRTGWPM6LUGYV67VZ7Q7R2M
X-Message-ID-Hash: GJ577NSRMRRTGWPM6LUGYV67VZ7Q7R2M
X-MailFrom: noreply@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org, draft-ietf-dnsop-compact-denial-of-existence.all@ietf.org
X-Mailman-Version: 3.3.9rc4
Reply-To: Brian Weis <bew.stds@gmail.com>
Subject: [secdir] Secdir early review of draft-ietf-dnsop-compact-denial-of-existence-04
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/SMBp-9OPyOplxT1ZOtUXG2LULYo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>
Reviewer: Brian Weis Review result: Has Nits I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is Has Nits. This document adds a “Compact Denial of Existence in DNSSEC” method to a couple of existing “denial of existence” methods using DNSSEC (i.e., NSEC and NSEC3). Denial of Existence means “proving that a DNS name or record type does not exist”. It does this by returning a dynamically signed DNS response with this information. A new RR type (NXNAME) is defined in the document, which is returned by a server with the “denial of existence” declaration. This method is said to be smaller in size and requires less cryptographic computing than the previous methods, including when those methods dynamically sign updates. With the caveat that I am not very familiar with DNS protocols, this document seems to have generally considered the security ramifications of the method. The risks of on-line signing of DNS records are covered. Additionally, the document states that this method “prevents adversaries from enumerating the entire contents of DNS zones by walking NSEC chains”. Security Considerations also mentions that some security tools rely on particular return codes to detect non-existent domain names, and their current method may be impacted by this change. This is unfortunate, but I suspect that there was no clean way to accommodate those semantics in this design. It is noted that if security tools support this new method that they will be relying on signed data rather than the unsigned header to obtain the same information. Also, the document describes an optional header flag which a resolver that returns a different status. This seems to be intended to aid security tools, but perhaps if they’ve updated their tool to send a new header flag they would also be able to update it to accept the main method described in this document. Is theres another practical reason for this optional feature? Or are the semantics of a resolver understanding both the old and new main methods just complicated and this makes it easier for them? I’m a little confused by this statement in Section 4 (Response Code Restoration): “For non-existent names, implementations should try wherever possible, to preserve the response code value of 3 (NXDOMAIN). This is generally possible for non-DNSSEC enabled queries, namely those which do not set the DNSSEC_OK EDNS flag (DO bit).” I believe this is describing a case where the response does not include DNSSEC. Based on the name of the document that it was concerned only with a DNSSEC response, so it’s not clear to me why this suggestion needs to be made. One general suggestion is that it might be helpful for the RFC Editor if there was an explicit note somewhere warning them that Section 6.2 contains an (RFC TBD) self-reference that they’ll need to resolve.
- [secdir] Secdir early review of draft-ietf-dnsop-… Brian Weis via Datatracker
- [secdir] Re: Secdir early review of draft-ietf-dn… Shumon Huque
- [secdir] Re: Secdir early review of draft-ietf-dn… Brian Weis