Re: [secdir] SECDIR review of draft-ietf-dnsop-dns-zone-digest-09
"Wessels, Duane" <dwessels@verisign.com> Tue, 15 September 2020 15:38 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD2563A0995; Tue, 15 Sep 2020 08:38:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Er-U_w-4KcMi; Tue, 15 Sep 2020 08:38:34 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3345E3A098E; Tue, 15 Sep 2020 08:38:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=20309; q=dns/txt; s=VRSN; t=1600184314; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=d5KCEC7c1loZfaoTmyRqPhMKAEn4mKHM/Ke2jv8ZT+w=; b=Gc0xf0JNjU5iz3BQrp5whLt6+sDke0C9YbvnXGWTyhEq+UObXrEAsPwL 9r1K7/teufaBPfbcsKylKffleZp8ML9vefYric8+L8jSbH5SkjczzQgz8 8Y7W6DxBj0aujPYNZbtESV0ZQAn9u2Kt27Z4PCO0AjVTmySHQ/WYzqkjr E4KMLq4dBb8M0EQx8WJdewLC6x7giqSONqBA77wVj2JE9aGb+sT6LhlVw MeEgO3hyIoaYWVGtkWKjumrq43W5Hm5aZ8EQQcyyCiJVEevb3gx8PA/BT RPWTdG5i2KVKHtRVEVpRFqM0oSlPaWHfgzVOFq4gRDveJefw72eBRN60Y w==;
IronPort-SDR: 9+/35tGZojSp8rwYJyJBqy4FmdUgIia0quEfYe14yoMr5tkX6Wx6Gy9U69ieinC6T0Bk4gWyfx UIjucbmltRAIVgyvLOstB4mIiLyzI2AryE3alcY8sCvv2y4u4xY7/W4Bq9lHVrdS1NkDjjPSrR uevRARxrGTya8wdpgs1mT8uIZm1xfYDXjinwg7Zk/Mqq0SAfZjHXZmHt40NgG6plcF4XjP0SLz QUHz/cBPC5pHTr8tpOzpWPhGbdc3F7jyAXK6AamwFHaDpqJKTiMmexJ63olBW92Lp7tnQ3RVhu eiE=
X-IronPort-AV: E=Sophos; i="5.76,430,1592884800"; d="p7s'?scan'208"; a="2882277"
IronPort-PHdr: 9a23:/U/gBByzF4HnVIzXCy+O+j09IxM/srCxBDY+r6Qd0usSLvad9pjvdHbS+e9qxAeQG9mCtLQc06GL4+igATVGvc/f9ihaMdRlbFwssY0uhQsuAcqIWwXQDcXBSGgEJvlET0Jv5HqhMEJYS47UblzWpWCuv3ZJQk2sfQV6Kf7oFYHMks+5y/69+4HJYwVPmTGxfa5+IA+5oAnMtMQam5duJro+xhbJoXZDZuBayX91KV6JkBvw+8a98IR//yhMvv4q6tJNX7j9c6kkV7JTES4oM3oy5M3ltBnDSRWA634BWWgIkRRGHhbI4gjiUpj+riX1uOx92DKHPcLtVrA7RS6i76ZwRxD2jioMKiM0/3vWisx0i6JbvQ6hqhliyIPafI2ZKPxzdb7bcNgHR2ROQ9xRWjRBDI2icoUPE+QPM+VWr4b/oFUOrAexCga3CePg1jNIg2X73a0m3+g/FwzNwQwuH8gJsHTRtNj5OqcdXv6uzKnT0zrDa+hW1S/g44bGbxAuu/eMUqx+fcHMzkQgCg3EgUuLqYz+ITyV0v8NvnOF7+V+T+KvinUnqwB+ojip3Msjlo7JhocMx13C6C52z5o7K8eiR05nfd6rDoFQtyeCOoZ3Rs4uX31ktSYnxrAFpJO2fycExZQ6yxDfd/CKboiF7xzsWuuTITl0mXxodryxiRu280WuxO/xWte63VhKsCZIlMTHuH4K1xzW8MeHS/1981+g2TmRywDT5PtIIUcularULZMq370+loILvEjeAiP6glj6ga2Ye0k+5+Sl6+rqbq/pq5KYL4N4lx3yPr4zlsG9Heg0KBUCUmeY9OimybHu/kv0S6hQgPIsiKnWqpXaKNwepq6+HgBazJ4u6w26Dze6yNQYmmQHLE5ddBKHkYfpP1bOLejlAPmjm1qgjTdkyejJMLLgHpnBMGLPkKn9crZ68U5c0BA/wspC6J5OFLEBOunzWknruNPECR85NhS4w+fhCNpjyoMTQX+DDrODPK/Ps1KF6PgjL/SMaYIbojrwJPwo6+brjXAjmF8deaep3YEQaHC9BvlpPkuYbmT3gtcaD2gKuhE+Qff0iFKcSz5TZm2yX6Mz5jE9Eo6pEYDDRoW1jLybwCi7BoFWZnxBCl2UDHjleZuLVvkSZy+cOcJhnTkEWqKgS48lzx2hqAj6y79/JOrO5iIYrY7j1MRy5+DLlBE96yd0D8uG3mGMUW50gm0ISyUx3KBlrkx30k2D3rRgg/xECdxT4OtEXRogNZHGwex6F8n+WgPfcdeVRlaqW8ipATcqTtI2298CeltyG9O5jhza3iuqBLkVmKKSCJMp86Lc0Gb+J91hy3rczqYhi10mT9BONWK4mq5/+RLfB4nTk0WWj6yqb7gT3DbR9GefymqDpFpYXxBsXqrYXHAffFDbrdXn6UPeQb+iE7MnMhFOyZ3KFqwfRtrvhFFKDNrqI8jaamG80zO8XhvTy+ikY4/jemFb1yLYXhsqiQcWqDy5OBMlCyO65yryETVoGBinN0/z/PJlpXegZlE51QCRbkJnkbGy/0hG1rSnV/oP0+dc628aoDJuEQPl0g==
X-IPAS-Result: A2FCAAAE32Bf/zGZrQpdAxkBAQEBAQEBAQEBAQEBAQEBAQESAQEBAQEBAQEBAQEBQIFPgxosgQgKlUAmg3qGEpAogWkEBwEBAQEBAQEBAQQEASUKBAEBAoRJAoIhJTgTAgMBAQsBAQEFAQEBAQEGAwEBAQKGRQyCNyJ7gQMBAQEBAQEBAQEBAQEBAQEBAQEBFgJDVRIBAR0BAQEBAgEnUgULAgEIDgMDAQIBFRkCHxEdCAIEDgUOgxgBgksDDhEemU6aZnSBATOIKw2CFAoGgTiBU4R4hR4lgTmBQj6BEScMEIFPfj6CGkICgRhGGAkBHgiDA4ItBItIhDYEByQJigmLTI98N1EDB4JlhEGCX4FSi2FphQkemn2FcZ1EgmeOToNaAgQCBAUCFYFrgXtwFRohKgGCCgEBMj4SFwINjigCAReIYoVCdDQDAgYKAQEDCY4MLYEGMQFfAQE
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Tue, 15 Sep 2020 11:38:31 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%4]) with mapi id 15.01.1979.003; Tue, 15 Sep 2020 11:38:31 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Donald Eastlake <d3e3e3@gmail.com>
CC: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-dnsop-dns-zone-digest.all@ietf.org" <draft-ietf-dnsop-dns-zone-digest.all@ietf.org>, secdir <secdir@ietf.org>
Thread-Topic: [EXTERNAL] SECDIR review of draft-ietf-dnsop-dns-zone-digest-09
Thread-Index: AQHWi3ZE5xMDPmexIk+d7zxnprv/mA==
Date: Tue, 15 Sep 2020 15:38:31 +0000
Message-ID: <D0617842-4E1A-43A1-9933-9C8737B4F4F4@verisign.com>
References: <CAF4+nEGaCJ0Y+_Q9Q+HbbBWCcOgzH-rLG+OoP5d-LxXtmCYqNQ@mail.gmail.com> <CAF4+nEHXrK1Got=CsfhpW_v8Z3i3dZKsRXUABiGcfHWzQ01yQQ@mail.gmail.com>
In-Reply-To: <CAF4+nEHXrK1Got=CsfhpW_v8Z3i3dZKsRXUABiGcfHWzQ01yQQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.104.15)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_7D80AD86-88C6-4582-B6B1-062F891B026B"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/bxUz8463sCDNIgEuTnX85CdhB-g>
Subject: Re: [secdir] SECDIR review of draft-ietf-dnsop-dns-zone-digest-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2020 15:38:37 -0000
Thanks Don for the extensive review! tl;dr, we did accept most/many of your suggestions already, except these items may warrant further discussion: - minimum digest length - more hash algorithms than SHA-384 - local policy when verifying multiple digests - implementation status section More responses inline below. DW > On Sep 12, 2020, at 6:53 PM, Donald Eastlake <d3e3e3@gmail.com> wrote: > > Trying again with the correct subject line. > > Sorry, > Donald > =============================== > Donald E. Eastlake 3rd +1-508-333-2270 (cell) > 2386 Panoramic Circle, Apopka, FL 32703 USA > d3e3e3@gmail.com > > ---------- Forwarded message --------- > From: Donald Eastlake <d3e3e3@gmail.com> > Date: Sat, Sep 12, 2020 at 1:20 PM > Subject: SECDIR review of draft-ietf-dnsop-dns-zone-review-09 > To: iesg@ietf.org <iesg@ietf.org>, > <draft-ietf-dnsop-dns-zone-digest.all@ietf.org> > Cc: secdir <secdir@ietf.org> > > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. Document editors and WG chairs should treat these comments just > like any other last call comments. > > The summary of the review is Ready with Issues. > > Notwithstanding that I have a lot of comments below, I think the idea > in this draft is a good one and look forward to its approval by the > IESG. > > > SECURITY ISSUES > > 1) The document claims that the presence of ZONEMD enables someone > holding the zone data to be able to determine its "authenticity" even > in the absence of DNSSEC. While it is not clear exactly what is meant > by "authenticity", I think this is misleading. I think that, at best, > without DNSSEC, you can test the data's "integrity". This is still > useful to protect again corruption and errors. But as I understand it, > "authenticity" takes a lot more machinery to test, such as the DNSSEC > mechanisms. > > OLD (Section 1) > It allows a receiver of the > zone to verify the zone's authenticity, especially when used in > combination with DNSSEC. > > NEW > It allows a receiver of the > zone to verify the zone's integrity and, when used in > combination with DNSSEC, its authenticity. A good change, thanks. > > There is a similar problem with the first paragraph of Section 6.1. Accepted your text in that section as well. > > 2) The minimum size of the Digest Field, 1 octet, seems too small. > Typical minimum size for such a field in IETF protocols seems to be 96 > bits or 12 octets, so that, at least with a strong hash function, you > have a reasonable resistance against brute force attacks. Also, while > it is fairly obvious, you might want to mention how a receiver > determines the length of the Digest Field. > > OLD (Section 2.2.4) > The Digest field must not be empty. > > NEW > The Digest Field MUST NOT be shorter than 12 octets. If it is, the > ZONEMD RR containing that short digest cannot be used to verify a > zone. The length of the digest field is determined by deducting the > fixed size of the Serial, Scheme, and Hash Algorithm fields from the > RDATA size in the ZONEMD RR header. I'm not necessarily opposed to a minimum digest size. Do you envision any complications with private use algorithms though? It seems a little strange to allow private use algorithms whose digest value could be anything, but requiring a minimum size (which could then simply be padded I know). > > 3) SHA384 / algorithm agility > -- here are some thoughts/comments on SHA384 and algorithm agility: > > 3a) SHA384 is a strong hash algorithm and is excellent for integrity > checking and the like but initially I was wondering if an algorithm with a > cryptographically stronger structure would be better if one is trying > to protect against active adversaries, even if the hash were shorter. > For example, HMAC-SHA2-256 which takes about as much computation as > SHA2-384. (Could be keyed by the "ZONEMD" concatenated with the zone > name.) But on further thought, DNSSEC strengthens things a lot. ZONEMD > will be covering not just the SOA serial but also the Signature > Expiration and Inception fields in the DNSSEC signatures. So, while I > haven't done a deep analysis, the more I think about it the more it > seems like a strong straightforward hash like SHA2-384 is OK. Understood. > > 3b) The draft lists only SHA2-384 but never says that it MUST be > implemented. Although it's fairly obvious, it seems to me the draft > should explicitly say that somewhere. Agreed. Thanks for the text. > > 3c) The draft never says how long the Digest Field should be when you > use SHA384 -- presumably 48 bytes -- and what to do if the Digest > Field is the wrong length -- presumably not use the ZONEMD for > validation. (Presumably just add some text to 5.C. in Section 4.) Added. > > 3c) SHA2-384 is just SHA2-512 with some different initialization > values and with the 512 bit output truncated to 384. Thus the > incremental effort of providing SHA2-512 in tiny if you have SHA2-384 > (and vice versa). So, if SHA2-384 is mandatory, then you might as well > make SHA2-512 mandatory also since you get it for probably <1% > incremental effort. Having two mandatory algorithms with some people > using one and some the other would provide some real confidence that > implementations were actually looking at the Hash Algorithm Field, > could handle Digest Fields of different length, etc., and the > algorithm agility mechanisms might actually work. It currently looks a > bit like only lip service is being paid to algorithm agility. In an earlier version of the draft, four algorithms were defined, although none "past" SHA-384. There was a (Oct 2018) discussion to make SHA-384 the mandatory algorithm and drop all the weaker ones. I'm not necessarily opposed to adding more mandatory-to-implement algorithms if there is working group consensus about that, but it feels like a pretty significant and late change? > > 3d) On algorithm agility generally: There is a reasonable provision in > the ZONEMD RR for a hash algorithm identifier. But, given that this > is Standards Track I would have expected there to be hash algorithms > specified of different types with one a MUST implement and one a > SHOULD implement -- possible more but at least that. Blake or SHA3 > would be example of a different algorithm type from SHA2. But I admit > that SHA2-384/512 is very strong and a break in it significant enough > to make much difference seems very unlikely. Same as above. > > 4) There is no mention of local policy. If at some point there are > multiple hash algorithms and/or schemes specified (which could include > private use algorithms and schemes), a ZONEMD zone validator would > likely need a local policy as to which algorithm/scheme digest it will > pay attention to. See, for example, the first paragraph of Section 4 > which assumes any good digest should be good enough to validate the > zone for any verifier. The draft-ietf-dnsop-dns-zone-digest-00 version did have the following text that spoke to this: > It is RECOMMENDED that implementations maintain a (possibly > configurable) list of supported Digest Type algorithms ranked from > most to least preferred. It is further RECOMMENDED that recipients > use only their most preferred algorithm that is present in the zone > for digest verification. > > As a matter of local policy, the recipient MAY require that all > supported and present Digest Type algorithms verify the zone. There was a thread on DNSOP where we had agreement to take those two paragraphs out: https://mailarchive.ietf.org/arch/msg/dnsop/RFCklH7Lx00bL-tOVRCAc0j5ftw/ > > 5) I'm not sure about the choice of "resilience" and "fragility" in > Section 6.3 without a bit more context as, at first, they seem > contradictory. See attached for one suggestion on this. Suggestion accepted. > > It is great that examples are included but I did not check them for > correctness. > > > IANA CONSIDERATIONS > > A number of points: > > 6. For both the Scheme and Hash Algorithm registries: > 6a. Value 255 should be listed as Reserved. > 6b. Values 2-239 should be listed as Unassigned. > 6c. Having a "RESERVED" mnemonic seems odd, I don't think I've seen it > before. People usually just put a hyphen in the mnemonic column. > 6d. In the rightmost "Reference Column", for things like Reserved or > Private Use, the usual thing is to either just put a hyphen ("-") or > to just say "[this document]". I don't think I have seen RFC 8126 > given as a reference. Thanks, the tables have been changed per your suggestions. > 6e. Actually, 240-254 seems like a lot of values for Private Use. Why > would you need 15 private hash algorithms within one administrative > area? If you think there are going to be lots of private/proprietary > hashes (national vanity crypto?) that get used moderately widely, > there should be a provision for "vendor specific" hash algorithms > where the "Digest Field" actually starts with a "vendor" identifier. It seemed a reasonable amount to us, but if others think it should be smaller that shouldn't be a problem. > > 7. I don't think all the references to RFC 8126 are needed. These are > all standard IANA terms. It would seem adequate to rename the > "Requirements Language" section to "Terminology" and add one sentence > saying "The terms Private Use, Reserved, Unassigned, and Specification > Required are to be interpreted as defined in [RFC8126]." Then all > other references to 8126 can be deleted. (You might need some DNS > related entries in a Terminology section anyway. I have significant > DNS background so I didn't feel any need for acronyms to be explained > or the like but that might not be true of a general reader.) > Thanks, this has been fixed. > > GENERAL > > 8. Sub-optimal ordering/grouping > > 8a. The sentence immediately before the Section 1.1 header, which give > the implementation requirement for ZONEMD, seems a little confusing > right after the preceding paragraph on DNSSEC. I think the sentence > should be moved up before the DNSSEC paragraph. > > 8b. In Section 1.1 on Motivation, I think only the first paragraph is > reasonably described by the section title. All of the rest of 1.1 is > "1.2 Alternative Approaches" or something like that. Done. > > 9. Chronological terminology > > I don't like all of the occurrences of "currently" or "at this time" > in the document. How likely are these phrases to be true 20 years > after this is published as an RFC? In many cases, this can be replaced > by using "herein" or the like except in Section 7 (Performance > Considerations) where some specific year or part of a year could be > given. Done. > > 10. There are a number of instances of "must", "must not", or > "recommended" that I think should be in all capital letters. See > attached markup. Done. > > 11. Verbosity > > The document has a generally conversational style with some empty > filler words that don't add anything scattered here and there. While > this is all a matter of taste, I suggest the following: > > 11a. All occurrences of "certainly" and "Note that" should be > eliminated. > > 11b Instead of saying "x can be used to y" or "x is designed to do y" > just say "x does y" or the like. > > 11b. There are three statements in three different parts of the draft > (Sections 2., 3.1, and 4.) to the effect that > "When multiple ZONEMD RRs are present, each > must specify a unique Scheme and Hash Algorithm tuple." > I'm not sure what the best thing to do about this is but as long as > the validation section makes it clear that such redundant occurrences > mean none of them validate the zone, you are OK. > > 11c. See other instances of what I think is unnecessary wordiness and > suggested changes in the attached. Done. > > 12. Having an Implementation Status section (Section 10) is good while > a draft is going through the approval process, but I think it is, as > indicated in RFC 7942, inappropriate in a resulting standards track > RFC. Furthermore, all of the disclaimer text given in RFC 7942 is > missing here. So, I believe similar disclaimer text should be added > and the RFC Editor should be requested to drop this section before > publication. The authors feel it could be useful, even though it is expected to become out-of-date. Looks like some other published RFCs have kept their Implementation Status sections, sometimes as an appendix? > > > TYPOS > > 13. The only actual typo kind of errors I found were "the the" -> > "the" in Section 7.1 and "can not" -> "cannot" in Section 4. > > > ATTACHMENT > > Taking into account the above and to make other editorial suggestions, > I have done an editing pass over the draft the results of which are > attached. I hope you find it helpful. > Thank you, we did find it very helpful.
- [secdir] SECDIR review of draft-ietf-dnsop-dns-zo… Donald Eastlake
- [secdir] Fwd: SECDIR review of draft-ietf-dnsop-d… Donald Eastlake
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Wessels, Duane
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Donald Eastlake
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Wessels, Duane
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Donald Eastlake
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Benjamin Kaduk
- Re: [secdir] SECDIR review of draft-ietf-dnsop-dn… Donald Eastlake