[Trans] ***SPAM*** 8.1 (5) Re: Re: DNSSEC also needs CT

[Daniel Kahn Gillmor <dkg@fifthhorseman.net>]

On 05/13/2014 11:24 AM, Nico Williams wrote:
> On Tue, May 13, 2014 at 9:58 AM, Ben Laurie <benl@google.com> wrote:
>> On 13 May 2014 15:53, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>>> So if Alice registers example.co.uk, she wants to do misissuance review
>>> for that zone.  But in a DNSSEC context, she needs to do misissuance
>>> review of the parent zones as well.  That is, she wants to ensure that
>>> .uk is not publishing spoofed records about the .co.uk nameservers and
>>> zone signing keys (how does she know if a change in DNSSEC records at
>>> this layer is a legitimate change?).
>>
>> I don't get why Alice would want to do this - all Alice cares is that
>> example.co.uk is correctly issued, right?
> 
> To detect MITM attacks by uk. on her peers.

Yes, this is why Alice should care.   Note that "peers" means
"communication partners", and not "other registrants within the .co.uk
public registry".

> Of course, given
> caching... it's going to be very difficult for uk. to mount a targeted
> MITM attack on Alice's peers.

I'm not convinced that DNS caching is necessarily protective in the case
of an attacker who controls the network.

> That's not the case with the PKI
> because there's no lookup process there, so no caching.

There are discussions of DNSSEC information being stored and shipped in
X.509 certificate credentials, which would also bypass the DNS caching
infrastructure.

> Still, it
> seems reasonable for Alice to check uk.'s log.  Besides, the cost of
> doing so is marginal: in general the closer to the root in DNSSEC the
> lower the log volume (what do we call this?) will be.

So what is Alice checking in .uk's log, or the root zone's log?  How
does Alice know whether a change in (for example) the delegation for
co.uk is correct/acceptable or not?

I think Alice wants to look at the following things from looking at the
logs for .uk:

 0) ensure that she knows all valid possible .co.uk delegations,
including their log info (there's a time window of concern here -- i
think she cares about it from when she first registered the domain to
the present.  if she has already reviewed up to time T, can she just
then search from T+1 to the present?  or is there some concern about
backfill?)

 1) for the logs of each of those delegations, she needs to review them
for the presence of delegations of example.co.uk (evidence of a
malicious zone cut), or records from within the example.co.uk zone
itself (evidence of malicious data, like glue records, which could be
served from the parent zone directly).

so in order to detect misissuance in a DNSSEC CT model, Alice would need
to review the logs of every zone above hers in the hierarchy.  does that
sound right?

> Right, . won't want to share a log with com., no doubt.  But that's
> not an answer to Daniel's question, which is about whether Alice's
> auditing job is easier or harder in the DNSSEC case compared to the
> PKI case.  IMO it's easier; I explained my answer separately.

I can see the argument for it being cheaper in the DNSSEC case.

I do wonder what we can then *do* about a detected misissuance in
DNSSEC, though.

For CAs in the X.509 CT, what we can do is encourage browser vendors to
drop that CA from their trusted root store (e.g. the diginotar "death
sentence").

for DNSSEC, it sounds like we'd need to threaten to drop the whole zone,
which seems unlikely.  Are there other recourses that could be taken by
an "interested party" who detects misissuance of one of their zones?

	--dkg