Re: [Trans] [dane] CT for DNSSEC
Wei Chuang <weihaw@google.com> Fri, 17 March 2017 16:31 UTC
Return-Path: <weihaw@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F21281294F9 for <trans@ietfa.amsl.com>; Fri, 17 Mar 2017 09:31:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dw9JyUlv2CMR for <trans@ietfa.amsl.com>; Fri, 17 Mar 2017 09:31:46 -0700 (PDT)
Received: from mail-ot0-x230.google.com (mail-ot0-x230.google.com [IPv6:2607:f8b0:4003:c0f::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AB1B1294E8 for <trans@ietf.org>; Fri, 17 Mar 2017 09:31:46 -0700 (PDT)
Received: by mail-ot0-x230.google.com with SMTP id o24so96723640otb.1 for <trans@ietf.org>; Fri, 17 Mar 2017 09:31:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=fwjvvHkkfDEL6fzbQprx/HD9ekRNpt6e+q/sOvL2Z+M=; b=UiHk7RLxicx8hhLZU7KYWE97UYoP0fX4zFlrth+gkDAGsIX3eRHZomqb5j4OlVVwsA X1X+C+juXqcDHcHhffyOfo79wozb7FzynZTLvBk+fbgn4xr181a2BIdQW011oW05jtuO erK3BLCjKKOSJ5xNqUdNuiQWLFn6gdlN1oTlAWIxCnKN1eyVE1yZBGRG7bmyM4epKDre +ZhOWg1b/wBl5AilgiJ08EMPilhCYbKiyLS4i9kz9oqdAX+wkKiXe0ywo4+1q6cvZ6jt W06OjnbGz/kTxkNjEc37jZseoxd4+FJ2WB0z9LZEejkjsZlUweCpBCV3N9Jm4RmoGDQA DdRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=fwjvvHkkfDEL6fzbQprx/HD9ekRNpt6e+q/sOvL2Z+M=; b=OrqrZmo19z4uEQ+VOqoIYhzzbqOsda2KSw7CbOh4pb0iKYt/rwI+d6ZpI0JWrT+4yI pcFx/N//lisjQzulnLCeAtbKUxlYFMY5RjBvfF/O1C1y5FwvYoLgJSPJCztiz4znEMtD cazWHJni87GEPKzJpRZ2xAtZvq7WLucsqWAKxwb1VL/PAfWWDNgcsK1/wZK8TNNDpMrV Gi1zXEPbLNYgx1P6O2RXyrKiD0DUi1BoCyge59hmhMkuqE3Unt1j4uRY+bNQ0TsgExUB 5V6OW7deeINPTBUR5GSe87UG9WJ7m2bPKwNnXKcfPq7sp3PS4I2andPQuX4g89u21K0U J24w==
X-Gm-Message-State: AFeK/H35oD8tF+0gLn3mx5tgX10RzXwdc6aBdL+DwdtYjlqz7fL4+GrcCnieJZo4CZFuX1WRQ4/C0oPGt3OEEXMY
X-Received: by 10.202.178.138 with SMTP id b132mr8568195oif.101.1489768305631; Fri, 17 Mar 2017 09:31:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.41.226 with HTTP; Fri, 17 Mar 2017 09:31:44 -0700 (PDT)
In-Reply-To: <455EC3FC-9140-40D3-88F8-77990B7C7DD0@vpnc.org>
References: <CAAFsWK0bCDZmg0csCfXAJ1=jqbOBc7sUUvSg-6ZKjxuAQKmQPA@mail.gmail.com> <455EC3FC-9140-40D3-88F8-77990B7C7DD0@vpnc.org>
From: Wei Chuang <weihaw@google.com>
Date: Fri, 17 Mar 2017 09:31:44 -0700
Message-ID: <CAAFsWK2z1AR6RZToQvw7s_t_u+333Jyk6pUQ5KznbsrQGxkvgQ@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: trans@ietf.org, dane@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a113ce0b0acbcb1054aefb685"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/XDWjEQTFqFvu06Yb3Y-aamh0_iQ>
Subject: Re: [Trans] [dane] CT for DNSSEC
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 16:31:50 -0000
On Thu, Mar 16, 2017 at 10:25 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote: > On 16 Mar 2017, at 10:09, Wei Chuang wrote: > > I saw there was significant interest >> <http://blog.huque.com/2014/07/dnssec-key-transparency.html> in exploring >> CT for DNSSEC back in 2014 of which a draft draft-zhang-trans-ct-dnssec >> <https://tools.ietf.org/html/draft-zhang-trans-ct-dnssec-03> was created. >> It seems to have quieted down since. I believe the motivation is still >> there which is to prevent a parent zone from potentially misbehaving and >> spoofing the child zone. Is there still interest in this? From the list >> archives, I can't see what the issues were though I'm guessing one of them >> was respecifying the DS resource record to use a SCT which might have >> caused compatibility concerns. (But please correct me if I'm wrong) >> Other >> than that, the draft seems pretty reasonable. Were there other concerns? >> > > There were two separate issues that got conflated at the time: > > - Seeing evidence that a parent had spoofed DNSSEC keys for a child. A > transcript of the DS records in the parent is sufficient as long as the > child doesn't have relying parties create islands of trust (which is > relatively rare these days). > > - Seeing evidence that a parent had spoofed any resource records for a > child. A transcript of the NS records in the parents is a good start, > although what is really needed is a transcript of everything that is seen > for the child. > Is this because you're worried about the parent removing evidence of DNSSEC for the child in the spoofing scenario? If the parent tries to spoof with DNSSEC for the child I would assume that seeing the DS SCT's in the log, that is sufficient to find evidence of spoofing. That said I think it could be helpful to log NS as well for forensics. One issue with logging all records seen is if webmail providers publish SMIMEA there will be a potentially overwhelming number of records logged, and a very large change rate. Another issue is privacy of such records. > > In both cases, having transcripts from various DNS looking glasses around > the Internet would give greater assurance of the integrity of the > transcript. I agree that would a good idea. -Wei > > --Paul Hoffman >
- Re: [Trans] [dane] CT for DNSSEC Wei Chuang
- [Trans] CT for DNSSEC Wei Chuang
- Re: [Trans] [dane] CT for DNSSEC Paul Hoffman
- Re: [Trans] CT for DNSSEC Linus Nordberg
- Re: [Trans] [dane] CT for DNSSEC Wei Chuang
- Re: [Trans] CT for DNSSEC Wei Chuang
- Re: [Trans] [dane] CT for DNSSEC Paul Hoffman
- Re: [Trans] [dane] CT for DNSSEC Viktor Dukhovni
- Re: [Trans] CT for DNSSEC Linus Nordberg
- Re: [Trans] [dane] CT for DNSSEC Wei Chuang
- Re: [Trans] [dane] CT for DNSSEC Wei Chuang
- Re: [Trans] [dane] CT for DNSSEC Viktor Dukhovni
- Re: [Trans] CT for DNSSEC Paul Wouters
- Re: [Trans] [dane] CT for DNSSEC Wei Chuang
- Re: [Trans] [dane] CT for DNSSEC Viktor Dukhovni
- Re: [Trans] [dane] CT for DNSSEC Paul Wouters
- Re: [Trans] [dane] CT for DNSSEC Tony Finch