Re: [Trans] DNSSEC also needs CT

Ben Laurie <benl@google.com> Tue, 13 May 2014 15:02 UTC

In-Reply-To: <alpine.LFD.2.10.1405130948160.25023@bofh.nohats.ca>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <CAK3OfOiKjY6YyiyeHiFJrecZfj_uQ-2k+KucKnzb9Yt8VCRPOQ@mail.gmail.com> <CAHw9_iKpN7AXfrH6SzroMukrKTPR5z24U9KfWpVW-F2R_wX3ag@mail.gmail.com> <alpine.LFD.2.10.1405101722240.897@bofh.nohats.ca> <CABrd9ST7K-7RGwGD2G+kDcVSceC2ZJ-5Tz2tdp5NWa3cqBK+-w@mail.gmail.com> <CAOe4Ui=nqmCfjBYNE2CJtEs1jnbavpY4Dv-T3FRDdAwAA2dScg@mail.gmail.com> <CAK3OfOiYMJkXVR+QsCzEV0ir6u53coJz0b-JdGGD5bTTz5YcMg@mail.gmail.com> <CAOe4Ui=u0fkm9_nuXx_6gpH6jHM5pBvzjzru9O8y3bpLkA0qmw@mail.gmail.com> <CAK3OfOi6y=QAMXe_2axiavxwR5nS2Uv8SM4JxQHsvEKbUyNGCA@mail.gmail.com> <CAOe4Uimvc6e6u=fJjM1-iaOTepA33Sx5CBjMV9dB8sSLqtZoWA@mail.gmail.com> <CAK3OfOhdhWdGvvhuaGyE_p5kLy0ZX-V5sAXfoLGP_8d8vPJDgg@mail.gmail.com> <CAOe4Uik+fjM4wTVBiFxphVZAwVYBPgd1a9xUyUBMSFy30SWNLg@mail.gmail.com> <CAK3OfOiC+5+s2UtSEP788W23tHq6VQSQfMsUboUp16L-27zsvQ@mail.gmail.com> <CABrd9STYxmK6gg7a5wDtejdc_Y0aD9hwQkHpFu3HbxVbMZDQHQ@mail.gmail.com> <alpine.LFD.2.10.1405130948160.25023@bofh.nohats.ca>
Date: Tue, 13 May 2014 16:02:11 +0100
Message-ID: <CABrd9SSiHfyvPxgYrDZ_idE+UGcUXVFx3BGcc2qp+t+nmuJwLw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Paul Wouters <paul@nohats.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/zqhQLT2PD4m3CUJUCLEeNsMTn50
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] DNSSEC also needs CT
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

On 13 May 2014 14:55, Paul Wouters <paul@nohats.ca> wrote:
>
> On Tue, 13 May 2014, Ben Laurie wrote:
>
> [DNSSEC CT]
>
>
>> Is it necessary to log anything other than keys? My base assumption was no: if the keys are as expected, then all records signed by those keys
>> can be trusted. If someone wants to publish RRsets that are other than the one the true domain owner wants to publish, they necessarily have
>> to inject a key they control, which becomes apparent from the logs.
>
>
> That would not allow us to detect coercion, that is a custom RRset signed
> to be used only for a targeted attack (by say, .com or the root)
>
> But I'm not sure how we _could_ detect that. Let's say they get an A
> record for www.victim.com that bypasses the NS RRset completely, that
> is, signed by the .com key. To notice this case, you would also need to log
> the change of zone cut.


OK, good point: zone cuts need to also be verified.

> The other case is injection of a custom DS RRset. How would we tell the
> difference between the legitimate zone owner adding a DS record or an
> attacker/parent zone owner adding one?

The legitimate owner can tell - that's the point, right?

> One defense would be to ignore
> any new DS record for a certain amount of time, but that runs into
> similar issues as pinning and TACK.
>
> Paul
-- 
Certificate Transparency is hiring! Let me know if you're interested.
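The three detection cases discussed in this exchange (an injected DNSKEY, a record for a child name signed directly by the parent's key so the zone cut is bypassed, and a DS record the owner never asked the parent to publish) can be written down as a small monitor-side check. The following is an added illustration, not code from the TRANS working group or from any CT or DNSSEC implementation: it assumes a validating resolver hands the monitor each RRset together with the signer name and key tag from its covering RRSIG, and it stands in for "the log" with an `OwnerExpectation` record of what the legitimate owner knows they published. The names, key tags and digests are constructed for the example.

```python
"""Illustrative DNSSEC monitoring check (constructed example, not a protocol).

A zone owner compares what resolvers actually saw against what they published.
The expectation record plays the role that a transparency log would play in the
design being discussed; here it is simply supplied by the owner.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class SignedRRset:
    """An RRset as a validating resolver saw it, plus the two RRSIG fields that
    matter for this check: which zone signed it and with which key tag."""
    owner: str      # owner name with trailing dot, e.g. "www.victim.com."
    rtype: str      # "A", "DS", "DNSKEY", ...
    rdata: tuple    # record data as presentation-format strings
    signer: str     # RRSIG signer name (the zone whose key made the signature)
    key_tag: int    # RRSIG key tag


@dataclass(frozen=True)
class OwnerExpectation:
    """What the legitimate zone owner knows they published (hypothetical stand-in
    for a log entry)."""
    zone: str                   # e.g. "victim.com."
    parent: str                 # e.g. "com."
    dnskey_tags: FrozenSet[int]  # key tags of the DNSKEYs the owner published
    ds_tags: FrozenSet[int]      # key tags of the DS records the owner asked the parent for


def _in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def check_observed(observed: List[SignedRRset], exp: OwnerExpectation) -> List[str]:
    """Return one human-readable finding per RRset that contradicts the owner's
    expectation; an empty list means everything seen is consistent."""
    findings: List[str] = []
    for rr in observed:
        if not _in_zone(rr.owner, exp.zone):
            continue
        if rr.rtype == "DS" and rr.owner == exp.zone:
            # DS lives in the parent and is signed by the parent's key. Only the
            # owner can say whether a given DS was requested or injected.
            if rr.signer != exp.parent:
                findings.append(f"DS for {rr.owner} signed by {rr.signer}, not parent {exp.parent}")
                continue
            for rdata in rr.rdata:
                tag = int(rdata.split()[0])  # DS presentation format starts with the key tag
                if tag not in exp.ds_tags:
                    findings.append(f"unexpected DS key tag {tag} for {rr.owner} published by {rr.signer}")
            continue
        if rr.signer != exp.zone:
            # A record below the delegation signed by some other zone's key: the
            # zone cut was bypassed rather than followed through the NS/DS chain.
            findings.append(f"zone cut bypassed: {rr.owner}/{rr.rtype} signed by {rr.signer}, not {exp.zone}")
            continue
        if rr.key_tag not in exp.dnskey_tags:
            # Signed by the right zone name but with a key the owner never published.
            findings.append(f"unknown key: {rr.owner}/{rr.rtype} signed by key tag {rr.key_tag} of {rr.signer}")
    return findings


def demo() -> List[str]:
    """Run the check over a constructed set of observations covering each case."""
    exp = OwnerExpectation(zone="victim.com.", parent="com.",
                           dnskey_tags=frozenset({12345, 23456}),
                           ds_tags=frozenset({12345}))
    observed = [
        # Consistent with what the owner published:
        SignedRRset("victim.com.", "DNSKEY", ("257 3 8 <ksk>", "256 3 8 <zsk>"), "victim.com.", 12345),
        SignedRRset("www.victim.com.", "A", ("192.0.2.10",), "victim.com.", 23456),
        SignedRRset("victim.com.", "DS", ("12345 8 2 0123abcd",), "com.", 30909),
        # Child name answered with a record signed by the parent's key (zone cut bypassed):
        SignedRRset("www.victim.com.", "A", ("198.51.100.7",), "com.", 30909),
        # DS the owner never requested, published at the parent:
        SignedRRset("victim.com.", "DS", ("40404 8 2 deadbeef",), "com.", 30909),
        # Record signed under the right zone name but with an unpublished key:
        SignedRRset("victim.com.", "MX", ("10 mail.victim.com.",), "victim.com.", 55555),
    ]
    return check_observed(observed, exp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Each of the three findings corresponds to one of the cases raised in the thread, and the first three observations pass precisely because the signer name and key tag match what the owner published. The DS case shows why the owner's own expectation has to be part of the picture: the parent-signed DS is cryptographically valid either way, and nothing in the signature distinguishes a requested rollover from an injected key.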