IETF Logo Mail Archive

Re: [v6ops] Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt> (Considerations for Transitioning Content to IPv6) to Informational RFC

Ronald Bonica <rbonica@juniper.net> Mon, 20 February 2012 15:21 UTC

Return-Path: <rbonica@juniper.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B056521F856A for <v6ops@ietfa.amsl.com>; Mon, 20 Feb 2012 07:21:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.229
X-Spam-Level:
X-Spam-Status: No, score=-106.229 tagged_above=-999 required=5 tests=[AWL=-0.230, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id srMMNTX7fODr for <v6ops@ietfa.amsl.com>; Mon, 20 Feb 2012 07:21:36 -0800 (PST)
Received: from exprod7og107.obsmtp.com (exprod7og107.obsmtp.com [64.18.2.167]) by ietfa.amsl.com (Postfix) with ESMTP id 3B38921F855D for <v6ops@ietf.org>; Mon, 20 Feb 2012 07:21:36 -0800 (PST)
Received: from P-EMHUB01-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob107.postini.com ([64.18.6.12]) with SMTP ID DSNKT0Jk/a7gRUR9rIywe0OlesblzyJrdFpF@postini.com; Mon, 20 Feb 2012 07:21:36 PST
Received: from P-CLDFE02-HQ.jnpr.net (172.24.192.60) by P-EMHUB01-HQ.jnpr.net (172.24.192.35) with Microsoft SMTP Server (TLS) id 8.3.213.0; Mon, 20 Feb 2012 07:18:25 -0800
Received: from p-emfe02-wf.jnpr.net (172.28.145.25) by p-cldfe02-hq.jnpr.net (172.24.192.60) with Microsoft SMTP Server (TLS) id 14.1.355.2; Mon, 20 Feb 2012 07:18:24 -0800
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe02-wf.jnpr.net ([fe80::c126:c633:d2dc:8090%11]) with mapi; Mon, 20 Feb 2012 10:18:23 -0500
From: Ronald Bonica <rbonica@juniper.net>
To: Marc Lampo <marc.lampo@eurid.eu>, "jason_livingood@cable.comcast.com" <jason_livingood@cable.comcast.com>
Date: Mon, 20 Feb 2012 10:18:36 -0500
Thread-Topic: [v6ops] Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt> (Considerations for Transitioning Content to IPv6) to Informational RFC
Thread-Index: Aczg83O386MCjRztTKmEcXn2PnRYGAO5mMuQAAIvihA=
Message-ID: <13205C286662DE4387D9AF3AC30EF456D7671A210C@EMBX01-WF.jnpr.net>
References: <20120201150911.25955.80172.idtracker@ietfa.amsl.com> <017501ccefdc$68025a50$38070ef0$@lampo@eurid.eu>
In-Reply-To: <017501ccefdc$68025a50$38070ef0$@lampo@eurid.eu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EXCLAIMER-MD-CONFIG: f8e27f27-03b2-4c3e-9447-119194e72cb6
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt> (Considerations for Transitioning Content to IPv6) to Informational RFC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Feb 2012 15:21:41 -0000

Marco,

The IESG has already approved this drat for publication. However, I think that your comment is significant if you can make a case that the DNS information returned to the user is less trustworthy than it would have been had the authoritative DNS not been practicing whitelisiting. Can you make this case?

                                                Ron


> -----Original Message-----
> From: v6ops-bounces@ietf.org [mailto:v6ops-bounces@ietf.org] On Behalf
> Of Marc Lampo
> Sent: Monday, February 20, 2012 9:32 AM
> To: jason_livingood@cable.comcast.com
> Cc: v6ops@ietf.org
> Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-
> implications-08.txt> (Considerations for Transitioning Content to IPv6)
> to Informational RFC
> 
> Hello,
> 
> (sorry to be late with my comments, bit overloaded on my side)
> 
> 6.1 Security Considerations - paragraph 2 (on DNSSEC)
> The text states : "there should not be any negative impact on DNSSEC"
> In my opinion, this is *wrong* :
> 
> 
> It is correct that, if an AAAA record exists (in a DNSSEC's zone),
> the appropriate RRSIG will be known to authoritative NS's.
> If, via white listing, the decision is taken not to present the AAAA
> record
> (and its signature), this seems OK.
> 
> However : not returning an AAAA record seems identical to : there is no
> AAAA record.
> And that - there is no AAAA record - yields to "Next Secure" changes !
> If no AAAA record exists, for a name, the corresponding NSEC (NSEC3)
> record
> should not hold a reference to AAAA.
> But if that AAAA record does exist, the authoritative NS will have NSEC
> (NSEC3)
> data that shows so.
> 
> A DNSSEC query (ENDS0 + DO set) for AAAA (and the AAAA exists but due
> to
> whitelisting
> will not be returned), cannot be proven by accompanying (and required)
> NSEC (NSEC3)
> information.
> Hence : this draft will/might make DNSSEC validating name servers fail.
> 
> 
> If you look at 4.3.1.1 (Description of DNS Resolver Whitelisting) in
> detail,
> please observe :
> 1) the caching name server (and "stub resolver") ask 2 queries
>     (there is only one line,
>      but it are two queries : one for "A", one for "AAAA")
> 2) if the caching name server (or stub resolver) performs DNSSEC
> validation,
>     it will never accept a reply of "NODATA" to the query of AAAA
>     (because the NSEC (NSEC3) information will not prove that
> non-existance)
>     ((and the validating name server will repeat the query to all
>       authoritative NS's, looking for a validatable answer))
> 
> (the final result, to the user might be that only the A record is
> useable
>  - mission accomplished ?
>  But the side effect will be that validating caching name servers will
> hit
>   *all* authoritative servers for the domain,
>   "in search of" a correctly validating answer.)
> 
> So, while for the end-user, the result might be identical,
> one "security impact" of this approach is
> additional (useless) DNS traffic and
> additional load on authoritative NS's (that implement whitelisting)
> 
> 
> Kind regards,
> 
> Marc Lampo
> Security Officer
> EURid
> 
> 
> -----Original Message-----
> From: The IESG [mailto:iesg-secretary@ietf.org]
> Sent: 01 February 2012 04:09 PM
> To: IETF-Announce
> Cc: v6ops@ietf.org
> Subject: [v6ops] Last Call:
> <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt>
> (Considerations for Transitioning Content to IPv6) to Informational RFC
> 
> 
> The IESG has received a request from the IPv6 Operations WG (v6ops) to
> consider the following document:
> - 'Considerations for Transitioning Content to IPv6'
>   <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-08.txt> as an
> Informational RFC
> 
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2012-02-15. Exceptionally, comments may
> be
> sent to iesg@ietf.org instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
> 
> Abstract
> 
> 
>    This document describes considerations for the transition of end
> user
>    content on the Internet to IPv6.  While this is tailored to address
>    end user content, which is typically web-based, many aspects of this
>    document may be more broadly applicable to the transition to IPv6 of
>    other applications and services.  This document explores the
>    challenges involved in the transition to IPv6, potential migration
>    tactics, possible migration phases, and other considerations.  The
>    audience for this document is the Internet community generally,
>    particularly IPv6 implementers.
> 
> 
> 
> 
> The file can be obtained via
> http://datatracker.ietf.org/doc/draft-ietf-v6ops-v6-aaaa-whitelisting-
> impl
> ications/
> 
> IESG discussion can be tracked via
> http://datatracker.ietf.org/doc/draft-ietf-v6ops-v6-aaaa-whitelisting-
> impl
> ications/
> 
> 
> No IPR declarations have been submitted directly on this I-D.
> 
> 
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email