[dns-operations] Unplanned DLV zone outage on 2009-Apr-06
Eric Osterweil
eoster at CS.UCLA.EDU
Wed Apr 15 00:33:30 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
First: this whole discussion is all ignoring the implications of using
a 3rd party for inline validation (privacy, etc.) vs. constructing
local TA lists. For the rest of this discussion please recall that I
think resolvers should cull their own TA lists and manage them
locally, but inline mechanisms exists and some prefer to use them, so
we have the following discussion.
On Apr 14, 2009, at 5:50 PM, Michael Sinatra wrote:
> On 4/14/09 3:44 PM, Eric Osterweil wrote:
>
>> We only serve keys that were seen during the last poll and that
>> have valid RRSIGs (i.e. if they've expired we don't list them). If
>> a zone signs for (say) a month, and then removes its signed
>> material the next day, that's already a bit of a faux pas.
>> Something like that can cause a lot of problems for that zone if
>> data is cached somewhere, or if someone wants to replay data into a
>> cache w/ the still valid RRSIGs anyway. We will stop listing the
>> keys, however, if they are not present the next time we crawl.
>
> There's a big difference between signing and placing a trust anchor
> somewhere where you *know* people will use it and then unsigning
> your zone and leaving the trust anchor in place, versus placing a
> signed zone into production with no trust anchors anywhere (==an
> insecure zone). In the first case, you have created a broken zone,
> and you should know that you have done so.
>
> In the second case, you have created an insecure zone which you have
> not explicitly asked anyone to trust. But then someone comes along
> and scrapes your zone without your knowledge and puts the keys in a
> repository that others trust. Now you're in a situation where
> people are trusting your DNSSEC without your knowledge. If I assume
> nobody is trusting my zone, is it really that big a faux pas to un-
> sign it or change the signing keys? Or is it a bigger faux pas to
> create a mechanism where people trust my zone without my knowledge?
> (I hope that this is not the way SecSpider works.)
Given that edu cannot delegate to you (as com cannot delegate to
foo.com), how do you plan to declare your intent to be secure? There
isn't (at present) any way to declare this to everyone (modulo an
unsigned parent). I know there are some who like to subscribe to the
idea that there is one TA registry in the sky that we all should
trust, but not everyone _has_ to believe this or use them. That
doesn't make anyone bad in any way, but you have to realize that not
everyone has to play by one group's rules. By contrast, is there any
reason that you should necessarily _not_ be able to be trusted by
someone who simply wants to use a different TA registry? Are you now
going to run to all of the would-be registries (assuming you could
even know who they all are) and get your keys in them and maintain
their correctness, or are resolvers just out of luck if they don't
agree with/know to use your TA registry of choice? This seems a
little difficult to imagine at any scale, no?
None the less, people who want to benefit from deploying DNSSEC below
an unsigned parent should not have to get one group's blessing, etc.
>
>
> Consider another example: Someone spoofs a zone in such a way that
> all of your pollers get the same key information and SecSpider
> regards that information as valid.
Before we jump here... How? This is within the realm of possibility,
but can you tell me how likely you consider this? I also consider it
possible for a TA registry to have one of its servers get pwnd and
then we could have an adversary affect all of the clients of that
server too, no? Seriously, what degree of realness are you supposing
here? I mentioned in my first email the lengths we go to.
> Now there is a trusted fake zone with bogus information that users
> of SecSpider regard as "secure." Unlikely scenario, but it seems
> that it is a much better idea to have key management done out-of-
> band from the DNS protocol itself.
If I pop a TA operator's box and insert a key we have the same
situation, right? Also unlikely, but possible, yes?
>
>
> I can see where SecSpider would have use in testing and research,
> but I assume you're not advocating it for production use.
Right now, there are thousands of zones (that we know of) that have
deployed DNSSEC and who are not able to benefit from it because their
keys are not part of a single group's verification process. The idea
that I put data in public and then expect it to be ignored may seem
fair from one perspective but maybe not the best practice because of
others' perspectives (resolvers use what you put in your public
zone). There is no protocol semantic for the root of an island to
signal to resolvers that it wants (or doesn't want) its keys to be used.
The biggest problem I see here is that trust really isn't black and
white. Given you _know_ something about a key (like it's _your own_
key), you may trust it. For another key, given no other information
aside from its global consistency, you may feel safe using it. If you
see a key in a DLV do you "trust" that as much as your own KSK? What
if they disagree? No matter what, trust is not a boolean. SecSpider
provides you information about keys that you likely would not have
heard of otherwise *period*. In the absence of _any_ other
information, this is meant to help resolvers make informed decisions.
Yes, I think this can be very helpful in production and I think it
highlights some needs of the protocol.
Eric
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iEYEARECAAYFAknlK14ACgkQK/tq6CJjZQL4TwCgh0YcNKY6ll9psBDgLasixVnh
lDMAn2Ws8Wkuxc0fTAZ2RJXS8NtbrVEP
=baCB
-----END PGP SIGNATURE-----
More information about the dns-operations
mailing list