Requirements related to DNSSEC Signed Proof of Non-Existence
description
Transcript of Requirements related to DNSSEC Signed Proof of Non-Existence
Dom
ain
Nam
e Sy
stem
Se
curi
tyRequirements related to
DNSSEC Signed Proof of Non-Existence
draft-ietf-dnsext-signed-nonexistence-requirements-01.txt
Ben Laurie – NominetRip Loomis – SAIC
10 November 2004
2004-11-10 dnsext-signed-nonexistence-requirements-01 2
Dom
ain
Nam
e Sy
stem
Se
curi
tyDraft status
• Version -01 released Sept 2004• No significant feedback received on-
or off-list by the editors• Informal discussions on 08 Nov AM
(at IETF61) have provided possible clarifications, some potential new requirements…
• …and maybe a way ahead.
2004-11-10 dnsext-signed-nonexistence-requirements-01 3
Dom
ain
Nam
e Sy
stem
Se
curi
tyTerminology
• “Current DNS” – DNS without DNSSEC cryptographic extensions, and with AXFR disabled for “unauthorized” entities
• DNSSECbis – Self explanatory?• NSEC++ - Whatever is added/changed in
DNSSECbis to provide a “new” method of authenticatable non-existence. We know that some possible solutions will not actually be a “new NSEC”.
• DNSSEC-TNG – A/K/A DNSSECter – DNSSECbis plus the NSEC++ changes. We expect that DNSSECter will likely still include the current NSEC record as well.
2004-11-10 dnsext-signed-nonexistence-requirements-01 4
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 1 – Zone enumeration
and exposure • Comprised of req’ts 3, 4, 5, 6, 10, 26• We suggest that these boil down to:
“DNSSECter should not make it easier to enumerate zones than it is with plain DNS”. [Derived from req’t 4]
• We believe that this is a high-priority requirement.
• Threshold requirement: Enumeration is at least “non-trivial” (where current NSEC provides a linked list that is considered trivial to walk). [Derived from req’t 3]
• Concrete test might be that a random zone is infeasible to enumerate—this also reflects the “goal requirement”. [Derived from req’t 5]
2004-11-10 dnsext-signed-nonexistence-requirements-01 5
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 2 – Zone size
• Comprised of req’t 7.• We did not reword this requirement• We believe that this is a “nice to have”
desire, and not a true requirement.– Comments welcomed as to how the zone size
issue is in fact as significant as the other explicit requirements we received.
– Yes, it will receive some weighting in recommending a solution set.
2004-11-10 dnsext-signed-nonexistence-requirements-01 6
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 3 – Compatibility and
transition • Comprised of req’ts 8, 20, 21, 22, 23, 24• We suggest that these boil down to: “Current
deployment of DNSSECbis w/NSEC, by those who care not about zone enumeration, should not be affected by future NSEC++ deployment”. [Derived from req’ts 20-24 ]
• We believe that this is a high-priority requirement.
• Requirement 8 no longer applicable, because it would have mandated a change (that did not happen) to DNSSECbis.
2004-11-10 dnsext-signed-nonexistence-requirements-01 7
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 4 – Empty non-
terminals (ENT) • Comprised of req’t 9.• We did not reword this requirement.• We believe that this is a low-priority
desire.
2004-11-10 dnsext-signed-nonexistence-requirements-01 8
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 5 – DNSSEC adoption
and zone-growth • Comprised of req’t 11• We did not reword this requirement.• We believe that this is a “nice to
have” (medium priority desire)• We are aware that consideration of
this requirement may bog down the WG…
2004-11-10 dnsext-signed-nonexistence-requirements-01 9
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 6 – Non-overlap of denial
records with “regular” namespace • Comprised of req’t 12• We did not reword this requirement• The editors are not sure that this has
a realistic basis—protocols cannot protect against all possible foolish or silly actions.– As usual, comments and clarifications
welcome
2004-11-10 dnsext-signed-nonexistence-requirements-01 10
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 7 – Online exposure of
signing keys • Comprised of req’t 13• We did not reword this requirement• We believe that this is a medium-
priority desire– It would be nice if…but online keys may
actually be an acceptable trade-off for a subset of those concerned with zone enumeration
– …and it might not be an acceptable trade-off for others.
2004-11-10 dnsext-signed-nonexistence-requirements-01 11
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 8 – Zone-signing cost
• Comprised of req’t 14• We did not reword this requirement,
but we added a 14a: NSEC++ should not make incremental signing of existing zones any “harder” than it is with DNSSECbis/NSEC.
• We believe that this is a medium-priority desire
2004-11-10 dnsext-signed-nonexistence-requirements-01 12
Dom
ain
Nam
e Sy
stem
Se
curi
ty
Group 9 – DoS prevention/symmetric cost
• Comprised of req’t 15• We reworded this as: “NSEC++ should not
make Denial of Service attacks significantly more effective than plain DNSSECbis. Any increase in real-time cost at the name server (to respond) should correspond to a proportional increase in real-time cost to generate the original query.”
• We believe that this is a low-priority desire—”it would be nice if”, but in general DNSSEC makes DoS attacks so much easier that the answer is increasing available server CPU resources.
• We’re also not sure that this is realistic given the other requirements for NSEC++.
2004-11-10 dnsext-signed-nonexistence-requirements-01 13
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 10 – Acceptable Complexity
• Comprised of req’t 16• After further discussion, we rewrote
this requirement as, “Caching, wildcards, CNAMEs, DNAMEs should continue to work without significant increases in complexity at the client side.”– Complexity of operational usage– Complexity of validator implementation
• We listed this as a medium priority desire.
2004-11-10 dnsext-signed-nonexistence-requirements-01 14
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 11 - Completeness
• Comprised of req’t 17• What we think this was *really* supposed to
require, after discussion with the original contributor: “there should not be a proof of non-existence for any valid data in the zone.” This is much different than the requirement as expressed in I-D version -01, and essentially would prohibit an NSEC/NSEC++ that spans a range which contains valid data.
• Appears to conflict with requirement 11 (Group 5 in this document). WG probably needs to resolve the conflict.
• Currently listed as a “desire” at the same priority as requirement 11.
2004-11-10 dnsext-signed-nonexistence-requirements-01 15
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 12 – DNS “purity”
• Comprised of req’t 18• After discussion with the contributor, the editors
believe that this is really an awareness issue to be considered when reviewing potential solutions.– For example, what if the hash of a name somehow
collides with “real” data/RRs that are later added to a zone?
• This appears to be an implementation-side issue and not a going-in requirement that can be used to categorize potential solutions. For now, list as desirable.
2004-11-10 dnsext-signed-nonexistence-requirements-01 16
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 13 – Replay
• Comprised of req’t 19• DNSSECbis by design does not allow replay
attacks that deny a record which already exists. However, attacks against a record which has been added will succeed (until the signature expires on the relevant NSEC)
• We reworded this requirement as “NSEC++ should not allow replay attacks that are any more effective than those which currently exist in DNSSECbis.”
• This is a requirement.
2004-11-10 dnsext-signed-nonexistence-requirements-01 17
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 14 – Security During
Zone Transition• Newly identified requirement• “It should be possible to switch between NSEC
and NSEC++ without any zone data appearing to be unsigned, insecure, or ‘partly secure’ during the transition, taking into account externally cached data.”– We never want an end-user to see “inconsistently
signed” data– Both positive and negative answers should still be able
to be validated
• This is at least highly desirable and perhaps a hard-and-fast requirement.
2004-11-10 dnsext-signed-nonexistence-requirements-01 18
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 15a – Universal Signing
• Newly identified requirement• “Every zone that can be signed with DNSSECbis
can also be signed with DNSSECter.” (We believe that this is all zones, but do not want to prove it nor raise the bar for DNSSECter)
• Hard-and-fast requirement
2004-11-10 dnsext-signed-nonexistence-requirements-01 19
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 15b – Universal Signing
• Newly identified requirement• “It should be possible to sign all zones with
NSEC++”• We rate this as “highly desirable”
2004-11-10 dnsext-signed-nonexistence-requirements-01 20
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 15c – Universal Signing
• Newly identified requirement• “If it is not possible to sign all zones with NSEC+
+ it should be clearly defined which zones cannot be signed”
• We believe this is a hard-and-fast requirement
2004-11-10 dnsext-signed-nonexistence-requirements-01 21
Dom
ain
Nam
e Sy
stem
Se
curi
tyGroup 16 – NSEC++ as seen
by NSEC-only resolver• Newly identified requirement• “An NSEC++ (only) zone, regardless of
whether parent uses NSEC or NSEC++, should appear as consistently unsigned when seen by an NSEC-only resolver.”– We never want an end-user to see
“inconsistently signed” data• This is at least highly desirable and
perhaps a hard-and-fast requirement.
2004-11-10 dnsext-signed-nonexistence-requirements-01 22
Dom
ain
Nam
e Sy
stem
Se
curi
tyPrioritization (1 of 2) -
RequirementsGr. Req'ts Nature Priority
13,4,5,6, 10,25
Zone enumeration and exposure Reqt - High
38,20,21, 22,23,24 Compatibility and transition Reqt - High
13 19 Replay Reqt - High
15a NEW Universal Signing Reqt - High
15c NEW Universal Signing Reqt - High
2004-11-10 dnsext-signed-nonexistence-requirements-01 23
Dom
ain
Nam
e Sy
stem
Se
curi
tyPrioritization (2 of 2) – DesiresGr. Req'ts Nature Priority14 NEW Security during transition Desire - Med
15b NEW Universal Signing Desire - Med
16 NEW NSEC-only resolver results Desire - Med
5 11 Adoption and zone growth Desire - Med
11 17 Completeness Desire - Med
7 13 Exposure of signing keys Desire - Med
10 16 Complexity Desire - Med
12 18 DNS "purity" Desire - Med
8 14 Zone signing cost Desire - Med
9 15 DoS prevention Desire - Low
2 7 Zone size Desire - Low
4 9 Empty non-terminals Desire - Low
6 12 Non-overlap in namespace Desire - V. Low
2004-11-10 dnsext-signed-nonexistence-requirements-01 24
Dom
ain
Nam
e Sy
stem
Se
curi
tyPrioritization Notes
• There are “desired (but not required) features” that some entities probably cannot live without (e.g., there are those who consider zone enumeration a security issue, but do not want to store keys online since they correctly view that as a potential security issue).
• The WG needs to ensure that the solution sets are reviewed appropriately and that any issues of this sort are identified. (We think this means that although “no storage of keys online” is not a hard-and-fast requirement for NSEC++, it’s pretty close to one…)
2004-11-10 dnsext-signed-nonexistence-requirements-01 25
Dom
ain
Nam
e Sy
stem
Se
curi
tyOther Notes
• Explicit non-requirement: Prevent enumeration of RR types for a given name– Even if it is notionally possible to
provide this capability, we expect a steep cost and little benefit.
– Future provision of this capability is not prevented, if warranted
2004-11-10 dnsext-signed-nonexistence-requirements-01 26
Dom
ain
Nam
e Sy
stem
Se
curi
tyThe way ahead?
• If the WG agrees with our summarizations, we will update the I-D to reflect this.
• Next step will be to consider potential solution sets against these requirements and desires, with appropriate weighting.