Re: [Cerowrt-devel] [Dnsmasq-discuss] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

Development issues regarding the cerowrt test router project
 help / color / mirror / Atom feed

From: Simon Kelley <simon@thekelleys.org.uk>
To: Dave Taht <dave.taht@gmail.com>, Jim Gettys <jg@freedesktop.org>,
	 dnsmasq-discuss <Dnsmasq-discuss@lists.thekelleys.org.uk>,
	"cerowrt-devel@lists.bufferbloat.net"
	<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
Date: Tue, 29 Apr 2014 14:22:27 +0100	[thread overview]
Message-ID: <535FA793.8020502@thekelleys.org.uk> (raw)
In-Reply-To: <20140428232459.GA55372@redoubt.spodhuis.org>

On 29/04/14 00:24, Phil Pennock wrote:
> On 2014-04-28 at 20:32 +0100, Simon Kelley wrote:
>> On 28/04/14 19:56, Dave Taht wrote:
>>> I see A and AAAA requests for for "ds.test-ipv6.com" that fail.
>>
>> The root of this failure is that DS ds.test-ipv6.com is broken.
>>
>>  <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 ds ds.test-ipv6.com
> 
>> The latest fix I made (when the SERVFAIL reply comes, try the next
>> possible secure-nonexistent DS record at test-ipv6.com) works sometimes,
>> but the query above is taking long enough to fail that sometimes the
>> original requestor has timed out before it gets the answer and tries again.
> 
> Er, DS records are authoritative in the parent domain and are equivalent
> to glue; they are not expected to exist below the zone cut.
> 
> This is why you'll get results from:
> 
>     $ dig -t ds spodhuis.org @a2.org.afilias-nst.info
> 
> but a NOERROR from:
> 
>     $ dig -t ds spodhuis.org @nsauth.spodhuis.org

A NOERROR answer from the authoritative server for test-ipv6.com would
be fine. What actually happens is no answer at all and a timeout (or a
closed TCP connection if TCP is used.)

It's maybe worth expanding on what we're trying to do here. The original
query is "A ds.test-ipv6.com". The answer to that comes back fine, but
there are no RRSIGs proving that that answer is good. Now we have to
distinguish between no signatures because the domain isn't signed, and
no signatures because the answer has come from the Bad Guys.

To do that, we need to find proof (NSEC or NSEC3 records) that a DS
doesn't exist somewhere between ds.test-ipv6.com and the root. Bear in
mind that dnsmasq is a DNS forwarder, not a recursive DNS server, so it
doesn't know where the zone cuts are.

The current strategy it to start at ds.test-ipv6.com and do DS queries.
There are three possible results.

unsigned NOERROR -> chop one label off the RHS and repeat
DS record        -> definite Bad Guy activity, return BOGUS
signed no DS record -> we expect unsigned original answer, return
INSECURE result.ds.test-ipv6.com

The other alternative approach is to start from the root and add labels,
but that has a problem.

Consider

department.campus.university.edu

where there are zone cuts between university and edu and between
department and campus.

All the zones are signed, so if we look up something under .department,
we expect a signature, if we don't get it, we check

DS .edu gives an answer
DS university.edu gives secure NODATA

secure no DS means that the original unsigned answer should be accepted,
except that it shouldn't. There's no way to distinguish between secure
lack of DS because we've reached an unsigned branch of the tree, and
secure lack of DS because we're not at a zone cut, except if we know
where the zone cuts are, and we don't.

That's why dnsmasq works up from the bottom. The first secure no-DS
answer we find marks the boundary between signed and unsigned tree.

Dnsmasq is acting as a validating stub resolver here. That's a supported
role for DNSSEC, so this must be possible. If it's not then we have a
standards problem.

> 
> An NS query for "ds.test-ipv6.com" gives "test-ipv6.com", so that is the
> zone cut, so it's in the COM. zone that you should expect to find any DS
> records for "test-ipv6.com" and there's no need for a DS for anything
> below that unless there's also a zone cut, in which case there's a DS at
> the delegation point.
ds.test-ipv6.com
Doing NS queries to find zone cuts is a possible solution, but I know of
ISP nameservers that elide the Authority section for "performance".

Simon.

> 
> RFC 4033:
> ----------------------------8< cut here >8------------------------------
> 3.1.  Data Origin Authentication and Data Integrity
> [...]
>    The Delegation Signer (DS) RR type simplifies some of the
>    administrative tasks involved in signing delegations across
>    organizational boundaries.  The DS RRset resides at a delegation
>    point in a parent zone and indicates the public key(s) corresponding
>    to the private key(s) used to self-sign the DNSKEY RRset at the
>    delegated child zone's apex.  The administrator of the child zone, in
>    turn, uses the private key(s) corresponding to one or more of the
>    public keys in this DNSKEY RRset to sign the child zone's data.  The
>    typical authentication chain is therefore
>    DNSKEY->[DS->DNSKEY]*->RRset, where "*" denotes zero or more
>    DS->DNSKEY subchains.  DNSSEC permits more complex authentication
>    chains, such as additional layers of DNSKEY RRs signing other DNSKEY
>    RRs within a zone.
> ----------------------------8< cut here >8------------------------------
>

next prev parent reply	other threads:[~2014-04-29 13:22 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-04-28 16:55 [Cerowrt-devel] " Jim Gettys
2014-04-28 17:03 ` Dave Taht
2014-04-28 18:37   ` Dave Taht
2014-04-28 18:56     ` Dave Taht
2014-04-28 19:32       ` [Cerowrt-devel] [Dnsmasq-discuss] " Simon Kelley
2014-04-28 19:45         ` Aaron Wood
2014-04-28 23:24         ` Phil Pennock
2014-04-29 13:22           ` Simon Kelley [this message]
2014-04-29 20:57             ` Phil Pennock
2014-04-30 17:26               ` Dave Taht
2014-05-01 18:37                 ` Simon Kelley
2014-05-01 20:26                   ` Rich Brown
2014-05-01 22:27                     ` Dave Taht
2014-05-02 14:30                       ` Sebastian Moeller
2014-05-01 18:35               ` Simon Kelley
2014-05-02 16:40                 ` James Cloos
2014-10-03  9:28             ` [Cerowrt-devel] " Anders Kaseorg
2014-10-03 17:28               ` Valdis.Kletnieks
2014-10-03 21:35                 ` Anders Kaseorg
2014-10-04 21:45               ` Anders Kaseorg
2015-01-08 16:34                 ` Simon Kelley
2015-01-08 17:44                   ` Dave Taht
2015-01-08 18:07                     ` Simon Kelley
2015-01-08 19:52                       ` Dave Taht
2015-01-09  8:52                         ` Dave Taht
2015-01-09 15:36                           ` Simon Kelley
2015-01-09 16:49                           ` Simon Kelley
2015-01-09 21:34                             ` Dave Taht
2015-01-10 15:37                               ` Simon Kelley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=535FA793.8020502@thekelleys.org.uk \
    --to=simon@thekelleys.org.uk \
    --cc=Dnsmasq-discuss@lists.thekelleys.org.uk \
    --cc=cerowrt-devel@lists.bufferbloat.net \
    --cc=dave.taht@gmail.com \
    --cc=jg@freedesktop.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox