On 9/6/2017 12:05 PM, Wes Hardaker wrote:
Matthijs Mekking <[email protected]> writes:

Thanks for all your points, and I've gone through and handled them all
in the text (including discussing that we update 7583 per your request).

2. waitTime only adds one queryInterval, while Itrp adds two. I believe
to be safe on the publishing side, two queryIntervals is needed. RFC
7583 explains:

    A validator will treat it as a trust anchor the next
    time it retrieves the RRset, a process that can take up to another
    queryInterval (the third term).
This is the one that had me think with a whiteboard for a while.  If I
can sum it up differently, the problem is that 30 days may not be a
factor of the queryInterval.  Thus:

     N * queryInterval >= 30

Where N is the number of queries to get somewhere over 30 days.

So Irtp is waiting an extra queryInterval to account for this
possibility.

Mathematically, I think the actually time needed to wait is 30 %
queryInterval, which may actually be 0 in some cases and just shy of
queryInterval in others.  Sound about right?

*bleah*  This is the problem with trying to do the publisher math from the resolver's point of view.

In the following lower case terms are intervals, uppercase terms are date/times.  The difference between two date/times is an interval. The sum of an interval and a date/time is a date/time.

A given resolver - absent an attack (and missing packets) - installs a new trust anchor at this point in time (assuming the new stuff was published after LastQueryTime)

   LastQueryTime + queryInterval + addHoldDownTime + queryInterval.


With an attack (but absent missing packets), the new trust anchor is installed   at this point in time:

   RRSigExpirationTime + (queryInterval - MIN(0, RRSetExpirationTime -
   LastQueryTimePriorToRRSetExpiration )) + addHoldDownTime + queryInterval


The publisher, to calculate how long it should wait before assumes that most resolvers have installed the new trust anchor has to be able to calculate both queryInterval and addHoldDownTime and then take a SWAG as to how much longer to wait.  So assuming worst case we

Substitute queryInterval for

   (queryInterval - MIN(0, RRSetExpirationTime -
   LastQueryTimePriorToRRSetExpiration))

(Assuming that the RRSetExpiration happens infinitesimally after to the expiration of the query timer). That gets you the latest time the resolver might install a new trust anchor (without retries):

   RRSigExpirationTime + queryInterval + addHoldDownTime + queryInterval.

queryInterval starts as the 5011 formulation: queryInterval = MAX(1 hr, MIN (15 days, 1/2*origTTL, 1/2*  rrSigExpirationInterval))  but we have to deal with a possible disconnect here.  The notation is made that maxOldRRSigExpirationInterval is the maximum rrSigExpiratonInterval of the DNSKeyRRSets published prior to the RRSigExpirationTime.    The reason for this is to deal with the case where the publisher changes the rrSigExpirationInterval for the new DNSKeyRRSets and where it might be unclear which of multiple possible queryIntervals the resolver is using.

So:

   publishersQueryIntervalEstimate ::= MAX (1hr, MIN (15 days, 1/2*
   origTTL, 1/ * maxOldRRsigExpirationInterval))


addHoldDownTime starts as the 5011 formulation: "The add hold-down time is 30 days or the expiration time of the original TTL of the first trust point DNSKEY RRSet that contained the new key, whichever is greater." and gets converted into an actual formula:

   publishersAddHoldDownEstimate ::= MAX (30 days, origTTL).


So putting it all together we get:

   OldRRSigExpirationTime ::= the latest expiration date of an RRSig
   over an DNSKey RRSet which did not contain the new anchor.


   PublishersAddCompleteEstimatedDate ::= OldRRSigExpirationTime + 2 *
   publishersQueryIntervalEstimate + publishersAddHoldDownEstimate


That gets us a date on which well behaving resolvers should have gotten the word. But we need safety so:

   PublishersAddCompleteSafeDate ::= PublishersAddCompleteEstimatedDate
   + publishersSlop.


For want of a better value we use publishersSlop ::= 2 * publishersQueryIntervalEstimate making the final formula:

   PublishersAddCompleteSafeDate ::= OldRRSigExpirationTime + (4 *
   publishersQueryIntervalEstimate) + publishersAddHoldDownEstimate


So assuming:

   Today ::= 11 September 2017, Noon UTC

   OldRRSigExpirationTime ::= 18 September 2017, Noon UTC

   maxOldRRSigExpirationInterval (from the draft 5.1): 10 days.

   origTTL ::= 1 day


We get:

        publishersQueryIntervalEstimate:  MAX (1 hr, MIN (15 days, 12
   hrs, 5 days)) or 12 hrs.
        publishersAddHoldDownEstimate: MAX (30 days, 1 day) or 30 days.
        PublishersAddCompleteEstimatedDate: 201709181200 + 1 day + 30
   days or 201710191200
        PublishersAddCompleteSafeDate: 201709181200 + 2 days + 30 days
   or 201710201200

The actual interval to wait is PublishersAddCompleteSafeDate - Today or 201710201200 - 201709111200 or 38 days assuming that you publish as soon as you sign.  (which is generally a bad assumption and why I keep pushing to use dates not intervals as the results).

Using instead some larger values:

   Today ::= 11 September 2017 Noon UTC
   OldRRSigExpirationTime ::= 30 September 2017 Noon UTC
   maxOldRRSigExpirationInterval:  45 days
   origTTL ::= 7 days

We get:

   publishersQueryIntervalEstimate: MAX (1 hr, MIN (15 Days, 3.5 days,
   22.5 days)) or 3.5 days
   publishersAddHoldDownCompleteEstimatedDate: MAX (30 days, 7 days) or
   30 days
   PublishersAddCompleteEstimatedDate:  201709301200 + 7 days + 30 days
   we get 201711061200
   PublishersAddCompleteSafeDate: 201709301200 + 14 days + 30 days we
   get 201711131200

Note that the safe dates can be calculated without reference to the current date, and without a need to back calculate an interval.

Mike










4. Both definitions (Itrp and waitTime) don't really take into
consideration the retryTime defined in RFC 5011. Perhaps that can be
used for defining the extra safety margin.
I'll have to add some text about that.  I don't think we can solve the
case for broken networks, though.  But it's an important point to bring up.

Assume the worst case - that a resolver never goes into the fast retry mode.  Then you can just ignore the retryTime in favor of queryTime as a slop term.


Mike


_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to