On 9/6/2017 12:05 PM, Wes Hardaker wrote:
Matthijs Mekking <[email protected]> writes:
Thanks for all your points, and I've gone through and handled them all
in the text (including discussing that we update 7583 per your request).
2. waitTime only adds one queryInterval, while Itrp adds two. I believe
to be safe on the publishing side, two queryIntervals is needed. RFC
7583 explains:
A validator will treat it as a trust anchor the next
time it retrieves the RRset, a process that can take up to another
queryInterval (the third term).
This is the one that had me think with a whiteboard for a while. If I
can sum it up differently, the problem is that 30 days may not be a
factor of the queryInterval. Thus:
N * queryInterval >= 30
Where N is the number of queries to get somewhere over 30 days.
So Irtp is waiting an extra queryInterval to account for this
possibility.
Mathematically, I think the actually time needed to wait is 30 %
queryInterval, which may actually be 0 in some cases and just shy of
queryInterval in others. Sound about right?
*bleah* This is the problem with trying to do the publisher math from
the resolver's point of view.
In the following lower case terms are intervals, uppercase terms are
date/times. The difference between two date/times is an interval. The
sum of an interval and a date/time is a date/time.
A given resolver - absent an attack (and missing packets) - installs a
new trust anchor at this point in time (assuming the new stuff was
published after LastQueryTime)
LastQueryTime + queryInterval + addHoldDownTime + queryInterval.
With an attack (but absent missing packets), the new trust anchor is
installed at this point in time:
RRSigExpirationTime + (queryInterval - MIN(0, RRSetExpirationTime -
LastQueryTimePriorToRRSetExpiration )) + addHoldDownTime + queryInterval
The publisher, to calculate how long it should wait before assumes that
most resolvers have installed the new trust anchor has to be able to
calculate both queryInterval and addHoldDownTime and then take a SWAG as
to how much longer to wait. So assuming worst case we
Substitute queryInterval for
(queryInterval - MIN(0, RRSetExpirationTime -
LastQueryTimePriorToRRSetExpiration))
(Assuming that the RRSetExpiration happens infinitesimally after to the
expiration of the query timer). That gets you the latest time the
resolver might install a new trust anchor (without retries):
RRSigExpirationTime + queryInterval + addHoldDownTime + queryInterval.
queryInterval starts as the 5011 formulation: queryInterval = MAX(1 hr,
MIN (15 days, 1/2*origTTL, 1/2* rrSigExpirationInterval)) but we have
to deal with a possible disconnect here. The notation is made that
maxOldRRSigExpirationInterval is the maximum rrSigExpiratonInterval of
the DNSKeyRRSets published prior to the RRSigExpirationTime. The
reason for this is to deal with the case where the publisher changes the
rrSigExpirationInterval for the new DNSKeyRRSets and where it might be
unclear which of multiple possible queryIntervals the resolver is using.
So:
publishersQueryIntervalEstimate ::= MAX (1hr, MIN (15 days, 1/2*
origTTL, 1/ * maxOldRRsigExpirationInterval))
addHoldDownTime starts as the 5011 formulation: "The add hold-down time
is 30 days or the expiration time of the original TTL of the first trust
point DNSKEY RRSet that contained the new key, whichever is greater."
and gets converted into an actual formula:
publishersAddHoldDownEstimate ::= MAX (30 days, origTTL).
So putting it all together we get:
OldRRSigExpirationTime ::= the latest expiration date of an RRSig
over an DNSKey RRSet which did not contain the new anchor.
PublishersAddCompleteEstimatedDate ::= OldRRSigExpirationTime + 2 *
publishersQueryIntervalEstimate + publishersAddHoldDownEstimate
That gets us a date on which well behaving resolvers should have gotten
the word. But we need safety so:
PublishersAddCompleteSafeDate ::= PublishersAddCompleteEstimatedDate
+ publishersSlop.
For want of a better value we use publishersSlop ::= 2 *
publishersQueryIntervalEstimate making the final formula:
PublishersAddCompleteSafeDate ::= OldRRSigExpirationTime + (4 *
publishersQueryIntervalEstimate) + publishersAddHoldDownEstimate
So assuming:
Today ::= 11 September 2017, Noon UTC
OldRRSigExpirationTime ::= 18 September 2017, Noon UTC
maxOldRRSigExpirationInterval (from the draft 5.1): 10 days.
origTTL ::= 1 day
We get:
publishersQueryIntervalEstimate: MAX (1 hr, MIN (15 days, 12
hrs, 5 days)) or 12 hrs.
publishersAddHoldDownEstimate: MAX (30 days, 1 day) or 30 days.
PublishersAddCompleteEstimatedDate: 201709181200 + 1 day + 30
days or 201710191200
PublishersAddCompleteSafeDate: 201709181200 + 2 days + 30 days
or 201710201200
The actual interval to wait is PublishersAddCompleteSafeDate - Today or
201710201200 - 201709111200 or 38 days assuming that you publish as soon
as you sign. (which is generally a bad assumption and why I keep
pushing to use dates not intervals as the results).
Using instead some larger values:
Today ::= 11 September 2017 Noon UTC
OldRRSigExpirationTime ::= 30 September 2017 Noon UTC
maxOldRRSigExpirationInterval: 45 days
origTTL ::= 7 days
We get:
publishersQueryIntervalEstimate: MAX (1 hr, MIN (15 Days, 3.5 days,
22.5 days)) or 3.5 days
publishersAddHoldDownCompleteEstimatedDate: MAX (30 days, 7 days) or
30 days
PublishersAddCompleteEstimatedDate: 201709301200 + 7 days + 30 days
we get 201711061200
PublishersAddCompleteSafeDate: 201709301200 + 14 days + 30 days we
get 201711131200
Note that the safe dates can be calculated without reference to the
current date, and without a need to back calculate an interval.
Mike
4. Both definitions (Itrp and waitTime) don't really take into
consideration the retryTime defined in RFC 5011. Perhaps that can be
used for defining the extra safety margin.
I'll have to add some text about that. I don't think we can solve the
case for broken networks, though. But it's an important point to bring up.
Assume the worst case - that a resolver never goes into the fast retry
mode. Then you can just ignore the retryTime in favor of queryTime as a
slop term.
Mike
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
