Re: [DNSOP] draft-dnsop-dnssec-extension-pkix

2023-07-22 Thread Tim Wicinski
All

The chairs want to thank Viktor and Mark for their comments, and
Hyeonmin and Taekyoung for pulling their presentation for now.

I know sometimes folks have issues with some of the presentations we
accept, but our rules are "Current Work has priority, For Consideration is
first come, first serve."  Sometimes this may get us documents which may
confuse members of the working group, but we also take the approach of
acting as "DNS Dispatch".

tim
(I am sure I said this all wrong and I apologize in advance)



On Fri, Jul 21, 2023 at 5:37 AM Taekyoung Kwon  wrote:

> Hi! Viktor, Mark and Paul,
>
> Thank you so much for crucial comments and candid opinions.
> We have been thinking about the downgrade attacks that you mentioned.
> Right now, it is not easy to come up with a solution space for such
> attacks.
> We agree that it is better to discuss this proposal (after addressing such
> issues) in later meetings.
> So we'd like to withdraw our presentation slot this time.
>
> Thank you,
>
> Hyeonmin and Taekyoung,

Re: [DNSOP] draft-dnsop-dnssec-extension-pkix

2023-07-21 Thread Taekyoung Kwon
Hi! Viktor, Mark and Paul,

Thank you so much for crucial comments and candid opinions.
We have been thinking about the downgrade attacks that you mentioned.
Right now, it is not easy to come up with a solution space for such attacks.
We agree that it is better to discuss this proposal (after addressing such
issues) in later meetings.
So we'd like to withdraw our presentation slot this time.

Thank you,

Hyeonmin and Taekyoung,



Re: [DNSOP] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop agenda?

2023-07-17 Thread Paul Wouters
On Jul 16, 2023, at 15:53, Viktor Dukhovni  wrote:
> 
> 
> I should perhaps have stated the technical criteria on which I consider
> the proposal non-viable.  To wit:
> 
>- The proposed protocol lacks all downgrade resistance.
>- Without a signed delegation from the parent, the existence of the
>  zone apex CERT RRs and associated RRSIGs is trivially denied by
>  an on-path attacker.

Indeed, the lack of a chain of trust via DS records means the CERT and RRSIG 
records can just be removed from the answers.
Encoding the presence somehow in the NS names (aka dnscurve style) also doesn’t 
help because such an approach requires authenticated connections from the root 
down and doesn’t work through dns caches. The exact reason why dnscurve was 
non-viable.

And finally, as with proposals to replace ipv6 with something better, it would 
take years for the software to be written and deployed, so it is questionable 
whether fragmenting the dns world into two different methods to accomplish the 
same thing would speed up the security of DNS. Better focus on removing 
roadblocks that cause people to postpone DNSSEC deployments.

Paul
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop agenda?

2023-07-16 Thread Mark Andrews



> On 17 Jul 2023, at 05:53, Viktor Dukhovni  wrote:
> 
> On Sun, Jul 16, 2023 at 03:06:35PM -0400, Viktor Dukhovni wrote:
>> I see that draft-dnsop-dnssec-extension-pkix is included on the IETF117 
>> dnsop agenda.
>> 
>>https://datatracker.ietf.org/doc/draft-dnsop-dnssec-extension-pkix/
>> 
>> I haven't seen prior discussion of this item on the list, and,
>> personally, rather suspect it unlikely to gain meaningful support from
>> the WG and see adoption.
>> 
>> Would it be possible to defer discussion of this document to such time as
>> some evidence of support emerges, and in the meantime use the timeslot
>> for more realistically productive proposals?
> 
> I should perhaps have stated the technical criteria on which I consider
> the proposal non-viable.  To wit:
> 
>- The proposed protocol lacks all downgrade resistance.
>- Without a signed delegation from the parent, the existence of the
>  zone apex CERT RRs and associated RRSIGs is trivially denied by
>  an on-path attacker.
>- This protocol adds failure modes (CERTs and RRSIGs are available,
>  but don't match), without adding any security.
> 
> Since the point of DNSSEC is to thwart active attacks, and the protocol
> in the proposed draft offers no such protection, I consider it
> non-viable.
> 
> There are other substantial issues, but the above is sufficient to stop
> looking for more reasons why this is a dead-end.
> 
> -- 
>Viktor.
> 

I concur.  This is a horribly flawed proposal.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: [DNSOP] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop agenda?

2023-07-16 Thread Viktor Dukhovni
On Sun, Jul 16, 2023 at 03:06:35PM -0400, Viktor Dukhovni wrote:
> I see that draft-dnsop-dnssec-extension-pkix is included on the IETF117 dnsop 
> agenda.
> 
> https://datatracker.ietf.org/doc/draft-dnsop-dnssec-extension-pkix/
> 
> I haven't seen prior discussion of this item on the list, and,
> personally, rather suspect it unlikely to gain meaningful support from
> the WG and see adoption.
> 
> Would it be possible to defer discussion of this document to such time as
> some evidence of support emerges, and in the meantime use the timeslot
> for more realistically productive proposals?

I should perhaps have stated the technical criteria on which I consider
the proposal non-viable.  To wit:

- The proposed protocol lacks all downgrade resistance.
- Without a signed delegation from the parent, the existence of the
  zone apex CERT RRs and associated RRSIGs is trivially denied by
  an on-path attacker.
- This protocol adds failure modes (CERTs and RRSIGs are available,
  but don't match), without adding any security.

Since the point of DNSSEC is to thwart active attacks, and the protocol
in the proposed draft offers no such protection, I consider it
non-viable.

There are other substantial issues, but the above is sufficient to stop
looking for more reasons why this is a dead-end.

-- 
Viktor.

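As an added illustration of the point Viktor's bullets and Paul's reply make (this is editor-supplied example code, not part of the thread and not the draft's own protocol), here is a small Python model of DNSSEC chain-of-trust validation. It shows why a DS record signed by the parent is what gives downgrade resistance: with a DS, a response whose apex CERT and RRSIG have been removed or no longer match validates as bogus; without a DS, the validator can only classify the zone as insecure, so a stripped response is indistinguishable from an honest one, and a mismatched RRSIG is a new failure that buys no security. The zone names, keys and CERT contents are constructed, the HMAC is a stand-in for real RRSIG public-key signatures (the model's verifier therefore holds the same secret as the signer), an empty signed DS RRset stands in for an authenticated NSEC denial, and `apex_only_check` is my reading of the most a validator can do when the only keys available are the child's own apex DNSKEYs.

```python
"""Toy model of DNSSEC validation with and without a parent-signed DS record.

Constructed example: names, keys and CERT rdata are invented, and an HMAC over the
canonical RRset stands in for an RRSIG public-key signature.
"""
import hashlib
import hmac
from dataclasses import dataclass

PARENT = "test."           # constructed parent zone (holds the trust anchor)
CHILD = "example.test."    # constructed child zone publishing apex CERT records


@dataclass(frozen=True)
class Key:
    """Stand-in for a DNSKEY. A real DNSKEY publishes only the public half."""
    owner: str
    tag: int
    secret: bytes

    def ds_digest(self) -> str:
        """DS rdata the parent publishes: a digest binding owner, tag and key material."""
        pub = hashlib.sha256(self.secret).digest()   # stand-in for the public key
        return hashlib.sha256(f"{self.owner}|{self.tag}|".encode() + pub).hexdigest()


def canonical(owner: str, rtype: str, rdata: list[str]) -> bytes:
    """Canonical form of an RRset, the thing an RRSIG actually covers."""
    return (f"{owner}|{rtype}|" + "|".join(sorted(rdata))).encode()


def sign(key: Key, owner: str, rtype: str, rdata: list[str]) -> dict:
    """Produce a model RRSIG over the RRset with the given key."""
    mac = hmac.new(key.secret, canonical(owner, rtype, rdata), hashlib.sha256).hexdigest()
    return {"covered": rtype, "tag": key.tag, "signer": key.owner, "mac": mac}


def verify(key: Key, owner: str, rtype: str, rdata: list[str], rrsig) -> bool:
    """Check a model RRSIG: right key, right type covered, MAC over the current rdata."""
    if rrsig is None or rrsig["covered"] != rtype or rrsig["tag"] != key.tag \
            or rrsig["signer"] != key.owner:
        return False
    expected = hmac.new(key.secret, canonical(owner, rtype, rdata), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rrsig["mac"])


def validate_cert(trust_anchor: Key, ds_rdata: list[str], ds_rrsig,
                  child_key, cert_rdata: list[str], cert_rrsig) -> str:
    """Classify the child's apex CERT RRset as secure, insecure or bogus."""
    # 1. The parent's statement about the child (DS present, or a signed denial, modelled
    #    here as an empty signed DS RRset) must verify against the trust anchor.
    if not verify(trust_anchor, CHILD, "DS", ds_rdata, ds_rrsig):
        return "bogus"
    if not ds_rdata:
        # 2a. No DS: the chain of trust ends at the parent. Whatever the child publishes
        #     at its apex, CERT and RRSIG included, is unauthenticated data.
        return "insecure"
    # 2b. DS present: the child's DNSKEY must match it ...
    if child_key is None or child_key.ds_digest() not in ds_rdata:
        return "bogus"
    # 3. ... and the CERT RRset must carry a valid RRSIG made with that key.
    if not verify(child_key, CHILD, "CERT", cert_rdata, cert_rrsig):
        return "bogus"
    return "secure"


def _scenario(on_path: str):
    """Build the records a validator would see. on_path: 'none' (honest path),
    'strip' (CERT and its RRSIG removed in transit), 'mismatch' (CERT rdata altered)."""
    parent_key = Key(PARENT, 1, b"constructed-parent-key-secret")
    child_key = Key(CHILD, 2, b"constructed-child-key-secret")
    cert_rdata = ["PKIX 2 8 <base64 of a constructed certificate>"]
    cert_rrsig = sign(child_key, CHILD, "CERT", cert_rdata)
    if on_path == "strip":
        cert_rdata, cert_rrsig = [], None
    elif on_path == "mismatch":
        cert_rdata = ["PKIX 2 8 <base64 of a different certificate>"]
    return parent_key, child_key, cert_rdata, cert_rrsig


def outcome(ds_published: bool, on_path: str) -> str:
    """Full chain-of-trust validation with or without a DS in the parent."""
    parent_key, child_key, cert_rdata, cert_rrsig = _scenario(on_path)
    ds_rdata = [child_key.ds_digest()] if ds_published else []
    ds_rrsig = sign(parent_key, CHILD, "DS", ds_rdata)   # parent signs the DS set, or its absence
    return validate_cert(parent_key, ds_rdata, ds_rrsig, child_key, cert_rdata, cert_rrsig)


def apex_only_check(on_path: str) -> str:
    """Assumption: the most a validator can do with no DS is check the apex CERT against
    the apex DNSKEY. Removal leaves nothing to check; only a mismatch produces an error."""
    _, child_key, cert_rdata, cert_rrsig = _scenario(on_path)
    if not cert_rdata:
        return "absent"        # indistinguishable from a zone that never published CERTs
    return "verified" if verify(child_key, CHILD, "CERT", cert_rdata, cert_rrsig) else "mismatch"


def matrix() -> dict:
    """All combinations, for eyeballing: (ds_published, on_path) -> validation result."""
    return {(ds, path): outcome(ds, path)
            for ds in (False, True) for path in ("none", "strip", "mismatch")}


if __name__ == "__main__":
    for (ds, path), result in matrix().items():
        print(f"DS published={ds!s:5}  on-path={path:8}  ->  {result}")
    for path in ("none", "strip", "mismatch"):
        print(f"apex-only check, on-path={path:8}  ->  {apex_only_check(path)}")
```

Reading the matrix: with a DS, stripping or altering the apex records is detected (bogus), which is the downgrade resistance the chain of trust provides. Without a DS every path outcome is insecure, and the apex-only check shows the asymmetry Viktor's third bullet describes: a removed CERT passes silently while a mismatched one fails.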


[DNSOP] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop agenda?

2023-07-16 Thread Viktor Dukhovni
I see that draft-dnsop-dnssec-extension-pkix is included on the IETF117 dnsop 
agenda.

https://datatracker.ietf.org/doc/draft-dnsop-dnssec-extension-pkix/

I haven't seen prior discussion of this item on the list, and,
personally, rather suspect it unlikely to gain meaningful support from
the WG and see adoption.

Would it be possible to defer discussion of this document to such time as
some evidence of support emerges, and in the meantime use the timeslot
for more realistically productive proposals?

-- 
Viktor.
