Re: [dns-operations] Signing on the fly and UltraDNS

2021-01-04 Thread Kim Minh Kaplan
Paul Hoffman writes:

> Greetings again. Those of us who research DNSSEC adoption in the real world 
> are being a bit stymied by some of the sign-on-the-fly systems, such as this 
> one, apparently from UltraDNS. (Similar results are given for any nonexistent 
> name in house.gov, such as "www1".)

[...]

> ~.anynameyouwans~.house.gov. 882 IN   RRSIG   NSEC 13 4 900 20210625144704 
> 20201227144704 34842 house.gov. 
> cyHvX3u6PVXUmSqWwFbzDEwKDpCLklowf+QnNF5q4hwUulvaZci+n2Ml 
> yK7K2Q0ttdsaicN255QJmNU7pBD5qA==
> ~.anynameyouwans~.house.gov. 882 IN   NSEC    anynameyouwant!.house.gov. 
> RRSIG NSEC
> !~.house.gov. 882 IN  RRSIG   NSEC 13 3 900 20210625144704 
> 20201227144704 34842 house.gov. 
> gQ8Rwjx/31pXh0Anx9+wYSmj3BRpKp7PGegmEvmdejiVV6UmFfds8YyV 
> nqjs9Au1XZVgNjtE9fjQC87nElKUCQ==
> !~.house.gov. 882 IN  NSEC    -.house.gov. RRSIG NSEC

This kind of trick is documented in RFC 4470 Minimally Covering NSEC
Records and DNSSEC On-line Signing. It gives even weirder names.

Kim Minh.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] [Ext] Signing on the fly and UltraDNS

2021-01-04 Thread Viktor Dukhovni
On Tue, Jan 05, 2021 at 08:07:16AM +0100, Vladimír Čunát wrote:

> Off the top of my head, I don't even know how exactly the escaping is 
> specified in RFCs.

That's easy, any *non-digit* character can be escaped with a preceding
"\", or alternatively as a 3-digit *decimal* \DDD sequence.

The text in 1035 is:

\X              where X is any character other than a digit (0-9), is
                used to quote that character so that its special meaning
                does not apply.  For example, "\." can be used to place
                a dot character in a label.

\DDD            where each D is a digit is the octet corresponding to
                the decimal number described by DDD.  The resulting
                octet is assumed to be text and is not checked for
                special meaning.

-- 
Viktor.


Re: [dns-operations] [Ext] Signing on the fly and UltraDNS

2021-01-04 Thread Vladimír Čunát

On 1/5/21 5:52 AM, Paul Hoffman wrote:

> I brought the issue to this mailing list, instead of to the UltraDNS folks, 
> because I am using tools that expect host names instead of domain names (in 
> this case, dig); now I have to write shims around them.


In case it helps you, kdig escapes punctuation characters like '!' and 
'~' (contrary to original dig, apparently).


Off the top of my head, I don't even know how exactly the escaping is 
specified in RFCs.


--Vladimir



Re: [dns-operations] [Ext] Signing on the fly and UltraDNS

2021-01-04 Thread Viktor Dukhovni
On Tue, Jan 05, 2021 at 04:52:07AM +, Paul Hoffman wrote:

> >> ~.anynameyouwans~.house.gov. 882 IN  NSEC
> >> anynameyouwant!.house.gov. RRSIG NSEC
> >> !~.house.gov.  882 IN  NSEC    -.house.gov. RRSIG NSEC
> > 
> > Consequently, these choices are largely rational, whether they're
> > "optimal" is a matter of what one chooses to prioritise.
> 
> That all seems correct. However, I brought the issue to this mailing
> list, instead of to the UltraDNS folks, because I am using tools that
> expect host names instead of domain names (in this case, dig); now I
> have to write shims around them. Other signing-on-the-fly mechanisms
> might cause similar issues for dig or other tools.

Indeed anyone else who has been getting away with assuming ~LDH names in
NSEC RRs should be prepared for this, and perhaps even more surprising
formats.  For example, I can elicit "\\\@.house.gov" as an NSEC right
bound from this domain, so escaping/unescaping may be required...

I've also found a way to walk the zone anyway, so the whole charade is
mostly pointless.  It would be far better to just use the real names,
take advantage of aggressive negative caching, and ignore the zone-
walking non-problem.

-- 
Viktor.


Re: [dns-operations] [Ext] Signing on the fly and UltraDNS

2021-01-04 Thread Paul Hoffman
On Jan 4, 2021, at 7:44 PM, Viktor Dukhovni  wrote:
> 
> On Tue, Jan 05, 2021 at 02:39:27AM +, Paul Hoffman wrote:
> 
>> Greetings again. Those of us who research DNSSEC adoption in the real
>> world are being a bit stymied by some of the sign-on-the-fly systems,
>> such as this one, apparently from UltraDNS. (Similar results are given
>> for any nonexistent name in house.gov, such as "www1".)
> 
> These are certainly *interesting* choices, but the result is a valid
> denial of existence, which for some reason chooses to optimise to defend
> against zone walking (of a zone whose content is entirely predictable,
> and likely a matter of public record, ...), rather than improved
> negative caching.  Not a choice I'd make for this zone, but on a purely
> technical level, the proofs work.
> 
> If the zone is known a priori to only contain regular LDH names and the
> occasional "*" or "_", then the possible character range of "real" names
> is a subset of:
> 
>     !…*…-…0–9…A–Z…_…a–z…~
> 
> with the two endpoints excluded.  In which case, any actual successor,
> in lexical order, of some label "foo" (<62 octets long) sorts after
> "foo!", and its predecessor sorts before "~.fon~".
> 
>> ~.anynameyouwans~.house.gov. 882 IN  NSEC    anynameyouwant!.house.gov. 
>> RRSIG NSEC
>> !~.house.gov.    882 IN  NSEC    -.house.gov. RRSIG NSEC
> 
> Consequently, these choices are largely rational, whether they're
> "optimal" is a matter of what one chooses to prioritise.

That all seems correct. However, I brought the issue to this mailing list, 
instead of to the UltraDNS folks, because I am using tools that expect host 
names instead of domain names (in this case, dig); now I have to write shims 
around them. Other signing-on-the-fly mechanisms might cause similar issues for 
dig or other tools.

--Paul Hoffman



Re: [dns-operations] Signing on the fly and UltraDNS

2021-01-04 Thread Viktor Dukhovni
On Tue, Jan 05, 2021 at 02:39:27AM +, Paul Hoffman wrote:

> Greetings again. Those of us who research DNSSEC adoption in the real
> world are being a bit stymied by some of the sign-on-the-fly systems,
> such as this one, apparently from UltraDNS. (Similar results are given
> for any nonexistent name in house.gov, such as "www1".)

These are certainly *interesting* choices, but the result is a valid
denial of existence, which for some reason chooses to optimise to defend
against zone walking (of a zone whose content is entirely predictable,
and likely a matter of public record, ...), rather than improved
negative caching.  Not a choice I'd make for this zone, but on a purely
technical level, the proofs work.

If the zone is known a priori to only contain regular LDH names and the
occasional "*" or "_", then the possible character range of "real" names
is a subset of:

!…*…-…0–9…A–Z…_…a–z…~

with the two endpoints excluded.  In which case, any actual successor,
in lexical order, of some label "foo" (<62 octets long) sorts after
"foo!", and its predecessor sorts before "~.fon~".

> ~.anynameyouwans~.house.gov. 882 IN   NSEC    anynameyouwant!.house.gov. 
> RRSIG NSEC
> !~.house.gov. 882 IN  NSEC    -.house.gov. RRSIG NSEC

Consequently, these choices are largely rational, whether they're
"optimal" is a matter of what one chooses to prioritise.

-- 
Viktor.
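Viktor's argument above (and Kim Minh's pointer to RFC 4470 earlier in the thread) rests on the canonical name order of RFC 4034 section 6.1: if real names only use characters strictly between "!" and "~", then "foo!" is a safe upper bound and "~.fon~" a safe lower bound around a nonexistent "foo". The following is an added example, not code from the thread, from UltraDNS or from RFC 4470: it implements the canonical comparison, an NSEC coverage check, and the bound construction Viktor describes, then verifies that the two NSEC records Paul quoted really prove the NXDOMAIN (one covers the query name, the other covers the wildcard "*.house.gov."). Names are taken in presentation format and assumed to contain no escaped dots, which holds for the quoted records; `covering_bounds` is an illustration of the observed scheme for ordinary LDH labels, not a claim about how the server constructs the wildcard pair.

```python
# Added example (not from the thread): RFC 4034 canonical ordering and NSEC
# coverage, checked against the house.gov records quoted in this thread.
from typing import List, Tuple


def labels(name: str) -> List[bytes]:
    """Split a presentation name into labels, leftmost first; the root is [].
    Assumes no escaped dots in the name."""
    name = name.rstrip(".")
    return [l.encode("ascii") for l in name.split(".")] if name else []


def canonical_cmp(a: str, b: str) -> int:
    """RFC 4034 s6.1 order: compare from the rightmost label, each label as
    unsigned octets with ASCII uppercase folded to lowercase; a label (or a
    name) that is a prefix of the other sorts first. Returns -1, 0 or 1."""
    la = [l.lower() for l in reversed(labels(a))]
    lb = [l.lower() for l in reversed(labels(b))]
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname sorts strictly between the NSEC owner and its next name.
    The last NSEC of a zone points back to the apex (owner > next) and then
    covers everything that sorts after its owner."""
    if canonical_cmp(owner, next_name) < 0:
        return (canonical_cmp(owner, qname) < 0
                and canonical_cmp(qname, next_name) < 0)
    return canonical_cmp(owner, qname) < 0


MIN_CHAR, MAX_CHAR = b"!", b"~"   # the excluded endpoints of Viktor's range


def covering_bounds(label: str, zone: str) -> Tuple[str, str]:
    """Minimal (owner, next) pair around a nonexistent <label>.<zone>, as
    Viktor derives it: the successor appends the lowest allowed character;
    the predecessor steps the last character down, appends the highest one,
    and adds a '~' child label. Assumes an LDH label (never ends in '!')."""
    raw = label.encode("ascii")
    if not raw or raw[-1:] == MIN_CHAR:
        raise ValueError("label must be non-empty and not end in '!'")
    succ = raw + MIN_CHAR
    pred = raw[:-1] + bytes([raw[-1] - 1]) + MAX_CHAR
    return (MAX_CHAR.decode() + "." + pred.decode() + "." + zone,
            succ.decode() + "." + zone)


# Constructed from the dig output quoted in this thread: (owner, next) of
# each NSEC in the NXDOMAIN response for anynameyouwant.house.gov.
HOUSE_GOV_NSECS = [
    ("~.anynameyouwans~.house.gov.", "anynameyouwant!.house.gov."),
    ("!~.house.gov.", "-.house.gov."),
]


def nxdomain_proven(qname: str, zone: str, nsecs) -> bool:
    """For a name directly below the apex, an NXDOMAIN proof needs one NSEC
    covering the name and one covering the wildcard at the apex, '*.<zone>'.
    (A deeper name would first need the closest encloser located.)"""
    name_ok = any(nsec_covers(o, n, qname) for o, n in nsecs)
    wild_ok = any(nsec_covers(o, n, "*." + zone) for o, n in nsecs)
    return name_ok and wild_ok


if __name__ == "__main__":
    q, zone = "anynameyouwant.house.gov.", "house.gov."
    print("bounds the scheme yields:", covering_bounds("anynameyouwant", zone))
    print("NXDOMAIN proven by quoted NSECs:", nxdomain_proven(q, zone, HOUSE_GOV_NSECS))
```

The same `nsec_covers` check is what a validating resolver does before it will use such a response for aggressive negative caching, and it also makes Viktor's point concrete: the covered interval around "anynameyouwant" is so narrow that the cached denial is useless for any other query.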


[dns-operations] Signing on the fly and UltraDNS

2021-01-04 Thread Paul Hoffman
Greetings again. Those of us who research DNSSEC adoption in the real world are 
being a bit stymied by some of the sign-on-the-fly systems, such as this one, 
apparently from UltraDNS. (Similar results are given for any nonexistent name 
in house.gov, such as "www1".)

--Paul Hoffman

# dig +dnssec +noidnout anynameyouwant.house.gov a

; <<>> DiG 9.16.10 <<>> +dnssec +noidnout anynameyouwant.house.gov a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3131
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 82c292cc154c0bee35a4c8d95ff3cf3d4fb01e0d645f3375 (good)
;; QUESTION SECTION:
;anynameyouwant.house.gov.  IN  A

;; AUTHORITY SECTION:
~.anynameyouwans~.house.gov. 882 IN RRSIG   NSEC 13 4 900 20210625144704 
20201227144704 34842 house.gov. 
cyHvX3u6PVXUmSqWwFbzDEwKDpCLklowf+QnNF5q4hwUulvaZci+n2Ml 
yK7K2Q0ttdsaicN255QJmNU7pBD5qA==
~.anynameyouwans~.house.gov. 882 IN NSEC    anynameyouwant!.house.gov. 
RRSIG NSEC
!~.house.gov.   882 IN  RRSIG   NSEC 13 3 900 20210625144704 
20201227144704 34842 house.gov. 
gQ8Rwjx/31pXh0Anx9+wYSmj3BRpKp7PGegmEvmdejiVV6UmFfds8YyV 
nqjs9Au1XZVgNjtE9fjQC87nElKUCQ==
!~.house.gov.   882 IN  NSEC    -.house.gov. RRSIG NSEC
house.gov.  882 IN  SOA pdns109.ultradns.com. 
ncc.mail.house.gov. 1407134 10800 1080 2419200 900
house.gov.  882 IN  RRSIG   SOA 13 2 900 20210625144704 
20201227144704 34842 house.gov. 
p4vIz0ORiZPlwbbpbGo5TEex+eYnvgj+pLzIaK4mSHwUzF+bk15Xx6ao 
HikR5X1/ejuVUIuS6teRjm8ZVdoKag==



Re: [dns-operations] DNSViz please support DNSSEC algorithm Ed25519 (15)

2021-01-04 Thread Jerry Lundström
Hi Arsen,

On 2021-01-04 09:30, Arsen STASIC wrote:
> Hi Jerry,
> 
> * Jerry Lundström  [2021-01-04 09:19 (+0100)]:
>> On 2020-12-30 12:42, Arsen STASIC wrote:
>>> Could you please support DNSSEC algorithm Ed25519 (15)?
>>> I think Casey Deccio has already added support for Ed25519. [0]
>     ^

Ah, I misread.

> I think the code is ready (see [0]).
> Now it's on DNS-OARC to git pull and run it ;-)

I believe Casey has access to push new code himself to the site but if
it's new code then maybe there is a reason it's not up yet, besides that
it's still holiday season.

Cheers,
Jerry


Re: [dns-operations] DNSViz please support DNSSEC algorithm Ed25519 (15)

2021-01-04 Thread Arsen STASIC

Hi Jerry,

* Jerry Lundström  [2021-01-04 09:19 (+0100)]:
> On 2020-12-30 12:42, Arsen STASIC wrote:
>> Could you please support DNSSEC algorithm Ed25519 (15)?
>> I think Casey Deccio has already added support for Ed25519. [0]
    ^

[0] https://github.com/dnsviz/dnsviz/commit/375941d1f2c5cb3ad5ae76138cf9887971b611cf

I think the code is ready (see [0]).
Now it's on DNS-OARC to git pull and run it ;-)

Thank you Casey Deccio for the code and DNS-OARC for hosting it! This is really 
a useful service.

> While we (DNS-OARC) host and operate the public instance of DNSViz, the
> code is still owned and managed by Casey Deccio so I'd suggest you
> create an issue on DNSViz's GitHub:
> 
> 


cheers,
-arsen


Re: [dns-operations] DNSViz please support DNSSEC algorithm Ed25519 (15)

2021-01-04 Thread Jerry Lundström
Hi Arsen,

On 2020-12-30 12:42, Arsen STASIC wrote:
> Could you please support DNSSEC algorithm Ed25519 (15)?
> I think Casey Deccio has already added support for Ed25519. [0]

While we (DNS-OARC) host and operate the public instance of DNSViz, the
code is still owned and managed by Casey Deccio so I'd suggest you
create an issue on DNSViz's GitHub:

  

Also, as DNSViz is an open source project, you are more than welcome to
help develop this support. We can also help with managing the funds for
such a development, please see Funding Development at
.

Cheers,
Jerry