Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-04-14 Thread Viktor Dukhovni 


> On Apr 14, 2018, at 4:26 PM, Matthew Pounsett  wrote:
> 
> These are getting into name server quality checks, and not security checks, 
> which is the point of the acceptance testing.  I don't agree that these 
> should be part of this document.

If the registry operator is going to automatically upgrade previously insecure 
delegations to DNSSEC, then due diligence to make sure that this is not going 
to cause outages is advisable.  Once a domain is signed, TLSA and CAA lookups 
must succeed, or the domain may no longer receive email from DANE-enabled 
sending MTAs, or be able to obtain certificates from their CA, ...

So I rather strongly feel that appropriate quality checks should be in place, 
to protect both the registrant and the registry (dealing with fallout from 
outages is best avoided).

>>   o Check that if the zone uses RSA, the KSK and ZSK are at least 1280
>> bits and at most 2048 bits.  This may be controversial, but for new
>> deployments RSA <= 1024 bits is widely considered too weak, and RSA
>> with more than 2048 bits creates signatures that are often too large
>> for reliable UDP transport.
> 
> While this is probably a reasonable thing to do, a registration mechanism 
> documented in REGEXT is not the place to do this.  I think if DNSOP wants 
> such advice in a standard there should be a BCP document out of DNSOP that 
> defines it.

Yes, this is a point for discussion.  Still I think it would be bad to, for 
example, introduce more domains with 512-bit RSA keys, or perhaps even accept 
1024-bit RSA
keys.  There are many domains with 1536-bit KSKs and 1280-bit ZSKs, these are I
think well chosen, though ECDSA P-256 (algorithm 13) is looking increasingly 
like
an even better choice at present.

Given that 1024-bit RSA is considered past its use-by these days, perhaps 
limiting
automated upgrades to DNSSEC only to stronger keys is a good idea???

>>   o Check that if the zone uses NSEC3 the NSEC3PARAM iteration count is
>> at most 150 (regardless of RSA key size).  Larger iteration counts
>> are both inefficient and fragile in the face of algorithm rollovers.
>> The optimal value is 0 (performs one round of SHA1, which is enough 
>> to
>> deter casual zone walking).  The most popular value is 1, which is
>> very likely because it is slightly unclear whether 0 means no hash
>> or (as is the case) just one initial hash.  So hats off to the
>> operations that chose 1, they understand that the count should be
>> low, and are careful to avoid edge cases.
> 
> Again, I think this is out of scope of a document standardizing a 
> registration mechanism.  Besides which, there are operators out there who 
> deliberately have a low iteration count because they don't care about zone 
> walking, and are only using NSEC3 for the opt-out capability.

Here you misunderstood my point, I am suggesting a MAXIMUM of 150 and 
recommending
0 or 1, precisely because opt-out is mostly all that NSEC3 is useful for, but 
one
or two rounds of SHA deter "casual" zone walking.

You may not have seen my posts to dns-operations and this list about the issues
with iteration counts that exceed 150.  The tl;dr version is don't do that.
Catching mistakes at registration time is our best opportunity to maintain the
hygiene of the ecosystem.

-- 
Viktor.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-04-14 Thread Matthew Pounsett 
On 14 April 2018 at 12:54, Viktor Dukhovni  wrote:

>
> A number of checks are listed in:
>
>   https://tools.ietf.org/html/draft-ietf-regext-dnsoperator-
> to-rrr-protocol-04#section-3.4
>
> that are intended to make sure a domain is ready for DNSSEC.
>
> As I've been the DNSSEC and DANE implementations at now ~5.8 million
> domains, I'd like to suggest some additional checks:
>

Thanks for the review Viktor. We haven't had many DNS people respond to the
draft.. I've been considering mentioning it in DNSOP, but was going to wait
until several pending changes are in the doc and -05 is out (hopefully in
the next week or two, time permitting).


>
>  o  ensuring that the SOA record RRset is correctly signed, unlike:
>
>   http://dnsviz.net/d/_25._tcp.mx1.techtrack.gov/dnssec/
>
> which is always incremented by 1 *after* the zone is signed!
>

I believe this is already covered by the first point: "checks that the
child zone is is properly signed as per the Registration Entity and parent
DNSSEC policies".  Although, we could add some example RRsets that should
be examined for correct signatures.


>  o  ensuring the NS RRset at the zone apex matches the glue RRs
> at the parent zone


>  o  Verifying that TLSA lookups are NOT blocked and denial of
> existence works by querying for:
>
>_25._tcp..example.net. IN TLSA ?
>
> and verifying the NXDomain, NODATA, or (very rarely) wildcard
> TLSA records against the implied DNSKEYs.  The nonce can be some
> random hex string of 8 or more bytes, that is unlikely to be an
> actual name in the zone.
>
>   o Do the above for all IPv4 and IPv6 addresses of all the
> nameservers,
> as some misconfigured firewalls block unexpected RR types for just
> IPv4 or just IPv6.
>
>   o A similar probe for CAA records is likely appropriate, Let's
> Encrypt
> runs into CAA lookup issues for a non-negligible fraction of
> domains.
>

These are getting into name server quality checks, and not security checks,
which is the point of the acceptance testing.  I don't agree that these
should be part of this document.


>
>   o Check that if the zone uses RSA, the KSK and ZSK are at least 1280
> bits and at most 2048 bits.  This may be controversial, but for new
> deployments RSA <= 1024 bits is widely considered too weak, and RSA
> with more than 2048 bits creates signatures that are often too
> large
> for reliable UDP transport.
>

While this is probably a reasonable thing to do, a registration mechanism
documented in REGEXT is not the place to do this.  I think if DNSOP wants
such advice in a standard there should be a BCP document out of DNSOP that
defines it.


>
>   o Check that if the zone uses NSEC3 the NSEC3PARAM iteration count is
> at most 150 (regardless of RSA key size).  Larger iteration counts
> are both inefficient and fragile in the face of algorithm
> rollovers.
> The optimal value is 0 (performs one round of SHA1, which is
> enough to
> deter casual zone walking).  The most popular value is 1, which is
> very likely because it is slightly unclear whether 0 means no hash
> or (as is the case) just one initial hash.  So hats off to the
> operations that chose 1, they understand that the count should be
> low, and are careful to avoid edge cases.
>

Again, I think this is out of scope of a document standardizing a
registration mechanism.  Besides which, there are operators out there who
deliberately have a low iteration count because they don't care about zone
walking, and are only using NSEC3 for the opt-out capability.
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-04-14 Thread Viktor Dukhovni 

A number of checks are listed in:

  
https://tools.ietf.org/html/draft-ietf-regext-dnsoperator-to-rrr-protocol-04#section-3.4

that are intended to make sure a domain is ready for DNSSEC.

As I've been the DNSSEC and DANE implementations at now ~5.8 million domains, 
I'd like to suggest some additional checks:

 o  ensuring that the SOA record RRset is correctly signed, unlike:

  http://dnsviz.net/d/_25._tcp.mx1.techtrack.gov/dnssec/

which is always incremented by 1 *after* the zone is signed!

 o  ensuring the NS RRset at the zone apex matches the glue RRs
at the parent zone

 o  Verifying that TLSA lookups are NOT blocked and denial of
existence works by querying for:

   _25._tcp..example.net. IN TLSA ?

and verifying the NXDomain, NODATA, or (very rarely) wildcard
TLSA records against the implied DNSKEYs.  The nonce can be some
random hex string of 8 or more bytes, that is unlikely to be an
actual name in the zone.

  o Do the above for all IPv4 and IPv6 addresses of all the nameservers,
as some misconfigured firewalls block unexpected RR types for just
IPv4 or just IPv6.

  o A similar probe for CAA records is likely appropriate, Let's Encrypt
runs into CAA lookup issues for a non-negligible fraction of domains.

  o Check that if the zone uses RSA, the KSK and ZSK are at least 1280
bits and at most 2048 bits.  This may be controversial, but for new
deployments RSA <= 1024 bits is widely considered too weak, and RSA
with more than 2048 bits creates signatures that are often too large
for reliable UDP transport.

  o Check that if the zone uses NSEC3 the NSEC3PARAM iteration count is
at most 150 (regardless of RSA key size).  Larger iteration counts
are both inefficient and fragile in the face of algorithm rollovers.
The optimal value is 0 (performs one round of SHA1, which is enough to
deter casual zone walking).  The most popular value is 1, which is
very likely because it is slightly unclear whether 0 means no hash
or (as is the case) just one initial hash.  So hats off to the
operations that chose 1, they understand that the count should be
low, and are careful to avoid edge cases.

-- 
Viktor.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop