On 17 Mar 2017, at 9:31, Wei Chuang wrote:

> On Thu, Mar 16, 2017 at 10:25 AM, Paul Hoffman <[email protected]> wrote:
>
>> On 16 Mar 2017, at 10:09, Wei Chuang wrote:
>>
>>> I saw there was significant interest <http://blog.huque.com/2014/07/dnssec-key-transparency.html> in exploring CT for DNSSEC back in 2014, for which a draft, draft-zhang-trans-ct-dnssec <https://tools.ietf.org/html/draft-zhang-trans-ct-dnssec-03>, was created. It seems to have quieted down since. I believe the motivation is still there, which is to prevent a parent zone from potentially misbehaving and spoofing the child zone. Is there still interest in this? From the list archives, I can't see what the issues were, though I'm guessing one of them was respecifying the DS resource record to use a SCT, which might have caused compatibility concerns. (But please correct me if I'm wrong.) Other than that, the draft seems pretty reasonable. Were there other concerns?
>>
>> There were two separate issues that got conflated at the time:
>>
>> - Seeing evidence that a parent had spoofed DNSSEC keys for a child. A transcript of the DS records in the parent is sufficient as long as the child doesn't have relying parties create islands of trust (which is relatively rare these days).
>>
>> - Seeing evidence that a parent had spoofed any resource records for a child. A transcript of the NS records in the parents is a good start, although what is really needed is a transcript of everything that is seen for the child.
>
> Is this because you're worried about the parent removing evidence of DNSSEC for the child in the spoofing scenario?

No, this is because the parent can spoof any data for the child. It is unrelated to DNSSEC.

> If the parent tries to spoof with DNSSEC for the child, I would assume that seeing the DS SCTs in the log is sufficient to find evidence of spoofing. That said, I think it could be helpful to log NS as well for forensics.

Transcripts are useful even when the logged data is not cryptographic.

> One issue with logging all records seen is that if webmail providers publish SMIMEA, there will be a potentially overwhelming number of records logged, and a very large change rate.

Don't log what you can't log due to scale.

> Another issue is privacy of such records.

Sure, but there are unpredictable privacy issues with lots of DNS record data. It's not possible for us to predict what will and will not be considered private information now or in the future for anyone other than ourselves.

>> In both cases, having transcripts from various DNS looking glasses around the Internet would give greater assurance of the integrity of the transcript.
>
> I agree that would be a good idea.

--Paul Hoffman
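Added example, not from the thread or either author: the check that the DS transcript Paul describes would enable. It assumes a log that records each DS the parent served for the child as a (key tag, algorithm, digest type, digest) tuple and a DNSKEY set obtained from the child itself; any logged DS that no child key explains is the evidence of parent misbehaviour the thread is after. The zone name, key bytes and logged entries are constructed; the DS and key-tag arithmetic follows RFC 4034.

```python
"""Compare a logged DS transcript against a child zone's DNSKEY set (RFC 4034).

Constructed example: names, key bytes and 'logged' DS entries are made up;
the digest (RFC 4034 section 5.1.4, digest type 2 = SHA-256) and key tag
(RFC 4034 appendix B) computations are the standard ones.
"""
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B, algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """Digest type 2: SHA-256 over owner name wire format || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def expected_ds(owner, dnskeys):
    """The DS tuples (key_tag, algorithm, digest_type, digest) the child's keys imply."""
    out = set()
    for flags, proto, alg, pubkey in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, pubkey)
        out.add((key_tag(rdata), alg, 2, ds_digest(owner, rdata)))
    return out

def unexplained_ds(owner, dnskeys, logged_ds):
    """Logged DS entries for the child that match none of its published keys.
    A hit means the parent served a DS the child never authorized."""
    return [ds for ds in logged_ds if ds not in expected_ds(owner, dnskeys)]

# Constructed sample: one child KSK, one honest logged DS and one rogue one.
CHILD = "child.example."
CHILD_KEYS = [(257, 3, 8, b"\x03\x01\x00\x01" + b"\xab" * 32)]  # dummy key bytes
_good = dnskey_rdata(*CHILD_KEYS[0])
LOGGED = [
    (key_tag(_good), 8, 2, ds_digest(CHILD, _good)),  # backed by the child's key
    (12345, 8, 2, "00" * 32),                          # rogue: no child key explains it
]

if __name__ == "__main__":
    for ds in unexplained_ds(CHILD, CHILD_KEYS, LOGGED):
        print("DS not backed by any child DNSKEY:", ds)
```

A real deployment would fetch the DNSKEY RRset from the child's own authoritative servers (not via the parent) and run this over every DS the log ever recorded for that name, since a spoofed DS may be served only briefly.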
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans