> On Mar 20, 2017, at 6:43 PM, Wei Chuang <[email protected]> wrote:
> 
>>> No, this is because the parent can spoof any data for the child.
>>> It is unrelated to DNSSEC.
>> 
>> With qname minimization, the parent will first need to deny an NS
>> RRset for the child, and those DOE records are better candidates
>> for logging than routine non-NS queries.
> 
> Can you expand on how the DOE record (which I assume means
> denial-of-existence) could work with an adversarial parent?

Yes, DOE is denial of existence.  When the child sends NS queries
as part of qname minimization, a negative response (no NS records)
will include signed NSEC(3) records to that effect, signed by the
parent zone.  These are candidates for logging.

An insecure positive response will include NSEC(3) records proving
the non-existence of the DS RRset (possibly via the opt-out flag).
These can also be logged.

A secure positive response can also be logged, and the follow-up
query for any associated DS records will again either yield an
answer that can be logged, or DOE that can be logged.

The key question is how to avoid logging ridiculous volumes of
data that can DoS any log service and also disclose too much.

Hence the suggestion to consider using the PSL as a cut-off
mechanism.  One would also not log NXDOMAIN responses to NS,
which might allow parent domains to lie about non-existence,
but is surely necessary to guard against filling logs with
junk.

There are likely many issues this fails to consider, but I
think that's a reasonable starting point to explore further.

-- 
        Viktor.

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
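
Added example, not part of the original message: a sketch of the logging filter the message outlines. It assumes the PSL cut-off means "log only names at most one label below a public suffix"; Response, log_decision and the tiny PUBLIC_SUFFIXES set are hypothetical names and constructed data.

```python
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List (the real list is far larger).
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}

@dataclass
class Response:
    qname: str           # name queried during qname minimization
    qtype: str           # "NS", "DS", or any other type
    rcode: str           # "NOERROR" or "NXDOMAIN"
    has_answer: bool     # requested RRset (or referral NS set) is present
    signed_denial: bool  # validated NSEC/NSEC3 proof came with the response

def labels_below_suffix(qname):
    """Count labels below the longest matching public suffix (None if no match)."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        # Ascending i tries the longest candidate suffix first.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return i
    return None

def log_decision(r):
    """Return (should_log, reason) under the assumed policy."""
    if r.qtype not in ("NS", "DS"):
        return False, "routine non-NS query"
    if r.rcode == "NXDOMAIN":
        # Trade-off named in the message: a parent may lie here, but
        # logging these would let anyone fill the log with junk names.
        return False, "NXDOMAIN not logged"
    depth = labels_below_suffix(r.qname)
    if depth is None or depth > 1:
        return False, "outside PSL cut-off"
    if r.has_answer:
        return True, f"positive {r.qtype} response"
    if r.signed_denial:
        return True, f"signed denial of {r.qtype} RRset"
    return False, "unsigned negative response"

if __name__ == "__main__":
    # Constructed sample responses.
    for r in (Response("example.com", "NS", "NOERROR", False, True),
              Response("www.example.com", "NS", "NOERROR", False, True),
              Response("example.co.uk", "NS", "NXDOMAIN", False, True)):
        print(r.qname, r.qtype, r.rcode, "->", log_decision(r))
```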
