On Wed, 29 Mar 2017, Viktor Dukhovni wrote:
Why not create an explicit Non-existence of DS (NDS) RR that gets logged along with DS and NS?This is not needed, the NSEC/NSEC3 RRs already serve that role. For NSEC records (RFC4034), an unsigned delegation looks like: example.com. IN NS ns1.example.com. example.com. IN NSEC examplf.com NS example.com. IN RRSIG NSEC ... this proves that NS (or other depending on the content of the type bitmap of the NSEC record) records exist for example.com, but DS records do not.
I don't think so? Because this is the parental NS RRset for the child, which the parent does not sign. The NSEC only covers the existance of the DS record, not of the glue records. And those glue records can still be maliciously pointing elsewhere. Or the zone cut can be temporarilly removed at the parent to sign the child's TLSA record directly. You really need to find the NSEC(3) record that proves the parent has no DS record for the child zone, and really have to find and submit the TLSA record and RRSIG. That way the logs can tell who signed the DS and/or TLSA record. Checking the child APEX is of no use because the parent might be overriding the delegation briefly. Eg remove the DS record and/or NS records, publish a childzone TLSA record as "without a zone cut", and then restoring the DS/NS chain again. The only way out I see is to log the TLSA records, so you know which key signed it. If this is done, we clearly need a ratelimit and/or some method of finding conflicting overlapping-in-time records.
With NSEC3 (rfc5155), and the "opt-out" bit the situation can be more complex because the answer may not establish the existence of example.com. Instead we may get an existence proof for the closest encloser (ancestor domain) and proof that "example.com" is not signed, but no proof of its existence. This means that to avoid spam, a log might want to independently verify the existence of the insecure delegation by repeating the query, so as to avoid storing data for non-existent domains with the insecure NXDOMAIN modified to NOERROR with made up NS records.
Repeating the query is not a real solution, as the malicious parent could open a small time window for the attack and close it again. Clients really need to submit state their validation reached. This cannot include any unsigned state as that cannot be trusted itself, but should include the signatures proving the unsigned state. Paul _______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
