Discussion:
[Unbound-users] Delegation-only zones and non-root zone RFC 5011?
Viktor Dukhovni
2015-01-17 22:08:48 UTC
Permalink
It would be nice if unbound were able to enforce "delegation-only"
zones that contain only delegations and glue. This would be useful
for the root zone and various TLDs. Otherwise, such zones can
return apparently valid signed responses that should have been
delegated to a child zone, but for some reason were not.

This feature is of course not urgent, it would be more useful if
for various TLDs (and not just the root) it were feasible to "pin"
the DNSKEY RRs via RFC 5011, and/or "transparency" of some kind
were implemented for DNSSEC.

Still I think it would be useful to consider whether and when to
include such a feature. I may of course not have thought this
through properly, ...

Also, how would one configure unbound to use an auto-trust-anchor-file
via RFC 5011 for a given gTLD or ccTLD?
--
Viktor.
Florian Weimer
2015-01-17 23:28:55 UTC
Permalink
Post by Viktor Dukhovni
It would be nice if unbound were able to enforce "delegation-only"
zones that contain only delegations and glue. This would be useful
for the root zone and various TLDs. Otherwise, such zones can
return apparently valid signed responses that should have been
delegated to a child zone, but for some reason were not.
There are very few strictly-delegation-only zones, and zones change
there status over time, so this feature seems fairly risky. The ISC
recommendations for BIND make recursors subject to denial-of-service
attacks that prevent name resolution for entire TLDs.
Viktor Dukhovni
2015-01-18 18:15:52 UTC
Permalink
Post by Florian Weimer
Post by Viktor Dukhovni
It would be nice if unbound were able to enforce "delegation-only"
zones that contain only delegations and glue. This would be useful
for the root zone and various TLDs. Otherwise, such zones can
return apparently valid signed responses that should have been
delegated to a child zone, but for some reason were not.
There are very few strictly-delegation-only zones, and zones change
there status over time, so this feature seems fairly risky. The ISC
recommendations for BIND make recursors subject to denial-of-service
attacks that prevent name resolution for entire TLDs.
Is the root zone at least compatible with a "delegation-only" policy?
Can you be a bit more specific about the DoS?

I've certainly seen ccTLD zones that are not delegation-only, for
example "nic.li" is a CNAME for "switch.ch". That clearly is
neither a delegation nor glue, so "li" is not "delegation-only".

Without some constraints on which queries the root, gTLD and ccTLD
can choose to answer rather than delegate, it seems difficult to
make "transparency" work for DNSSEC. There is likely future work
to be done here...
Post by Florian Weimer
Also, how would one configure unbound to use an auto-trust-anchor-file
via RFC 5011 for a given gTLD or ccTLD?
Any comment on my second question? If one enables RFC 5011 tracking
for all the trust anchors one cares about, it is no longer necessary
to worry about delegation-only above those trust anchors.
--
Viktor.
Johan Ihrén
2015-01-19 09:47:02 UTC
Permalink
Hi,
Post by Viktor Dukhovni
Post by Florian Weimer
Post by Viktor Dukhovni
It would be nice if unbound were able to enforce "delegation-only"
zones that contain only delegations and glue. This would be useful
for the root zone and various TLDs. Otherwise, such zones can
return apparently valid signed responses that should have been
delegated to a child zone, but for some reason were not.
There are very few strictly-delegation-only zones, and zones change
there status over time, so this feature seems fairly risky. The ISC
recommendations for BIND make recursors subject to denial-of-service
attacks that prevent name resolution for entire TLDs.
Is the root zone at least compatible with a "delegation-only" policy?
Can you be a bit more specific about the DoS?
I've certainly seen ccTLD zones that are not delegation-only, for
example "nic.li" is a CNAME for "switch.ch". That clearly is
neither a delegation nor glue, so "li" is not "delegation-only".
To show an example of Florians point: once there were a bunch of TLDs that were technically "delegation-only" and another bunch which was not. ISC went ahead with the delegation-only thing together with a default config which claimed that at least one TLD of the latter kind was "delegation-only". With that code shipped to a large fraction of the BIND9 user base this TLD... felt the pain (as the story goes). In the end, realizing there was no way to get this fixed they realized that their only real alternative was to restructure the TLD to become "delegation only".

So utterly broken. So full of wrong. So not a responsible software design design.
Post by Viktor Dukhovni
Without some constraints on which queries the root, gTLD and ccTLD
can choose to answer rather than delegate, it seems difficult to
make "transparency" work for DNSSEC. There is likely future work
to be done here...
Well, while I agree that there is a choice to be made of whether to return an answer or a referral I will have to say that I think that choice belongs in the authoritative end, not in the recursor.
Post by Viktor Dukhovni
Post by Florian Weimer
Also, how would one configure unbound to use an auto-trust-anchor-file
via RFC 5011 for a given gTLD or ccTLD?
Any comment on my second question? If one enables RFC 5011 tracking
for all the trust anchors one cares about, it is no longer necessary
to worry about delegation-only above those trust anchors.
Not necessary for whom to worry? For the admin of that particular instance of a recursive server or for the owner of some zone the structure of which is suddenly not quite under their control because someone somewhere said that zone FOO should be delegation-only.

All of DNS is based on a few fundamental principles, one of which is that the structure of the namespace is decided in the authoritative part. Incidentally, discussing this with various ISC folks over the years it is clear that they agree and that the delegation-only option is just plain wrong. The only reason that this piece of wrong ever made it into BIND9 was as a defense against the Verisign lets-put-a-wildcard-in-com-and-net party trick many years ago.

The problem with putting something wrong into BIND9, even if it was for a good cause, is that it gets used by vast numbers of people and then it can never ever be taken out again.

So here we are, almost ten years down the line, no wildcards in .COM or .NET (or elsewhere that matters) but were stuck with the delegation-only option in BIND9 forever. To add the same wrongness into Unbound at this point seems to me to be a really... avoidable mistake.

Regards,

Johan
Tony Finch
2015-01-19 10:21:36 UTC
Permalink
Post by Viktor Dukhovni
Post by Florian Weimer
There are very few strictly-delegation-only zones, and zones change
there status over time, so this feature seems fairly risky. The ISC
recommendations for BIND make recursors subject to denial-of-service
attacks that prevent name resolution for entire TLDs.
I don't think turning on root-delegation-only has been recommended by the
ISC for years.
Post by Viktor Dukhovni
Post by Florian Weimer
Also, how would one configure unbound to use an auto-trust-anchor-file
via RFC 5011 for a given gTLD or ccTLD?
Any comment on my second question? If one enables RFC 5011 tracking
for all the trust anchors one cares about, it is no longer necessary
to worry about delegation-only above those trust anchors.
I don't know of any zones other than the root which promise to follow the
RFC 5011 key rollover timing requirements. (And even the root zone does it
wrong by not having a standby KSK.)

If you want to use RFC 5011 on a TLD you will have to inspect their
DNSSEC Practice Statement with care.

Tony.
--
f.anthony.n.finch <***@dotat.at> http://dotat.at/
Faeroes, Southeast Iceland: Variable 4 at first except in the west of
Southeast Iceland, otherwise southeasterly veering southerly 5 to 7,
increasing gale 8 for a time, occasionally severe gale 9 until later in
Southeast Iceland. Moderate or rough, becoming very rough or high. Rain or
wintry showers. Moderate or good, occasionally poor.
Viktor Dukhovni
2015-01-20 04:32:16 UTC
Permalink
Post by Tony Finch
Post by Viktor Dukhovni
Post by Viktor Dukhovni
Also, how would one configure unbound to use an auto-trust-anchor-file
via RFC 5011 for a given gTLD or ccTLD?
Any comment on my second question? If one enables RFC 5011 tracking
for all the trust anchors one cares about, it is no longer necessary
to worry about delegation-only above those trust anchors.
I don't know of any zones other than the root which promise to follow the
RFC 5011 key rollover timing requirements. (And even the root zone does it
wrong by not having a standby KSK.)
If you want to use RFC 5011 on a TLD you will have to inspect their
DNSSEC Practice Statement with care.
Yes of course, that makes sense. We're may not be quite there yet.
And yet at some point this may become more important, and so the
question is whether unbound is ready to support such non-root zones
if when they show up...

I can, for example, envision the ".de" TLD adopting such a policy,
and interested resolvers starting to track those keys per RC 5011,
thereby closing opportunities for the root zone keys to return
improper .de answers.
--
Viktor.
W.C.A. Wijngaards
2015-01-20 09:25:06 UTC
Permalink
Hi Viktor,
Post by Viktor Dukhovni
Post by Tony Finch
On Sat, Jan 17, 2015 at 10:08:48PM +0000, Viktor Dukhovni
Post by Viktor Dukhovni
Also, how would one configure unbound to use an
auto-trust-anchor-file via RFC 5011 for a given gTLD or
ccTLD?
$ dig mytld DNSKEY > mytld.key
# check if key is trustworthy
# add a line to unbound.conf:
auto-trust-anchor-file: "mytld.key"
Post by Viktor Dukhovni
Post by Tony Finch
Any comment on my second question? If one enables RFC 5011
tracking for all the trust anchors one cares about, it is no
longer necessary to worry about delegation-only above those
trust anchors.
I don't know of any zones other than the root which promise to
follow the RFC 5011 key rollover timing requirements. (And even
the root zone does it wrong by not having a standby KSK.)
If you want to use RFC 5011 on a TLD you will have to inspect
their DNSSEC Practice Statement with care.
Yes of course, that makes sense. We're may not be quite there
yet. And yet at some point this may become more important, and so
the question is whether unbound is ready to support such non-root
zones if when they show up...
You can add them into the config file with the auto-trust-anchor-file
statement. You can repeat this statement in the config file to add
more trust anchors.
Post by Viktor Dukhovni
I can, for example, envision the ".de" TLD adopting such a policy,
and interested resolvers starting to track those keys per RC 5011,
thereby closing opportunities for the root zone keys to return
improper .de answers.
If you have nested trust anchors, unbound uses the closest one by
preference (i.e. exactly what you say that you want).

Best regards,
Wouter
Florian Weimer
2015-01-20 19:35:04 UTC
Permalink
Post by Viktor Dukhovni
Post by Florian Weimer
Post by Viktor Dukhovni
It would be nice if unbound were able to enforce "delegation-only"
zones that contain only delegations and glue. This would be useful
for the root zone and various TLDs. Otherwise, such zones can
return apparently valid signed responses that should have been
delegated to a child zone, but for some reason were not.
There are very few strictly-delegation-only zones, and zones change
there status over time, so this feature seems fairly risky. The ISC
recommendations for BIND make recursors subject to denial-of-service
attacks that prevent name resolution for entire TLDs.
Is the root zone at least compatible with a "delegation-only" policy?
Can you be a bit more specific about the DoS?
A zone did not delegate its name servers. If you queried for their
addresses using a regular client, subsequent cache misses from the
zone would result in error responses because BIND could not find any
valid name servers anymore.

There's also the question of further protocol development which might
introduce additional authoritative records such as DNSKEY (but IIRC,
BIND only applies the filter to A/AAAA queries).

Continue reading on narkive:
Loading...