From sosain@microsoft.com Tue Jan 14 07:56:41 2014 Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0E0C1AE0EE for ; Tue, 14 Jan 2014 07:56:41 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NZGQxAPrBe3C for ; Tue, 14 Jan 2014 07:56:39 -0800 (PST) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0183.outbound.protection.outlook.com [207.46.163.183]) by ietfa.amsl.com (Postfix) with ESMTP id 79DA51AE037 for ; Tue, 14 Jan 2014 07:56:39 -0800 (PST) Received: from BLUPR03CA032.namprd03.prod.outlook.com (10.141.30.25) by BLUPR03MB183.namprd03.prod.outlook.com (10.255.212.149) with Microsoft SMTP Server (TLS) id 15.0.847.13; Tue, 14 Jan 2014 15:56:27 +0000 Received: from BL2FFO11FD012.protection.gbl (2a01:111:f400:7c09::102) by BLUPR03CA032.outlook.office365.com (2a01:111:e400:879::25) with Microsoft SMTP Server (TLS) id 15.0.842.7 via Frontend Transport; Tue, 14 Jan 2014 15:56:27 +0000 Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD012.mail.protection.outlook.com (10.173.161.18) with Microsoft SMTP Server (TLS) id 15.0.847.12 via Frontend Transport; Tue, 14 Jan 2014 15:56:27 +0000 Received: from SINEX14HUBC402.southpacific.corp.microsoft.com (157.60.220.216) by TK5EX14HUBC103.redmond.corp.microsoft.com (157.54.86.9) with Microsoft SMTP Server (TLS) id 14.3.158.2; Tue, 14 Jan 2014 15:55:49 +0000 Received: from SINEX14MBXC421.southpacific.corp.microsoft.com ([169.254.2.127]) by SINEX14HUBC402.southpacific.corp.microsoft.com ([157.60.220.216]) with mapi id 14.03.0174.001; Tue, 14 Jan 2014 15:55:47 +0000 From: Sourav Sain To: "dnsext@ietf.org Group" Thread-Topic: Order of a record and its RRSIG in response Thread-Index: Ac8RPiiq4F0L+tBjROuAGe8aof3IXA== Date: Tue, 14 Jan 2014 15:55:46 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.168.3.91] Content-Type: multipart/alternative; boundary="_000_F04702D34F7A2740A330302703120864385E0497SINEX14MBXC421s_" MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(679001)(779001)(689001)(164054003)(199002)(189002)(71186001)(79102001)(47976001)(77982001)(81542001)(69226001)(59766001)(20776003)(50986001)(33656001)(56816005)(6806004)(93136001)(65816001)(80022001)(77096001)(46102001)(49866001)(83072002)(47736001)(90146001)(4396001)(74502001)(83322001)(16796002)(44976005)(80976001)(74706001)(74876001)(55846006)(76482001)(76796001)(76176001)(56776001)(54356001)(53806001)(85306002)(92566001)(76786001)(74662001)(31966008)(19300405004)(81686001)(81816001)(54316002)(16236675002)(2656002)(51856001)(85852003)(63696002)(47446002)(19580395003)(81342001)(15202345003)(87266001)(74366001)(15975445006)(84326002)(92726001)(87936001)(512954002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR03MB183; H:mail.microsoft.com; CLIP:131.107.125.37; FPR:; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en; X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY) X-Forefront-PRVS: 0091C8F1EB X-OriginatorOrg: microsoft.com X-Mailman-Approved-At: Tue, 14 Jan 2014 08:15:39 -0800 Subject: [dnsext] Order of a record and its RRSIG in response X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 15:56:41 -0000 --_000_F04702D34F7A2740A330302703120864385E0497SINEX14MBXC421s_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi RFC 4035, section 3.1.1, mentions when a security-aware authoritative Name = Server should include RRSIG records in response while placing a signed RRSE= T in a section in response. Is there any clarification on the order in which a signed record and its as= sociated RRSIG are to be included in a section. For example when including = an A record and its RRSIG, is it that the name Server will always place the= A record first followed by its RRSIG in response or can it be RRSIG of A r= ecord followed by the A record as well? Going further, if, for example, a query comes for a.example.com type ALL an= d there are A and AAAA records for a.example.com in the zone, is there an e= xpected order in which the authoritative name server will include the 4 rec= ords (A, RRSIG(A), AAAA, RRSIG(AAAA)) in response's answer section? Is ther= e any guidance around this. Thanks, Sourav Sain --_000_F04702D34F7A2740A330302703120864385E0497SINEX14MBXC421s_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi

 

RFC 4035, section 3.1.1, mentions when a security-aw= are authoritative Name Server should include RRSIG records in response whil= e placing a signed RRSET in a section in response.

 

Is there any clarification on the order in which a s= igned record and its associated RRSIG are to be included in a section. For = example when including an A record and its RRSIG, is it that the name Serve= r will always place the A record first followed by its RRSIG in response or can it be RRSIG of A record followed = by the A record as well?

 

Going further, if, for example, a query comes for a.= example.com type ALL and there are A and AAAA records for a.example.com in = the zone, is there an expected order in which the authoritative name server= will include the 4 records (A, RRSIG(A), AAAA, RRSIG(AAAA)) in response’s answer section? Is there any guidan= ce around this.

 

Thanks,

Sourav Sain

 

--_000_F04702D34F7A2740A330302703120864385E0497SINEX14MBXC421s_-- From tale@dd.org Tue Jan 14 08:23:14 2014 Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D35FE1AE17F for ; Tue, 14 Jan 2014 08:23:14 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.261 X-Spam-Level: X-Spam-Status: No, score=0.261 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S4nSqo4j4--9 for ; Tue, 14 Jan 2014 08:23:13 -0800 (PST) Received: from gro.dd.org (gro.dd.org [209.198.103.200]) by ietfa.amsl.com (Postfix) with ESMTP id F0E611AE16F for ; Tue, 14 Jan 2014 08:23:12 -0800 (PST) Received: by gro.dd.org (Postfix, from userid 102) id 9B1FE3F468; Tue, 14 Jan 2014 11:22:53 -0500 (EST) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <21205.25693.540345.547480@gro.dd.org> Date: Tue, 14 Jan 2014 11:22:53 -0500 From: Dave Lawrence To: "dnsext@ietf.org Group" In-Reply-To: References: Subject: Re: [dnsext] Order of a record and its RRSIG in response X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 16:23:15 -0000 Sourav Sain writes: > Is there any clarification on the order in which a signed record and > its associated RRSIG are to be included in a section. All RRs in a section are unordered. You cannot even expect that two RRs belonging to the same RRset are necessarily adjacent (though admittedly normally a server programmer would have to go out of his way to make that happen). In practice generally records of an RRSet are grouped and RRSIGs follow the type that they cover, but whether they immediately follow their corresponding RRset or all come at the end varies by server software. From Marc.Buijsman@os3.nl Thu Jan 16 06:45:37 2014 Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1EEE1AE0E5 for ; Thu, 16 Jan 2014 06:45:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.556 X-Spam-Level: * X-Spam-Status: No, score=1.556 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RP_MATCHES_RCVD=-0.538] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3u7g-zK86yoI for ; Thu, 16 Jan 2014 06:45:36 -0800 (PST) Received: from mail.serv.os3.nl (mail.serv.os3.nl [IPv6:2001:610:158:960::25]) by ietfa.amsl.com (Postfix) with ESMTP id E5A321AE0D7 for ; Thu, 16 Jan 2014 06:45:35 -0800 (PST) Received: from smtp.os3.nl (smtp.os3.nl [IPv6:2001:610:158:960::119]) by mail.serv.os3.nl (Postfix) with ESMTP id E755217BADF; Thu, 16 Jan 2014 15:45:22 +0100 (CET) Received: from [192.168.1.13] (178-84-162-64.dynamic.upc.nl [178.84.162.64]) by smtp.os3.nl (Postfix) with ESMTPSA id ABEC117BA17; Thu, 16 Jan 2014 15:45:22 +0100 (CET) Message-ID: <52D7F085.5010209@os3.nl> Date: Thu, 16 Jan 2014 15:45:25 +0100 From: Marc Buijsman User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: dnsext@ietf.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 16 Jan 2014 06:55:21 -0800 Cc: Jeroen van der Ham Subject: [dnsext] CGA-TSIG research report X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Jan 2014 14:48:52 -0000 Dear working group members, For my master's thesis I have performed an investigation at NLnet Labs on CGA-TSIG as a solution to the last mile problem of DNS. The version of the CGA-TSIG proposal that I reviewed is the current latest version at http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig-06. During the course of my research I have already had some contact with Ms. Rafiee. In order to do a verification of the CGA-TSIG proposal I have created a proof of concept implementation in NLnet Labs' "ldns" library. Since the scope of the project was limited to the last mile problem it only includes the code required for this purpose, but the implementation could easily be extended to support other applications (like zone transfers). I have found that CGA-TSIG has potential to be an adequate solution to the last mile problem on IPv6 networks, although some future research is needed with regard to bootstrapping the authentication. As a result, I would hereby like to refer you to my report which can be found at http://www.nlnetlabs.nl/downloads/publications/report-rp2-buijsman.pdf. I have outlined my results in section 4.2 which contains suggestions on how I believe the CGA-TSIG draft could be clarified and otherwise improved. I hope my suggestions will be adopted in the next version of the draft. The PoC code can be found in the online Git repository of NLnet Labs at http://git.nlnetlabs.nl/ldns/?h=cga-tsig. I hope my work will be helpful in standardising CGA-TSIG. Yours sincerely, Marc Buijsman From ajs@anvilwalrusden.com Fri Jan 24 18:12:12 2014 Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC2171A041E for ; Fri, 24 Jan 2014 18:12:12 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.141 X-Spam-Level: X-Spam-Status: No, score=-0.141 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JgJmdn6G-7af for ; Fri, 24 Jan 2014 18:12:11 -0800 (PST) Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) by ietfa.amsl.com (Postfix) with ESMTP id 044091A03E3 for ; Fri, 24 Jan 2014 18:12:10 -0800 (PST) Received: from mx1.yitter.info (unknown [64.150.193.2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id 3E4978A031 for ; Sat, 25 Jan 2014 02:12:09 +0000 (UTC) Date: Fri, 24 Jan 2014 21:12:05 -0500 From: Andrew Sullivan To: dnsext@ietf.org Message-ID: <20140125021204.GA2219@mx1.yitter.info> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Subject: [dnsext] [brian@innovationslab.net: [dns-dir] Heads up on a London BoF] X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Jan 2014 02:12:13 -0000 Dear colleagues, Please see Brian's note below. It will be important to get people with protocol expertise into this room. A ----- Forwarded message from Brian Haberman ----- Date: Fri, 24 Jan 2014 08:31:19 -0500 From: Brian Haberman To: IETF DNS Directorate Subject: [dns-dir] Heads up on a London BoF List-Id: IETF DNS directorate discussion list All, I have agreed to sponsor a BoF in London to look into adding confidentiality to DNS. The current description of the DNSE BoF is available at: http://trac.tools.ietf.org/bof/trac/wiki/WikiStart#Internet I want to encourage the DNS protocol experts to participate in the BoF. The primary focus will be on discussing whether there are existing ways to accomplish the goals described in the problem statement draft targeted for the DNSOP WG. If you have any questions, feel free to let me know. Regards, Brian _______________________________________________ dns-dir mailing list dns-dir@ietf.org https://www.ietf.org/mailman/listinfo/dns-dir ----- End forwarded message ----- -- Andrew Sullivan ajs@anvilwalrusden.com From ietf@rozanak.com Sat Jan 25 04:54:08 2014 Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C50311A02ED for ; Sat, 25 Jan 2014 04:54:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.835 X-Spam-Level: X-Spam-Status: No, score=-1.835 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_54=0.6, RP_MATCHES_RCVD=-0.535] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PK8VnD_qxoIi for ; Sat, 25 Jan 2014 04:54:05 -0800 (PST) Received: from mail.rozanak.com (mail.rozanak.com [IPv6:2a01:238:42ad:1500:aa19:4238:e48f:61cf]) by ietfa.amsl.com (Postfix) with ESMTP id 937CE1A02D0 for ; Sat, 25 Jan 2014 04:54:05 -0800 (PST) Received: from localhost (unknown [127.0.0.1]) by mail.rozanak.com (Postfix) with ESMTP id 8EBE223E2D48; Sat, 25 Jan 2014 12:54:02 +0000 (UTC) X-Virus-Scanned: amavisd-new at rozanak.com Received: from mail.rozanak.com ([127.0.0.1]) by localhost (mail.iknowlaws.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ORwIvvbiDvCZ; Sat, 25 Jan 2014 13:53:51 +0100 (CET) Received: from kopoli (g225190094.adsl.alicedsl.de [92.225.190.94]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.rozanak.com (Postfix) with ESMTPSA id D414A23E2B25; Sat, 25 Jan 2014 13:53:50 +0100 (CET) From: "Hosnieh Rafiee" To: "'Andrew Sullivan'" References: <20140125021204.GA2219@mx1.yitter.info> In-Reply-To: <20140125021204.GA2219@mx1.yitter.info> Date: Sat, 25 Jan 2014 13:53:49 +0100 Message-ID: <001501cf19cc$7e329260$7a97b720$@rozanak.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQI5dQCg59D8WfmDq02MG5s9OO+6aJnAq7Mg Content-Language: en-us Cc: brian@innovationslab.net, dnsext@ietf.org Subject: Re: [dnsext] [brian@innovationslab.net: [dns-dir] Heads up on a London BoF] X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Jan 2014 12:54:09 -0000 Hi, At least for IPv6, this is possible by using both asymetric and symetric encryption. One solution might be the use of CGA-TSIG (http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig ). I wrote a paper about it and called it CGA-TSIGe (e represents encryption) How? 1- Client asks for a public key of the server 2- Server answers with his own public key that is binded to his IP address 3- Client encrypt a session key using the public key of the server and also encrypt the whole message using this session key and also can generate a signature and sign the whole message. 4- server receive this message and decrypt the session key using his own private key and decrypt the whole message using this session key. I also evaluted the encryption and decryption using a public key cryptography. If the message size or the session key is small(less than 100 bytes) then the encryption is in microseconds. Security Analysis of this approach - Nobody can spoof the public key of the server since there is a binding between this public key and the server's IP address - It provides both data integrity and confidentiality Disadvantage - It only supports IPv6 since CGA or SSAS that is the main algorithm in this approach is supported by IPv6 Smile, Hosnieh P.S. I would need to update the draft and will do this soon. > -----Original Message----- > From: dnsext [mailto:dnsext-bounces@ietf.org] On Behalf Of Andrew Sullivan > Sent: Saturday, January 25, 2014 3:12 AM > To: dnsext@ietf.org > Subject: [dnsext] [brian@innovationslab.net: [dns-dir] Heads up on a London > BoF] > > Dear colleagues, > > Please see Brian's note below. It will be important to get people with protocol > expertise into this room. > > A > > ----- Forwarded message from Brian Haberman --- > -- > > Date: Fri, 24 Jan 2014 08:31:19 -0500 > From: Brian Haberman > To: IETF DNS Directorate > Subject: [dns-dir] Heads up on a London BoF > List-Id: IETF DNS directorate discussion list > > All, > I have agreed to sponsor a BoF in London to look into adding confidentiality > to DNS. The current description of the DNSE BoF is available at: > > http://trac.tools.ietf.org/bof/trac/wiki/WikiStart#Internet > > I want to encourage the DNS protocol experts to participate in the BoF. > The primary focus will be on discussing whether there are existing ways to > accomplish the goals described in the problem statement draft targeted for > the DNSOP WG. > > If you have any questions, feel free to let me know. > > Regards, > Brian > > > > > _______________________________________________ > dns-dir mailing list > dns-dir@ietf.org > https://www.ietf.org/mailman/listinfo/dns-dir > > > ----- End forwarded message ----- > > -- > Andrew Sullivan > ajs@anvilwalrusden.com > _______________________________________________ > dnsext mailing list > dnsext@ietf.org > https://www.ietf.org/mailman/listinfo/dnsext