[Cryptography] Certificates and PKI

[Paul Wouters]

On Wed, 24 Dec 2014, Viktor Dukhovni wrote:

>>> CT is more than just a mitigation against lack of name constraints.
>>> It's applicable to any kind of PKI.  DNSSEC is a kind of PKI.  CT should
>>> be applicable to DNSSEC.
>>
>> Ben limits CT transactions to recognized CAs to limit spam to the CA CT
>> registries. Could the DNS registrars be enlisted as intermediaries in a DNS
>> based CT registry to similarly limit spam?
>
> It seems rather easy, all log submissions of signed DS RRsets can
> be validated up to the root.

that does not provide any proof for a parent stealing an entry from your
domain:

example.com. IN NS ns1.yournameserver.com.
example.com. IN DS 1234 8 2 <blob>
www.example.com. IN A 1.2.3.4

While it does make sense to log DS, CDS and DNSKEYs, the real problem
lies in the fact that you don't "own" your domain and your parents
take-over is "legitimate" even if you don't agree with that. The log
can only log, the clients/monitors however have some really hard
decisions to make to distinguish domain ownership change versus hostile
take-over.

Additionally, DNS is supposed to work in a split-world, which will
trigger false positives to the logs unless you can inform the logs
of such split-view.

> If any registry or individual domain
> is spamming the log with fake delegations, this is easily detected
> and their ability to continue to participate may suffer.

Spamming can actually be simply reduced by refusing any DNSKEY/DS/CDS
that has an RRSIG lifetime shorter than about 1 day. Possibly also
rate limit the number of new delegations from any zone in time to
a reasonable maximum.

As I said, the A record hostile take over above is the real problem. We
don't want to start logging every DNS entry. But we would also not want
to track labels vs zone cuts. I'm not sure yet what the solution should
be.

Paul