Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DNSSEC policy. #869

Merged
merged 1 commit into from
Dec 15, 2022
Merged

DNSSEC policy. #869

merged 1 commit into from
Dec 15, 2022

Conversation

rthalley
Copy link
Owner

An idea for DNSSEC policy enforcement

jschlyter
jschlyter approved these changes Dec 13, 2022
View reviewed changes
Copy link
Contributor

@jschlyter jschlyter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this, very clean and easy to extend. It doesn't differs between MAY and NOT RECOMMENDED though, but one can create such a policy later if needed.

@rthalley
Copy link
Owner Author

Just a note that I will write documentation and otherwise polish things a bit more if we go in this direction.

@pspacek
Copy link
Collaborator

pspacek commented Dec 14, 2022

I like this too. Two notes:

  • It would be awesome if it could check other parameters, like RSA bitlength. I mean - 512-bit RSA is not good anymore, while 2048 bit is okay if you have to use it.
  • Maybe two-state result is not enough - some people in the past advocated for DONT_USE_AT_ALL/INSECURE_ONLY/OKAY_TO_USE states, where weak combinations of parameters (be it 512-bit RSA or SHA1) fall into category "INSECURE_ONLY" - if you do validation you can effectively get only INSECURE (if it passes validation) or BOGUS (if there is a problem).

The logic behind this is skipping validation is not doing any good, and that real threat is in saying "it's secure" when it's really not that much secure anymore.

Uh huh, that's a long post. Does it make any sense?

@rthalley
Copy link
Owner Author

Hmm, maybe I should I have the policy take the whole DNSKEY for the signing and validation check. Then you can subclass Policy and add length checks for RSA etc.

I didn't go for more complex states like "NOT RECOMMENDED" as I wanted to use this in the actual signing and validation code, and all it cares about is "should I or shouldn't I?" I suppose I could have had policy in the policy about how to deal with more complex recommendations, but it seemed just as easy to say "make another policy object if you want a different policy".

Aside: personally I don't like the concept of INSECURE_ONLY as an automatic response to inadequate crypto, as it is hiding the inadequacy from the zone owner. I'd rather that things failed hard in such a case, but had a manual workaround, like installing a "negative trust anchor".

@pspacek
Copy link
Collaborator

pspacek commented Dec 15, 2022

Taking in whole DNSKEY sounds reasonable! FTR I'm not sold to the INSECURE_ONLY idea, I just wanted to make sure it was considered.

@rthalley rthalley merged commit 16b55fd into master Dec 15, 2022
@rthalley rthalley deleted the dnssec-policy branch December 15, 2022 14:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jschlyter jschlyter jschlyter approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@rthalley @pspacek @jschlyter