-
Notifications
You must be signed in to change notification settings - Fork 65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create DNSSEC16 (Validate CDS) and DNSSEC17 (Validate CDNSKEY) #939
Conversation
e98c878
to
f215abd
Compare
* [WARNING] message if a CDS record does not match any | ||
DNSKEY in DNSKEY RRset (except for "delete" CDS). | ||
* [WARNING] message if a CDNSKEY record does not match any | ||
DNSKEY in DNSKEY RRset (except for "delete" CDNSKEY). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add test: [ERROR] if no CDS/CDNSKEY record matches any DNSKEY record.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There will be warning messages for every CDS and CDNSKEY record. That should be enough, shouldn't it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If a single key doesn't match, that's a warning, but if no key matches the parent will not update. So that is an error.
* [WARNING] message if CDS RRset is signed by a key in the DNSKEY RRset | ||
but not with one that has signed the DNSKEY RRset. | ||
* [WARNING] message if CDNSKEY RRset is signed by a key in the DNSKEY | ||
RRset but not with one that has signed the DNSKEY RRset. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually RFC7344 says "MUST be signed with a key that is represented in both the current DNSKEY and DS RRsets,"
But that only applies if a DS set exists.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will update.
* [WARNING] message if a CDS record does not match any | ||
DNSKEY in DNSKEY RRset (except for "delete" CDS). | ||
* [WARNING] message if a CDNSKEY record does not match any | ||
DNSKEY in DNSKEY RRset (except for "delete" CDNSKEY). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If a single key doesn't match, that's a warning, but if no key matches the parent will not update. So that is an error.
* [WARNING] message if CDS RRset is signed by a key in the DNSKEY RRset | ||
but not with one that has signed the DNSKEY RRset. | ||
* [WARNING] message if CDNSKEY RRset is signed by a key in the DNSKEY | ||
RRset but not with one that has signed the DNSKEY RRset. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should drop the requirement. The test needs to be more complex
- if DS set exists ....
- If DS does not exist -> in this case the above tests apply.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this test case the DS records are not considered. That comes in DNSSEC17 (#941).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I found a bunch of spelling errors and minor things.
But I really like how you approach this, despite the sheer size of it.
* Adds explicit "Scope" headline * Updated text under new "Scope" * Editorial updates
* Merges table from "Outcome(s)" with summary into a new table. * Updates some message tags to make them more explicit. * Updates some set names to make them more explicit.
I merged the table in "Outcome(s)" into the summary to make it more comprehensible on suggestion by @mattias-p. Some message tags and sets have been renamed. Also old methods are used, not MethodsNT. @mattias-p, @ulrichwisser, @vlevigneron and @romu42, please rereview! |
@sandoche2k, I have updated the format and introduced a summary section. It replaces the table in "Outcome(s)". Can you review? |
*CDS Signed By Unknown DNSKEY* set. | ||
2. Else, if the RRSIG cannot be validated by the DNSKEY it | ||
refers to by key tag, then add the name server IP and RRSIG | ||
key tag to the *CDS Invalid RRSIG* set. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
6/7 must be done for CDS delete, too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is, but further down.
*CDNSKEY Signed By Unknown DNSKEY* set. | ||
2. Else, if the RRSIG cannot be validated by the DNSKEY it | ||
refers to by key tag, then add the name server IP and RRSIG | ||
key tag to the *CDNSKEY Invalid RRSIG* set. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above. 6/7 needs to be done for CDS delete, too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is, but further up.
|
||
10. If the *No DNSKEY RRset* set is non-empty, then output | ||
*[DS16_CDS_CDNSKEY_WITHOUT_DNSKEY]* with all name server IP addresses | ||
in the set. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Positive statement "if all DNSKEY RRsets are empty ....". Much easier to understand
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The No DNSKEY RRset set is defined as a set of IP addresses.
@romu42, @mattias-p, @ulrichwisser and @vlevigneron, DNSSEC16 was too large. It has now been split up into two test cases, one for CDS and one for CDNSKEY. Please rereview. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have only looked at DNSSEC16.
|
||
4. Create the following empty sets: | ||
1. Name server IP address and associated CDS RRset and its RRSIG | ||
records ("CDS RRsets"). RRSIG records may be absent. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Optional sets is a new concept, IIRC. Would you consider representing this with an empty set instead? That should be operationally equivalent, but it would make the test cases more consistent in the way they're constructed.
There's another one like this below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is only the RRsig records that can be absent. They are, if present, connected to the CDS RRset. I think it is better to keep them in the same set as the CDS RRset.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. My suggestion is to make it so that the RRSIG RRset is required, but that it may be empty. That way you only have one kind of absence to think about when you consider the state space that can be represented within the defined data structures. Having a smaller state space makes to consider makes the steps below easier to understand.
As authors of the test specifications we may know that the steps don't make use of the possibility for the RRSIG RRset to be present but empty. But for someone working through the test case who doesn't understand it yet, this distinction is another thing to keep in mind. And AFAICT for on good reason.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I honestly think that "absent" is better, but I have used empty in other specifications. It is clear, in a DNS context, what an absent RRSIG record is, but it is not defined what an empty set of RRSIG records is, and we have not defined it.
Another thing is that we cannot refer to RRSIG RRset.
I will do the change, with some hesitation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, that's interesting! You're thinking of an RRset as something different than a set of records of the same record type? Is there a meaningful distinction?
In any case the empty set is a very simple yet powerful idea that makes many things easier.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An RRset is a group of DNS records that share owner name, class and RR type. All members of a RRset share two features:
- If one member of the RRset is present in the answer section, then all members must be present, or else the packet must set as truncated.
- All members of the RRset must have the same TTL.
Neither of those two features apply to RRSIGs with the same owner name and class.
- A RRSIG RR always has the same TTL as the RRset it signs, but not necessarily the same TTL as other RRSIGs. The RRSIGs of SOA, NS and DNSKEY RRsets can have different TTLs.
- A RRSIG RR usually follows the RRset it signs. In a reply to a DNSSEC enabled SOA query, the answer section will containt the SOA record and the RRSIG for that, but not the RRSIG for the DNSKEY RRset.
RRSIGs are special. They are more of an extension of the RRset it signs than a RR of its own.
2. Else, add the name server IP address to the *Delete CDS* | ||
set. | ||
3. Go to next name server IP. | ||
3. Get the DNSKEY and its RRSIG records, if any, from the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the meaning of this "if any" clause again? Does it mean any DNSKEY and RRSIG records, or any RRSIG records for this DNSKEY since that set may be absent? Could it be present but empty? Anyway, what happens if the "if any" clause is false?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are the following possibilities:
- There is no key for the name server IP, and obviously no records.
- There is a key for the name server IP and at least one DNSKEY record but no RRSIG records.
- There is a key for the name server IP, at least one DNSKEY record and at least one RRSIG record.
If there are any RRSIG, then it is always over the DNSKEY RRset.
If there is no DNSKEY RRset, then we follow the next instruction "If there are no DNSKEY records, then do".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, so "if any" isn't about control flow. It's only there to let the reader know that they shouldn't worry even if there is no RRSIG RRset associated with the name server IP. Right?
How do you feel about this wording?
Get the DNSKEY and its RRSIG records from the *DNSKEY RRsets* for the same name server IP. The set of RRSIG records may be empty.
To me that would be much better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is ok. I have done change.
11. If the *No Match CDS With DNSKEY* set is non-empty then for each | ||
key tag in the set output *[DS16_CDS_MATCHES_NO_DNSKEY]* with the | ||
CDS key tag and the name server IP addresses in the set per key | ||
tag. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This could be simplified without changing the behavior, right? It'd be shorter, less complex and easier to parse.
If the *No Match CDS With DNSKEY* set is non-empty then for each key tag in the set output
->
For each key tag in the *No Match CDS With DNSKEY* output
Also, first it talks about "the key tag", then "the CDS key tag" and then "the key tag" again. Those three are all the same key tag, right?
What's going on with the tag arguments? It looks pretty complicated. Is the problem that you add them per name server IP but here you want to get them per key tag?
This goes for steps 12 and 15 as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is complicated, or at least I have given room for complicated situations. If different server return different CDS records (different key tags) and none of them match DNSKEY record, the the message is to be outputted once for each CDS record (key tag) with a list of the servers that it was found on.
I will rewrite in smaller steps.
@mattias-p, I applied your comments in the same way on both DNSSEC16 and DNSSEC17. |
1. Name server IP address and associated CDS RRset and its RRSIG | ||
records ("CDS RRsets"). RRSIG records may be absent. | ||
2. Name server IP address and associated DNSKEY RRset and its | ||
RRsig records ("DNSKEY RRsets"). RRSIG records may be absent. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RRsig
-> RRSIG
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will fix.
@@ -0,0 +1,225 @@ | |||
# DNSSEC16: Validate CDNSKEY |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
DNSSEC16
-> DNSSEC17
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will fix.
|
||
## Objective | ||
|
||
CDS and CDNSKEY record types are defined in [RFC 7344] and [RFC 8078]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we really be speaking of CDNSKEY in the objective section of DNSSEC16? It makes sense to mention it in the scope section. But having it in the Objective section makes it look like this test case also concerns itself with CDNSKEY.
And conversely in DNSSEC17.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it is. They are very connected. It says "The objective of this test case is to verify that the CDS RRset is valid" and "For tests of the CDNSKEY, see test case [DNSSEC17]".
|
||
4. Create the following empty sets: | ||
1. Name server IP address and associated CDS RRset and its RRSIG | ||
records ("CDS RRsets"). RRSIG records may be absent. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. My suggestion is to make it so that the RRSIG RRset is required, but that it may be empty. That way you only have one kind of absence to think about when you consider the state space that can be represented within the defined data structures. Having a smaller state space makes to consider makes the steps below easier to understand.
As authors of the test specifications we may know that the steps don't make use of the possibility for the RRSIG RRset to be present but empty. But for someone working through the test case who doesn't understand it yet, this distinction is another thing to keep in mind. And AFAICT for on good reason.
2. Else, add the name server IP address to the *Delete CDS* | ||
set. | ||
3. Go to next name server IP. | ||
3. Get the DNSKEY and its RRSIG records, if any, from the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, so "if any" isn't about control flow. It's only there to let the reader know that they shouldn't worry even if there is no RRSIG RRset associated with the name server IP. Right?
How do you feel about this wording?
Get the DNSKEY and its RRSIG records from the *DNSKEY RRsets* for the same name server IP. The set of RRSIG records may be empty.
To me that would be much better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a couple of questions. But as a test specification I think this is really good! I haven't checked it thoroughly against the RFCs though.
record in the answer section, then add the name server IP and | ||
the DNSKEY RRset from the answer section to the | ||
*DNSKEY RRsets* set. Also include any associated RRSIG | ||
records in the answer section. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in the answer section
-> from the answer section
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess both could do.
1. Compare the key tag from the CDS record with the calculated | ||
key tags for the DNSKEY records. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Potentially stupid question: Are the calculated key tags read from the DNSKEY records, or do we perform the calculation ourselves?
If we're doing it ourselves, maybe it should be promoted to a step of its own?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, the key tag is calculated from the DNSKEY RR. If you run this manually, dig
can provide it to you. ldns
provides a method to do it.
Let us save that possible change to the next iteration.
Now updated to create two test cases, DNSSEC16 for validating CDS and DNSSEC17 for validating CDNSKEY. Previously there was one test case for both.
Also see #938 (PR to create DNSSEC15), #941 (PR to create DNSSEC18 and New-Test-Cases-for-CDS-CDNSKEY (a temporary document).