Mailing List Archive

Question re prevention of enumeration with DNSSEC (NSEC3, etc.)
Hi NANOGers,

I have a small question re DNSSEC `proof of non-existence' records: NSEC,
NSEC3 and the (dead?) NSEC5 proposal.

<begin background (probably known to all/most):> NSEC3 was motivated as a
method to prevent Zone enumeration, then Berenstein showed its defense is
pretty weak. RFC7129 (White Lies) prevents this enumeration attack but
requires online signing with the zone's key, which introduces another
vulnerability and, of course, overhead of online-signing. NSEC5 was
proposed to prevent enumeration without online signing, so arguably more
secure than RFC7129, but has comparable online overhead and appears `dead';
the I-D expired (last update July'17).

Note that NSEC3 also supports `opt-out', which reduces overhead for
adoptions in domains with many non-adopting ASes, and I believe is not
supported by NSEC.
<end background>

Questions:
- Do you find zone enumeration a real concern?
- Do you think the white-lies countermeasure is sufficient and fine, or do
you have security and/or performance concern (or just think it's
pointless)?
- and the final question... would you think an alternative to NSEC5 which
will be more efficient and simpler would be of potential practical
importance, or just a nice academic `exercise'?

I'm really unsure about these questions - esp. the last one - and your
feedback may help me decide on the importance of this line of research.
Just fun or of possible practical importance?

thanks and peace, Amir
--
Amir Herzberg

Comcast professor of Security Innovations, Computer Science and
Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures:
https://sites.google.com/site/amirherzberg/applied-crypto-textbook
<https://sites.google.com/site/amirherzberg/applied-crypto-textbook>
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
On Fri, May 06, 2022 at 08:58:51PM -0400, Amir Herzberg wrote:
> Hi NANOGers,
>
> I have a small question re DNSSEC `proof of non-existence' records: NSEC,
> NSEC3 and the (dead?) NSEC5 proposal.
>
> <begin background (probably known to all/most):> NSEC3 was motivated as a
> method to prevent Zone enumeration, then Berenstein showed its defense is
> pretty weak. RFC7129 (White Lies) prevents this enumeration attack but
> requires online signing with the zone's key, which introduces another
> vulnerability and, of course, overhead of online-signing. NSEC5 was
> proposed to prevent enumeration without online signing, so arguably more
> secure than RFC7129, but has comparable online overhead and appears `dead';
> the I-D expired (last update July'17).
>
> Note that NSEC3 also supports `opt-out', which reduces overhead for
> adoptions in domains with many non-adopting ASes, and I believe is not
> supported by NSEC.
> <end background>
>
> Questions:
> - Do you find zone enumeration a real concern?

The answer to this would vary depending on who is asked, so it's not
clear how you would use such answers. It may be a concern to some, may
not be a concern to others.

If zone enumeration was not a real concern, NSEC3 would not
exist. However, public DNS is a public tree and so we should have
limited expectations for hiding names in it.

> - Do you think the white-lies countermeasure is sufficient and fine, or do
> you have security and/or performance concern (or just think it's
> pointless)?
> - and the final question... would you think an alternative to NSEC5 which
> will be more efficient and simpler would be of potential practical
> importance, or just a nice academic `exercise'?
>
> I'm really unsure about these questions - esp. the last one - and your
> feedback may help me decide on the importance of this line of research.
> Just fun or of possible practical importance?

These questions may be better posed to the dnsop@ietf.org and
dns-operations@dns-oarc.net mailing lists, as you'll get more relevant
answers from people who work in the DNS industry.

Mukund
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
On 07/05/2022 02:18, Mukund Sivaraman wrote:

> If zone enumeration was not a real concern, NSEC3 would not
> exist. However, public DNS is a public tree and so we should have
> limited expectations for hiding names in it.

A significant motivation was to help defend database copyright in the
zone content, rather than to explicitly hide particular entries.

With NSEC it was simply too easy for a third party to produce an
infringing copy of the registry's entire database.

Ray
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
I don’t think copyright can enter into it, by dint of the fact that registry data, being purely factual and publicly available, cannot be copyrighted.


On March 27, 1991, in a case that transformed the nascent online database publishing industry, the Supreme Court ruled unanimously that there is no copyright protection for purely factual products such as a telephone directory white pages.


The plaintiff in the case was Kansas Rural Telephone Service (KRTS) , and the defendant regional phone book producer Feist Publications Inc.. Feist asked KRTS, which published its own “white pages” for its subscribers in Kansas, to purchase the right to use its local listings in compiling its broader regional directory. KRTS refused, but Feist used the information anyway, copying at least 1,309 names, towns and telephone numbers of KRTS subscribers. KRTS then filed a copyright infringement suit.


A basic principle of copyright law is that facts themselves cannot be copyrighted because they are not "original works of authorship." However, compilations of facts can be copyrighted, under the 1976 copyright law, if they are "selected, coordinated or arranged in such a way that the resulting work as a whole constitutes an original work of authorship." An example of a compilation copyright is an anthology of fiction stories, collected on a single theme based on author, topic, or some other relationship. The compilation of just those stories creates a new “original work”, albeit one that the author would still need a license from the individual story authors to create. An example of a modern infringing idea of a composite work is a “mix tape” of songs, collected without the original authors’ permission


SCOTUS’ opinion, authored by Justice Sandra Day O'Connor, said telephone directories -- which do nothing more than list subscribers in alphabetical order -- do not meet that test. Feist thus did nothing wrong, and needed no permission, or license, from KRTS. Feist could simply copy records from the KPRS listings and use them without paying one red cent to KRTS.


"It is not only unoriginal, it is practically inevitable," the decision states. "This time-honored tradition does not possess the minimal creative spark required by the Copyright Act and the Constitution."


SCOTUS then said a number of lower courts were wrong when they decided compilations, such as geographical sorting or other works, were entitled to copyright protection by a "sweat of the brow" test, in which the amount of effort that went into gathering and arranging the data is substantial.


Originality, not effort, is the "touchstone of copyright protection," according to the decision, further stating that copyright "is not a tool by which a compilation author may keep others from using the facts or data he or she has collected."


So it is certain that domain registry records, which are purely factual and publicly available, cannot be copyrighted.


They lack “originality”.

-mel

On May 7, 2022, at 5:15 AM, Ray Bellis <ray@bellis.me.uk> wrote:

?

On 07/05/2022 02:18, Mukund Sivaraman wrote:

If zone enumeration was not a real concern, NSEC3 would not
exist. However, public DNS is a public tree and so we should have
limited expectations for hiding names in it.

A significant motivation was to help defend database copyright in the zone content, rather than to explicitly hide particular entries.

With NSEC it was simply too easy for a third party to produce an infringing copy of the registry's entire database.

Ray
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
* mel@beckman.org (Mel Beckman) [Sat 07 May 2022, 18:38 CEST]:
>I don’t think copyright can enter into it, by dint of the fact that
>registry data, being purely factual and publicly available, cannot
>be copyrighted.

I'm not a lawyer nor pretend to be one on the internet but
https://bitlaw.com/copyright/database.html provides some nuance
to that statement.


-- Niels.
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
Actually, that source quotes the Feist decision. The rest of the discussion makes it pretty clear that domain registries are not copyrightable.

“Thus, a database of unprotectable works (such as basic facts) is protected only as a compilation. Since the underlying data is not protected, U.S. copyright law does not prevent the extraction of unprotected data from an otherwise protectable database. In the example of a database of presidential quotations, it would therefore not be a violation of copyright law to extract (copy) a quotation from George Washington from the database. On the other hand, it would be violation to copy the entire database, as long as the database met the Feist<https://bitlaw.com/copyright/database.html#Feist> originality and creativity requirements.”

The key problem is that no domain registry meets the originality and creativity requirements set forth by SCOTUS in Feist.

I am not a lawyer either, but I have a lot of initials after my name, just like some lawyers that post on NANOG :)

-mel beckman, ABC, ACM, DEF, PFL, MEL, SEL, IFR, A&P, X&Y, QWERTY, ASDFG, NANOG,and St. Anthony’s Elementary School Diploma

On May 7, 2022, at 9:58 AM, Niels Bakker <niels=nanog@bakker.net> wrote:

?* mel@beckman.org (Mel Beckman) [Sat 07 May 2022, 18:38 CEST]:
I don’t think copyright can enter into it, by dint of the fact that registry data, being purely factual and publicly available, cannot be copyrighted.

I'm not a lawyer nor pretend to be one on the internet but https://bitlaw.com/copyright/database.html provides some nuance to that statement.


-- Niels.
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
For some reason NANOG is quoting my original reply in base64 encoding. I did not specify that on my end, so I’m not sure what is going on here.

-mel

> On May 7, 2022, at 12:08 PM, Mel Beckman <mel@beckman.org> wrote:
>
> ?--_000_D1647C55C4B34117851B3D01FD4CAC89beckmanorg_
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: base64
>
> QWN0dWFsbHksIHRoYXQgc291cmNlIHF1b3RlcyB0aGUgRmVpc3QgZGVjaXNpb24uIFRoZSByZXN0
> IG9mIHRoZSBkaXNjdXNzaW9uIG1ha2VzIGl0IHByZXR0eSBjbGVhciB0aGF0IGRvbWFpbiByZWdp
> c3RyaWVzIGFyZSBub3QgY29weXJpZ2h0YWJsZS4NCg0K4oCcVGh1cywgYSBkYXRhYmFzZSBvZiB1
> bnByb3RlY3RhYmxlIHdvcmtzIChzdWNoIGFzIGJhc2ljIGZhY3RzKSBpcyBwcm90ZWN0ZWQgb25s
> eSBhcyBhIGNvbXBpbGF0aW9uLiBTaW5jZSB0aGUgdW5kZXJseWluZyBkYXRhIGlzIG5vdCBwcm90
> ZWN0ZWQsIFUuUy4gY29weXJpZ2h0IGxhdyBkb2VzIG5vdCBwcmV2ZW50IHRoZSBleHRyYWN0aW9u
> IG9mIHVucHJvdGVjdGVkIGRhdGEgZnJvbSBhbiBvdGhlcndpc2UgcHJvdGVjdGFibGUgZGF0YWJh
> c2UuIEluIHRoZSBleGFtcGxlIG9mIGEgZGF0YWJhc2Ugb2YgcHJlc2lkZW50aWFsIHF1b3RhdGlv
> bnMsIGl0IHdvdWxkIHRoZXJlZm9yZSBub3QgYmUgYSB2aW9sYXRpb24gb2YgY29weXJpZ2h0IGxh
> dyB0byBleHRyYWN0IChjb3B5KSBhIHF1b3RhdGlvbiBmcm9tIEdlb3JnZSBXYXNoaW5ndG9uIGZy
> b20gdGhlIGRhdGFiYXNlLiBPbiB0aGUgb3RoZXIgaGFuZCwgaXQgd291bGQgYmUgdmlvbGF0aW9u
> IHRvIGNvcHkgdGhlIGVudGlyZSBkYXRhYmFzZSwgYXMgbG9uZyBhcyB0aGUgZGF0YWJhc2UgbWV0
> IHRoZSBGZWlzdDxodHRwczovL2JpdGxhdy5jb20vY29weXJpZ2h0L2RhdGFiYXNlLmh0bWwjRmVp
> c3Q+IG9yaWdpbmFsaXR5IGFuZCBjcmVhdGl2aXR5IHJlcXVpcmVtZW50cy7igJ0NCg0KVGhlIGtl
> eSBwcm9ibGVtIGlzIHRoYXQgbm8gZG9tYWluIHJlZ2lzdHJ5IG1lZXRzIHRoZSBvcmlnaW5hbGl0
> eSBhbmQgY3JlYXRpdml0eSByZXF1aXJlbWVudHMgc2V0IGZvcnRoIGJ5IFNDT1RVUyBpbiBGZWlz
> dC4NCg0KSSBhbSBub3QgYSBsYXd5ZXIgZWl0aGVyLCBidXQgSSBoYXZlIGEgbG90IG9mIGluaXRp
> YWxzIGFmdGVyIG15IG5hbWUsIGp1c3QgbGlrZSBzb21lIGxhd3llcnMgdGhhdCBwb3N0IG9uIE5B
> Tk9HIDopDQoNCiAtbWVsIGJlY2ttYW4sIEFCQywgQUNNLCBERUYsIFBGTCwgTUVMLCBTRUwsIElG
> UiwgQSZQLCBYJlksIFFXRVJUWSwgQVNERkcsIE5BTk9HLGFuZCBTdC4gQW50aG9ueeKAmXMgRWxl
> bWVudGFyeSBTY2hvb2wgRGlwbG9tYQ0KDQpPbiBNYXkgNywgMjAyMiwgYXQgOTo1OCBBTSwgTmll
> bHMgQmFra2VyIDxuaWVscz1uYW5vZ0BiYWtrZXIubmV0PiB3cm90ZToNCg0K77u/KiBtZWxAYmVj
> a21hbi5vcmcgKE1lbCBCZWNrbWFuKSBbU2F0IDA3IE1heSAyMDIyLCAxODozOCBDRVNUXToNCkkg
> ZG9u4oCZdCB0aGluayBjb3B5cmlnaHQgY2FuIGVudGVyIGludG8gaXQsIGJ5IGRpbnQgb2YgdGhl
> IGZhY3QgdGhhdCByZWdpc3RyeSBkYXRhLCBiZWluZyBwdXJlbHkgZmFjdHVhbCBhbmQgcHVibGlj
> bHkgYXZhaWxhYmxlLCBjYW5ub3QgYmUgY29weXJpZ2h0ZWQuDQoNCkknbSBub3QgYSBsYXd5ZXIg
> bm9yIHByZXRlbmQgdG8gYmUgb25lIG9uIHRoZSBpbnRlcm5ldCBidXQgaHR0cHM6Ly9iaXRsYXcu
> Y29tL2NvcHlyaWdodC9kYXRhYmFzZS5odG1sIHByb3ZpZGVzIHNvbWUgbnVhbmNlIHRvIHRoYXQg
> c3RhdGVtZW50Lg0KDQoNCiAgIC0tIE5pZWxzLg0K
>
> --_000_D1647C55C4B34117851B3D01FD4CAC89beckmanorg_
> Content-Type: text/html; charset="utf-8"
> Content-ID: <581BD3EFEBA32141BC633F11830431FF@beckman.org>
> Content-Transfer-Encoding: base64
>
> PGh0bWw+PGhlYWQ+DQo8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNvbnRlbnQ9InRl
> eHQvaHRtbDsgY2hhcnNldD11dGYtOCI+DQo8L2hlYWQ+DQo8Ym9keSBkaXI9ImF1dG8iPg0KQWN0
> dWFsbHksIHRoYXQgc291cmNlIHF1b3RlcyB0aGUgRmVpc3QgZGVjaXNpb24uIFRoZSByZXN0IG9m
> IHRoZSBkaXNjdXNzaW9uIG1ha2VzIGl0IHByZXR0eSBjbGVhciB0aGF0IGRvbWFpbiByZWdpc3Ry
> aWVzIGFyZSBub3QgY29weXJpZ2h0YWJsZS4mbmJzcDs8YnI+DQo8YnI+DQrigJw8c3BhbiBzdHls
> ZT0iY2FyZXQtY29sb3I6IHJnYig0MSwgNDEsIDQxKTsgY29sb3I6IHJnYig0MSwgNDEsIDQxKTsg
> Zm9udC1mYW1pbHk6ICZxdW90O09wZW4gU2FucyZxdW90Oywgc2Fucy1zZXJpZjsgZm9udC1zaXpl
> OiAxNXB4OyBiYWNrZ3JvdW5kLWNvbG9yOiByZ2IoMjU1LCAyNTUsIDI1NSk7Ij5UaHVzLCBhIGRh
> dGFiYXNlIG9mIHVucHJvdGVjdGFibGUgd29ya3MgKHN1Y2ggYXMgYmFzaWMgZmFjdHMpIGlzIHBy
> b3RlY3RlZCBvbmx5IGFzIGEgY29tcGlsYXRpb24uDQogU2luY2UgdGhlIHVuZGVybHlpbmcgZGF0
> YSBpcyBub3QgcHJvdGVjdGVkLCBVLlMuIGNvcHlyaWdodCBsYXcgZG9lcyBub3QgcHJldmVudCB0
> aGUgZXh0cmFjdGlvbiBvZiB1bnByb3RlY3RlZCBkYXRhIGZyb20gYW4gb3RoZXJ3aXNlIHByb3Rl
> Y3RhYmxlIGRhdGFiYXNlLiBJbiB0aGUgZXhhbXBsZSBvZiBhIGRhdGFiYXNlIG9mIHByZXNpZGVu
> dGlhbCBxdW90YXRpb25zLCBpdCB3b3VsZCB0aGVyZWZvcmUgbm90IGJlIGEgdmlvbGF0aW9uIG9m
> IGNvcHlyaWdodA0KIGxhdyB0byBleHRyYWN0IChjb3B5KSBhIHF1b3RhdGlvbiBmcm9tIEdlb3Jn
> ZSBXYXNoaW5ndG9uIGZyb20gdGhlIGRhdGFiYXNlLiBPbiB0aGUgb3RoZXIgaGFuZCwgaXQgd291
> bGQgYmUgdmlvbGF0aW9uIHRvIGNvcHkgdGhlIGVudGlyZSBkYXRhYmFzZSwgYXMgbG9uZyBhcyB0
> aGUgZGF0YWJhc2UgbWV0IHRoZSZuYnNwOzwvc3Bhbj48YSBocmVmPSJodHRwczovL2JpdGxhdy5j
> b20vY29weXJpZ2h0L2RhdGFiYXNlLmh0bWwjRmVpc3QiIHN0eWxlPSJib3gtc2l6aW5nOiBib3Jk
> ZXItYm94OyBtYXJnaW46IDBweDsgcGFkZGluZzogMHB4OyBib3JkZXI6IDBweDsgZm9udC1mYW1p
> bHk6ICZxdW90O09wZW4gU2FucyZxdW90Oywgc2Fucy1zZXJpZjsgZm9udC1zaXplOiAxNXB4OyBm
> b250LXN0cmV0Y2g6IGluaGVyaXQ7IGxpbmUtaGVpZ2h0OiBpbmhlcml0OyB2ZXJ0aWNhbC1hbGln
> bjogYmFzZWxpbmU7IGNvbG9yOiByZ2IoMzQsIDk0LCAxNTIpOyI+RmVpc3Q8L2E+PHNwYW4gc3R5
> bGU9ImNhcmV0LWNvbG9yOiByZ2IoNDEsIDQxLCA0MSk7IGNvbG9yOiByZ2IoNDEsIDQxLCA0MSk7
> IGZvbnQtZmFtaWx5OiAmcXVvdDtPcGVuIFNhbnMmcXVvdDssIHNhbnMtc2VyaWY7IGZvbnQtc2l6
> ZTogMTVweDsgYmFja2dyb3VuZC1jb2xvcjogcmdiKDI1NSwgMjU1LCAyNTUpOyI+Jm5ic3A7b3Jp
> Z2luYWxpdHkNCiBhbmQgY3JlYXRpdml0eSByZXF1aXJlbWVudHMuPC9zcGFuPuKAnQ0KPGRpdj48
> YnI+DQo8L2Rpdj4NCjxkaXY+VGhlIGtleSBwcm9ibGVtIGlzIHRoYXQgbm8gZG9tYWluIHJlZ2lz
> dHJ5IG1lZXRzIHRoZSBvcmlnaW5hbGl0eSBhbmQgY3JlYXRpdml0eSByZXF1aXJlbWVudHMgc2V0
> IGZvcnRoIGJ5IFNDT1RVUyBpbiBGZWlzdC4mbmJzcDs8YnI+DQo8ZGl2Pjxicj4NCjwvZGl2Pg0K
> PGRpdj5JIGFtIG5vdCBhIGxhd3llciBlaXRoZXIsIGJ1dCBJIGhhdmUgYSBsb3Qgb2YgaW5pdGlh
> bHMgYWZ0ZXIgbXkgbmFtZSwganVzdCBsaWtlIHNvbWUgbGF3eWVycyB0aGF0IHBvc3Qgb24gTkFO
> T0cgOik8L2Rpdj4NCjxkaXY+PGJyPg0KPGRpdiBkaXI9Imx0ciI+Jm5ic3A7LW1lbCBiZWNrbWFu
> LCBBQkMsIEFDTSwgREVGLCBQRkwsIE1FTCwgU0VMLCBJRlIsIEEmYW1wO1AsIFgmYW1wO1ksIFFX
> RVJUWSwgQVNERkcsIE5BTk9HLGFuZCBTdC4gQW50aG9ueeKAmXMgRWxlbWVudGFyeSBTY2hvb2wg
> RGlwbG9tYTwvZGl2Pg0KPGRpdiBkaXI9Imx0ciI+PGJyPg0KPGJsb2NrcXVvdGUgdHlwZT0iY2l0
> ZSI+T24gTWF5IDcsIDIwMjIsIGF0IDk6NTggQU0sIE5pZWxzIEJha2tlciAmbHQ7bmllbHM9bmFu
> b2dAYmFra2VyLm5ldCZndDsgd3JvdGU6PGJyPg0KPGJyPg0KPC9ibG9ja3F1b3RlPg0KPC9kaXY+
> DQo8YmxvY2txdW90ZSB0eXBlPSJjaXRlIj4NCjxkaXYgZGlyPSJsdHIiPu+7vzxzcGFuPiogbWVs
> QGJlY2ttYW4ub3JnIChNZWwgQmVja21hbikgW1NhdCAwNyBNYXkgMjAyMiwgMTg6MzggQ0VTVF06
> PC9zcGFuPjxicj4NCjxibG9ja3F1b3RlIHR5cGU9ImNpdGUiPjxzcGFuPkkgZG9u4oCZdCB0aGlu
> ayBjb3B5cmlnaHQgY2FuIGVudGVyIGludG8gaXQsIGJ5IGRpbnQgb2YgdGhlIGZhY3QgdGhhdCBy
> ZWdpc3RyeSBkYXRhLCBiZWluZyBwdXJlbHkgZmFjdHVhbCBhbmQgcHVibGljbHkgYXZhaWxhYmxl
> LCBjYW5ub3QgYmUgY29weXJpZ2h0ZWQuPC9zcGFuPjxicj4NCjwvYmxvY2txdW90ZT4NCjxzcGFu
> Pjwvc3Bhbj48YnI+DQo8c3Bhbj5JJ20gbm90IGEgbGF3eWVyIG5vciBwcmV0ZW5kIHRvIGJlIG9u
> ZSBvbiB0aGUgaW50ZXJuZXQgYnV0IGh0dHBzOi8vYml0bGF3LmNvbS9jb3B5cmlnaHQvZGF0YWJh
> c2UuaHRtbCBwcm92aWRlcyBzb21lIG51YW5jZSB0byB0aGF0IHN0YXRlbWVudC48L3NwYW4+PGJy
> Pg0KPHNwYW4+PC9zcGFuPjxicj4NCjxzcGFuPjwvc3Bhbj48YnI+DQo8c3Bhbj4mbmJzcDsgJm5i
> c3A7LS0gTmllbHMuPC9zcGFuPjxicj4NCjwvZGl2Pg0KPC9ibG9ja3F1b3RlPg0KPC9kaXY+DQo8
> L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4NCg==
>
> --_000_D1647C55C4B34117851B3D01FD4CAC89beckmanorg_--
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
> On 7 May 2022, at 17:37, Mel Beckman <mel@beckman.org> wrote:
>
> ? I don’t think copyright can enter into it, by dint of the fact that registry data, being purely factual and publicly available, cannot be copyrighted.
>
> On March 27, 1991, in a case that transformed the nascent online database publishing industry, the Supreme Court ruled unanimously that there is no copyright protection for purely factual products such as a telephone directory white pages.

I wasn’t talking about US law…

Ray
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
On Fri, May 06, 2022 at 9:18 PM, Mukund Sivaraman <muks@mukund.org> wrote:

> On Fri, May 06, 2022 at 08:58:51PM -0400, Amir Herzberg wrote:
>
> Hi NANOGers,
>
> I have a small question re DNSSEC `proof of non-existence' records: NSEC,
> NSEC3 and the (dead?) NSEC5 proposal.
>
> <begin background (probably known to all/most):> NSEC3 was motivated as a
> method to prevent Zone enumeration, then Berenstein showed its defense is
> pretty weak. RFC7129 (White Lies) prevents this enumeration attack but
> requires online signing with the zone's key, which introduces another
> vulnerability and, of course, overhead of online-signing. NSEC5 was
> proposed to prevent enumeration without online signing, so arguably more
> secure than RFC7129, but has comparable online overhead and appears `dead';
> the I-D expired (last update July'17).
>
> Note that NSEC3 also supports `opt-out', which reduces overhead for
> adoptions in domains with many non-adopting ASes, and I believe is not
> supported by NSEC.
> <end background>
>
> Questions:
> - Do you find zone enumeration a real concern?
>
> The answer to this would vary depending on who is asked, so it's not clear
> how you would use such answers. It may be a concern to some, may not be a
> concern to others.
>
> If zone enumeration was not a real concern, NSEC3 would not exist.
>


Ackchyually, that's only partly true — a significant amount of the driver
(some would say hte large majority) behind NSEC3 was that it supports
"opt-out". This was important in very large, delegation-centric zones (e.g
like .com), where the vast majority of delegations were initially not
signed. This allows just signing the signed delegation and the holes
between them, and not all of the unsigned delegations.

This was also before things like passive DNS services existed, etc., and
the "secrecy" of a zone was viewed more as an actual thing...

From RFC5155:
"A second problem is that the cost to cryptographically secure
delegations to unsigned zones is high, relative to the perceived
security benefit, in two cases: large, delegation-centric zones, and
zones where insecure delegations will be updated rapidly. In these
cases, the costs of maintaining the NSEC RR chain may be extremely
high and use of the "Opt-Out" convention may be more appropriate (for
these unsecured zones)."



However, public DNS is a public tree and so we should have limited
> expectations for hiding names in it.
>
> - Do you think the white-lies countermeasure is sufficient and fine, or do
> you have security and/or performance concern (or just think it's
> pointless)?
> - and the final question... would you think an alternative to NSEC5 which
> will be more efficient and simpler would be of potential practical
> importance, or just a nice academic `exercise'?
>
> I'm really unsure about these questions - esp. the last one - and your
> feedback may help me decide on the importance of this line of research.
> Just fun or of possible practical importance?
>
> These questions may be better posed to the dnsop@ietf.org and
> dns-operations@dns-oarc.net mailing lists, as you'll get more relevant
> answers from people who work in the DNS industry.
>


Yes, +1, etc.!

W



> Mukund
>
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
On 5/8/22 19:48, Warren Kumari wrote:
>> If zone enumeration was not a real concern, NSEC3 would not exist.
>
> Ackchyually, that's only partly true — a significant amount of the
> driver (some would say hte large majority) behind NSEC3 was that it
> supports "opt-out". This was important in very large, delegation-centric
> zones (e.g like .com), where the vast majority of delegations were
> initially not signed. This allows just signing the signed delegation and
> the holes between them, and not all of the unsigned delegations.

But, with op-out, there're some security concerns around... so TL;DR
generally you should avoid-it.

http://www.e-ontap.com/dns/entpoison.html
https://theory.stanford.edu/people/jcm/papers/dnssec_ndss10.pdf
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
It appears that Ray Bellis <ray@bellis.me.uk> said:
>> On March 27, 1991, in a case that transformed the nascent online database publishing industry, the Supreme Court ruled unanimously that there is no
>copyright protection for purely factual products such as a telephone directory white pages.
>
>I wasn’t talking about US law…

Is there any case law where someone has asserted a database right for a DNS zone?

It seems like a rather stupid thing to do. If someone asserted such a
right, I would make sure not to infringe it by ensuring no entries
from that database entered my DNS caches or other software.

Also, I see that in a decision last year the ECJ required "substantial
extraction" also caused "significant detriment" to the investment in
the database. I'm having trouble coming up with a scenario in which copying
even the entire thing would impair the investment unless they are going to
assert that the structure of the names somehow gave away secrets about their
business plans.

R's,
John
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
> Is there any case law where someone has asserted a database right for a DNS zone?

> It seems like a rather stupid thing to do. If someone asserted such a
> right, I would make sure not to infringe it by ensuring no entries
> from that database entered my DNS caches or other software.

It wasn’t the zone itself as such - the concern was use of enumerated zone data to then perform bulk collection of Whois data.

> Also, I see that in a decision last year the ECJ required "substantial
> extraction" also caused "significant detriment" to the investment in
> the database. I'm having trouble coming up with a scenario in which copying
> even the entire thing would impair the investment unless they are going to
> assert that the structure of the names somehow gave away secrets about their
> business plans.

The detriment was scammers sending fake domain renewal notices.

Also, this was 15 or so years ago now…

Ray
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
On 09/05/2022 00:10, Ray Bellis wrote:
>
>> Is there any case law where someone has asserted a database right for a DNS zone?
>
>> It seems like a rather stupid thing to do. If someone asserted such a
>> right, I would make sure not to infringe it by ensuring no entries
>> from that database entered my DNS caches or other software.
>
> It wasn’t the zone itself as such - the concern was use of enumerated zone data to then perform bulk collection of Whois data.
>
>> Also, I see that in a decision last year the ECJ required "substantial
>> extraction" also caused "significant detriment" to the investment in
>> the database. I'm having trouble coming up with a scenario in which copying
>> even the entire thing would impair the investment unless they are going to
>> assert that the structure of the names somehow gave away secrets about their
>> business plans.
>
> The detriment was scammers sending fake domain renewal notices.
>
> Also, this was 15 or so years ago now…

Many of the ccTLD registries used to be more open about publishing zones
and new registrations. Nominet, the .UK registry, took legal action
against a few operations that were scraping its WHOIS. The gTLDs also
had major issues with fake renewal notices.

https://www.pinsentmasons.com/out-law/news/nominet-wins-damages-in-data-mining-dispute

Around 2003, many of the ccTLD registries in Europe subsequently went
dark on publishing anything other than statistics. Many registrants, at
the time, were being hit with directory invoice scams rather than
renewal scams.

Outside the US, there has been an on-going shift to ccTLDs since about
2005. In many of these countries, the local ccTLD has more new
registations each month than new registrations in gTLDs like .COM/NET/ORG.

With the gTLDs, the domain renewal scams still exist but they are far
rarer now. The search engine submission scams seem to have taken over
but they are also dependent on old WHOIS data and a lot of them
disappeared in 2018 because of GDPR limiting WHOIS data. Some of the
European ccTLDs now publish their zones or lists of registations as the
legal framework has improved. Most no longer publish comprehensive WHOIS
data.

Regards...jmcc
--
**********************************************************
John McCormac * e-mail: jmcc@hosterstats.com
MC2 * web: http://www.hosterstats.com/
22 Viewmount * Domain Registrations Statistics
Waterford * Domnomics - the business of domain names
Ireland * https://amzn.to/2OPtEIO
IE * Skype: hosterstats.com
**********************************************************

--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
> Is there any case law where someone has asserted a database right for a DNS zone?

German law has something to goes somewhat near it, although closer to
a mandate rather than a right:
https://www.denic.de/en/faqs/faqs-for-domain-holders/#code-154


Rubens
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
Rubens Kuhl wrote:

>> Is there any case law where someone has asserted a database right for a DNS zone?
>
> German law has something to goes somewhat near it, although closer to
> a mandate rather than a right:
> https://www.denic.de/en/faqs/faqs-for-domain-holders/#code-154

Similar regulation also exists in Japan. However...

Considering that, with a detailed map of a town, one can enumerate
addresses of all the houses in the town and owner information
of the houses can be obtained from land registry office operated
by government (I know complications in US on such registry), such
regulation is not very meaningful.

As privacy breach is caused by not enumeration but registry,
there is little, if any, reason to avoid enumeration.

Moreover, because making ownership information of lands and
domain names publicly available promotes public well fair
and domain name owners approve publication of such
information in advance, there shouldn't be any concern
of privacy breach forbidden by local law of DE.

Masataka Ohta
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
It appears that Ray Bellis <ray@bellis.me.uk> said:
>
>> Is there any case law where someone has asserted a database right for a DNS zone?
>
>> It seems like a rather stupid thing to do. If someone asserted such a
>> right, I would make sure not to infringe it by ensuring no entries
>> from that database entered my DNS caches or other software.
>
>It wasn’t the zone itself as such - the concern was use of enumerated zone data to then perform bulk collection of Whois data.

It's perfectly reasonable to claim a database right in the WHOIS data,
but the offense is scraping WHOIS, not enumerating the DNS zone.

I could enumerate the DNS zone twice a day every day and so long as I stayed
away from WHOIS, nobody would notice or care.

R's,
John
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
> It's perfectly reasonable to claim a database right in the WHOIS data,
> but the offense is scraping WHOIS, not enumerating the DNS zone.
>
> I could enumerate the DNS zone twice a day every day and so long as I stayed
> away from WHOIS, nobody would notice or care.


The zone file could be seen as an accessory to the database rip-off.
For instance, it would be hard to see such a dependency on Alexa 1M
top domains, since they are already enumerated. But some spam actors
deliberately compared zone file editions to single out additions, and
then harass the owners of newly registered domains, both by e-mail and
phone.

A wrench can be a tool or a weapon, depending on how one uses it.


Rubens
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
It appears that Rubens Kuhl <rubensk@gmail.com> said:
>> It's perfectly reasonable to claim a database right in the WHOIS data,
>> but the offense is scraping WHOIS, not enumerating the DNS zone. ...

>The zone file could be seen as an accessory to the database rip-off.
>For instance, it would be hard to see such a dependency on Alexa 1M
>top domains, since they are already enumerated. But some spam actors
>deliberately compared zone file editions to single out additions, and
>then harass the owners of newly registered domains, both by e-mail and
>phone.

Yeah, I know, and some of us download and diff zone files every day to
see what's new to track abuse trends. That doesn't annoy anyone other
than perhaps people whose phish campaigns it might disrupt.

Once again, the issue is WHOIS scraping, not the DNS.

R's,
John
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
Rubens Kuhl wrote:

> But some spam actors
> deliberately compared zone file editions to single out additions, and
> then harass the owners of newly registered domains, both by e-mail and
> phone.

If that is a serious concern, stop whois.

> A wrench can be a tool or a weapon, depending on how one uses it.

The wrench is whois.

Masataka Ohta
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
As I wrote:

>> But some spam actors
>> deliberately compared zone file editions to single out additions, and
>> then harass the owners of newly registered domains, both by e-mail and
>> phone.
>
> If that is a serious concern, stop whois.

There are various ways, such as crawling the web, to enumerate
domain names.

For example, large companies such as google can obtain enumerated
list of all the current most active domains in the world, which
can, then, be used to access whois.

Hiding DNS zone information from public is beneficial to powerful
entities such as google.

As such

>> A wrench can be a tool or a weapon, depending on how one uses it.
>
> The wrench is whois.

However, something like trust banks may be able to hide
privacy of domain name owners if such entities can be regulated
properly for people who want some privacy.

                            Masataka Ohta
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
On 11/05/2022 13:31, Masataka Ohta wrote:
> As I wrote:
>
>>> But some spam actors
>>> deliberately compared zone file editions to single out additions, and
>>> then harass the owners of newly registered domains, both by e-mail and
>>> phone.
>>
>> If that is a serious concern, stop whois.
>
> There are various ways, such as crawling the web, to enumerate
> domain names.
>

That is not an efficient method. The gTLD zones are available on
approval from the registries via ICANN's CZDS. Many of the ccTLDs do not
provide such access.

> For example, large companies such as google can obtain enumerated
> list of all the current most active domains in the world, which
> can, then, be used to access whois.

What Google might obtain would be a list of domain names with websites.
The problem is that the web usage rate for TLDs varies with some ccTLDs
seeing a web usage rate of over 40% (40% of domain names having
developed websites) but some of the new gTLDs have web usage rates below
10%. Some of the ccTLDs have high web usage rates.

> Hiding DNS zone information from public is beneficial to powerful
> entities such as google.

In some respects, yes. But there is a problem with that because of all
the FUD about websites linking to "bad" websites that had been pushed in
the media a few years ago. That had an effect of websites no longer
linking to others. Any search engine that detected new websites by
following links was at a severe disadvantage. There are other methods of
detecting new websites but for those without Google's resources, it is a
lot more difficult without access to the zone files.

Another factor that is often missed is the renewal rate of domain names.
Some of the ccTLDs have very strong renewal rates of over 70% and the
.COM typically has a blended renewal rate of over 70%. A blended renewal
rate is the renewal rate for all registrations (first year and
multi-year). The first year renewal rates can vary considerably. Some of
the new gTLDs can see upwards of 80% of the zone deleted within a year.
The first year renewal rate varies considerably across ccTLDs and gTLDs
and from month to month. With heavily discounted new registrations, it
is not unusual to see over 90% of those discounted registations deleted
when they come up for renewal.

Access to WHOIS servers and the records that they return has changed
considerably since the infliction of GDPR in May 2018. Some gTLDs are
moving to RDAP and will throttle the number of requests by IP or limit
them to a maximum number of queries per minute. A lot of personal data
such as e-mail addresses, phone numbers and even postal addresses have
been removed from gTLD records because of the fear of GDPR. Some of the
European ccTLD registries simply don't return any personal information
for a WHOIS request. (deNIC is a good example.) Others allow registrants
to opt out of public WHOIS.

One of the largest "registrations as a service" gTLD registrars (it
helps resellers resell gTLD domain names without them having to become
ICANN accredited registrars) unilaterally decided to go dark on WHOIS
data a few years ago by removing registrant data.

The zones change. New domain names are registered and domain names are
deleted. For many TLDs, the old WHOIS model of registrant name, e-mail
and phone number no longer exists. And there are also WHOIS privacy
services which have obscured ownership.

Regards...jmcc
--
**********************************************************
John McCormac * e-mail: jmcc@hosterstats.com
MC2 * web: http://www.hosterstats.com/
22 Viewmount * Domain Registrations Statistics
Waterford * Domnomics - the business of domain names
Ireland * https://amzn.to/2OPtEIO
IE * Skype: hosterstats.com
**********************************************************

--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
On 5/6/22 5:58 PM, Amir Herzberg wrote:
> Hi NANOGers,
>
> Questions:
> - Do you find zone enumeration a real concern?

I have found that some people who are concerned about such things will have LetsEncrypt certs for
many of the same hosts they were worried about - which of course makes the DNS zone enumeration
issue moot - any CA-signed certs are already public these days.

Doesn't make the issue completely moot, but the reality is if you're exposing something to the
internet, there's plenty of ways for it to leak out, so best not to make it public to begin with.

Tangentially related today is the news that all your "private channel" names are actually completely
public on Discord[1], which was also true for Slack for many years, with their security folks
claiming its totally no problem that anyone can see you have a channel named
secret-jv-announcing-next-month-with-company-X.

Matt

[1] https://twitter.com/joshfraser/status/1524093111349166080
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
John McCormac wrote:

>> There are various ways, such as crawling the web, to enumerate
>> domain names.

> That is not an efficient method.

Not a problem for large companies or botnet. So, only
small legal players suffer from hiding zone information.

>> For example, large companies such as google can obtain enumerated
>> list of all the current most active domains in the world, which
>> can, then, be used to access whois.
>
> What Google might obtain would be a list of domain names with websites.
> The problem is that the web usage rate for TLDs varies with some ccTLDs
> seeing a web usage rate of over 40% (40% of domain names having
> developed websites) but some of the new gTLDs have web usage rates below
> 10%. Some of the ccTLDs have high web usage rates.

You misunderstand my statement. Domain names not offering
HTTP service can also be collected by web crawling.

>> Hiding DNS zone information from public is beneficial to powerful
>> entities such as google.
>
> In some respects, yes.

Google can also use gmail to collect domain names used by
sent or received e-mails.

> But there is a problem with that because of all
> the FUD about websites linking to "bad" websites that had been pushed in
> the media a few years ago.

Is your concern privacy of "bad" websites?

> Another factor that is often missed is the renewal rate of domain names.

That's not a problem related to enumeration of domain names.

> A lot of personal data
> such as e-mail addresses, phone numbers and even postal addresses have
> been removed from gTLD records because of the fear of GDPR.

As I have been saying, the problem, *if+ *any*, is whois. So?

> The zones change. New domain names are registered and domain names are
> deleted. For many TLDs, the old WHOIS model of registrant name, e-mail
> and phone number no longer exists. And there are also WHOIS privacy
> services which have obscured ownership.

As I wrote:

: Moreover, because making ownership information of lands and
: domain names publicly available promotes public well fair
: and domain name owners approve publication of such
: information in advance, there shouldn't be any concern
: of privacy breach forbidden by local law of DE.

that is not a healthy movement.

Masataka Ohta
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
On 12/05/2022 11:16, Masataka Ohta wrote:
> John McCormac wrote:
>
>>> There are various ways, such as crawling the web, to enumerate
>>> domain names.
>
>> That is not an efficient method.
>
> Not a problem for large companies or botnet. So, only
> small legal players suffer from hiding zone information.

Agree on the effects on smaller legal players.

A domain name does not always have to have a website. This means that
some domain names may have no presence on the Web unless they are
mentioned on a site or in e-mail. With the increased automation of
webhosting control panels, undeveloped domain names may be automatically
parked on the webhoster's or registrar's holding page.

> You misunderstand my statement. Domain names not offering
> HTTP service can also be collected by web crawling.

Perhaps if there are lists of new registrations published or the domain
names are reregistrations that had been previously deleted. Some might
be detected if they have reverse DNS set up for the domain name. DNS
traffic could be another source. Other than those cases, I am not sure
about web crawling detecting domain names without HTTP service.

> Google can also use gmail to collect domain names used by
> sent or received e-mails.

Or even Google Analytics but that may have legal issues over privacy.

>> But there is a problem with that because of all the FUD about websites
>> linking to "bad" websites that had been pushed in the media a few
>> years ago.
>
> Is your concern privacy of "bad" websites?

No. The problem for search engines and other crawlers that detect new
websites by crawling links from others are at a disadvantage because of
websites being less likely to link to others due to search engine
optimisation. The decline of web directories has also had an effect. It
becomes increasingly difficult for newer players without the resources
of Google or Microsoft to compete at detecting new websites, typically
ccTLD, when they have no inbound links from other websites.

>> Another factor that is often missed is the renewal rate of domain names.
>
> That's not a problem related to enumeration of domain names.

It is when millions of (gTLD and ccTLD) domain names per month are
deleted. Even after a run of enumerating domain names in a zone, some of
those domain names will have been deleted before the process is
completed. Enumerating domain names is very much a continual process
rather than a one-off process. The set of domain names in a zone is
rarely a static one. An enumerated zone is a snapshot of that zone at a
particular time. It becomes increasingly unreliable.

>> A lot of personal data such as e-mail addresses, phone numbers and
>> even postal addresses have been removed from gTLD records because of
>> the fear of GDPR.
>
> As I have been saying, the problem, *if+ *any*, is whois. So?

There are multiple issues. The redaction of WHOIS data has made dealing
with fradulent/malware/phishing sites more difficult. It can also cause
problems for registrants who have registered their domain name through a
reseller that has disappeared.

Spammers using WHOIS data from new registrations to target registrants
has declined somewhat since 2018. The redaction of data from the WHOIS
is not a one-size-fits-all solution. This is why ICANN is moving towards
RDAP and a more controlled access to registrant data.

>> The zones change. New domain names are registered and domain names are
>> deleted. For many TLDs, the old WHOIS model of registrant name, e-mail
>> and phone number no longer exists. And there are also WHOIS privacy
>> services which have obscured ownership.
>
> As I wrote:
>
> : Moreover, because making ownership information of lands and
> : domain names publicly available promotes public well fair
> : and domain name owners approve publication of such
> : information in advance, there shouldn't be any concern
> : of privacy breach forbidden by local law of DE.
>
> that is not a healthy movement.

There has been some discussion about using a Natural Person or Legal
Person field in gTLD WHOIS records with the Legal Person (effectively a
business or company) having more information published. There are
multiple jurisdictions and some have different protections for data.
Some registrars and registries allow registrants to publish ownership
details but others do not. With gTLDs, there is a central organisation
(ICANN). With ccTLDs, each ccTLD registry is almost unique (a few
registries also run IDN versions of ccTLDs in addition to their main
ccTLD) and subject to the local laws of its country. GDPR has caused a
lot of problems inside and outside of the EU.

Regards...jmcc
--
**********************************************************
John McCormac * e-mail: jmcc@hosterstats.com
MC2 * web: http://www.hosterstats.com/
22 Viewmount * Domain Registrations Statistics
Waterford * Domnomics - the business of domain names
Ireland * https://amzn.to/2OPtEIO
IE * Skype: hosterstats.com
**********************************************************

--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.) [ In reply to ]
11.05.22 15:31, Masataka Ohta ????:
> As I wrote:
>
>>> But some spam actors
>>> deliberately compared zone file editions to single out additions, and
>>> then harass the owners of newly registered domains, both by e-mail and
>>> phone.
>>
>> If that is a serious concern, stop whois.
>
> There are various ways, such as crawling the web, to enumerate
> domain names.

Come on, web is dying! People are moving to mobile applications!
So more and more domains do not need any web site by design.

1 2  View All