Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

Ben Schwartz <bemasc@meta.com> Wed, 11 October 2023 22:34 UTC

From: Ben Schwartz <bemasc@meta.com>
To: tirumal reddy <kondtir@gmail.com>, "add@ietf.org" <add@ietf.org>
Date: Wed, 11 Oct 2023 22:33:35 +0000
Message-ID: <BN8PR15MB32818870E42CB776F3A5F1DFB3CCA@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <169640714475.30083.4833419078785956639@ietfa.amsl.com> <CAFpG3ge7G=0f+sWGqL8ANWG+nd=e3ngf7CdbUfhpjQvRYaatbg@mail.gmail.com>
In-Reply-To: <CAFpG3ge7G=0f+sWGqL8ANWG+nd=e3ngf7CdbUfhpjQvRYaatbg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/5qWJnHwv-dlprWtf5fYYIpJc1so>

I guess "sig" is based on a security concern I raised about draft-jt-add-dns-server-redirection?  In that draft, an upstream injection attacker could poison the resolver's own SVCB record, allowing the attacker to make the client bypass their chosen resolver entirely, and instead use the attacker's resolver ~forever.  This is a kind of "scope expansion": a transient, injection-only attacker on one path can upgrade themselves into a permanent, read-write attacker on all paths.

RESINFO doesn't have this problem.  Yes, an upstream attacker could inject a RESINFO response, but only to the same extent that they could poison any other query in the cache.  (If the resolver is DNSSEC-validating, injection on resolver.arpa is impossible.)  I don't see a scope expansion attack here.

Operationally, "sig" seems distinctly inconvenient.  Any DNS server that sits behind a TLS terminator or CDN will have extreme difficulty implementing it.

I recommend removing "sig".

If upstream attackers are a concern, I would solve that by moving RESINFO into EDNS, which is not controlled by the authoritative server.  (EDNS could still be manipulated by an attacker between a forwarder and its upstream resolver ... but that attacker can already control the content of all responses, so they effectively are the resolver.  Also, if the resolver and forwarder are so tightly integrated that the resolver can sign RESINFO with the forwarder's TLS private key, why aren't they using a secure transport?)

--Ben Schwartz
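The message above argues that a forged RESINFO answer is bounded by ordinary cache poisoning: it can only mislead the client about the resolver's capabilities until the record expires, and it can never move the client to a different resolver. The following stub-client sketch is an added example written for this page; it is not code from the thread, the draft, or its authors. It assumes that RESINFO is a TXT RRset at resolver.arpa carrying RFC 6763 style key[=value] strings, that the keys qnamemin, exterr and infourl are representative (treat them as illustrative), and that the transport is a constructed stand-in for a real connection to the configured resolver.

```python
"""Added example: RESINFO used as TTL-bounded advisory data only.

Assumptions (not taken from the thread): RESINFO is a TXT RRset at
resolver.arpa with RFC 6763 style key[=value] strings; the key names
below are illustrative; `transport` stands in for a real resolver link.
"""
import time
from dataclasses import dataclass

RESINFO_QNAME = "resolver.arpa"


@dataclass(frozen=True)
class TxtAnswer:
    qname: str
    strings: tuple   # TXT character-strings exactly as received
    ttl: int
    ad: bool = False  # AD bit: set only by a DNSSEC-validating resolver


def parse_resinfo(strings):
    """Parse key[=value] TXT strings into a dict (RFC 6763 conventions).

    Keys are case-insensitive, the first occurrence of a key wins, and a
    key must be non-empty printable ASCII. Malformed input raises.
    """
    attrs = {}
    for s in strings:
        if not s:
            raise ValueError("empty TXT string in RESINFO")
        key, sep, value = s.partition("=")
        if not key or not all(0x20 <= ord(c) < 0x7F for c in key):
            raise ValueError(f"bad RESINFO key: {key!r}")
        key = key.lower()
        if key not in attrs:  # first occurrence wins
            attrs[key] = value if sep else None
    return attrs


class StubClient:
    """Talks only to its configured resolver.

    RESINFO may describe that resolver's capabilities; nothing in it can
    change which resolver the client sends queries to.
    """

    def __init__(self, configured_resolver, transport, clock=time.monotonic):
        self.configured_resolver = configured_resolver
        self._transport = transport  # callable(resolver, qname, qtype) -> TxtAnswer
        self._clock = clock
        self._info = None  # (attrs, validated, expiry) or None

    def resolver_info(self):
        """Return cached RESINFO attributes, refetching once the TTL expires."""
        now = self._clock()
        if self._info is None or now >= self._info[2]:
            ans = self._transport(self.configured_resolver, RESINFO_QNAME, "TXT")
            if ans.qname.lower().rstrip(".") != RESINFO_QNAME:
                raise ValueError("answer is not for resolver.arpa")
            self._info = (parse_resinfo(ans.strings), ans.ad, now + ans.ttl)
        return dict(self._info[0])

    def supports(self, capability):
        return capability in self.resolver_info()

    def resolver_for(self, qname):
        # Invariant: resolver selection never consults RESINFO.
        return self.configured_resolver


def demo():
    """Constructed scenario: a genuine RESINFO, then a forged one that is
    accepted as advisory data until its TTL runs out, then the genuine
    record again. The resolver in use never changes."""
    genuine = TxtAnswer(RESINFO_QNAME, ("qnamemin", "exterr=15,16,17",
                                        "infourl=https://resolver.example/info"), ttl=300, ad=True)
    forged = TxtAnswer(RESINFO_QNAME, ("qnamemin",
                                       "infourl=https://injected.example/"), ttl=60)
    answers = iter([genuine, forged, genuine])
    now = [1000.0]

    def transport(resolver, qname, qtype):
        return next(answers)  # constructed: returns the scripted answers in order

    client = StubClient("203.0.113.53", transport, clock=lambda: now[0])
    used = [client.resolver_for("www.example")]
    info1 = client.resolver_info()
    now[0] += 301  # genuine record expired; forged answer is what arrives next
    info2 = client.resolver_info()
    used.append(client.resolver_for("www.example"))
    now[0] += 61   # forged record expired; genuine record returns
    info3 = client.resolver_info()
    return {"resolvers_used": used, "info": [info1, info2, info3]}


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is the `resolver_for` invariant: a bogus RESINFO can change what `supports()` reports for at most one TTL, whereas a record that the client follows to choose its resolver would let a one-time injection persist across every later path. The `ad` flag is kept so a validating resolver's answer can be distinguished, matching the observation that DNSSEC validation closes the injection case for resolver.arpa.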
________________________________
From: Add <add-bounces@ietf.org> on behalf of tirumal reddy <kondtir@gmail.com>
Sent: Wednesday, October 11, 2023 3:30 AM
To: add@ietf.org <add@ietf.org>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

This revision, https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html, addresses comments from Martin on the "sig" attribute use. The authors consider it ready to advance the draft to the next stage.

-Tiru

On Wed, 4 Oct 2023 at 13:42, <internet-drafts@ietf.org> wrote:
Internet-Draft draft-ietf-add-resolver-info-06.txt is now available. It is a
work item of the Adaptive DNS Discovery (ADD) WG of the IETF.

   Title:   DNS Resolver Information
   Authors: Tirumaleswar Reddy
            Mohamed Boucadair
   Name:    draft-ietf-add-resolver-info-06.txt
   Pages:   10
   Dates:   2023-10-04

Abstract:

   This document specifies a method for DNS resolvers to publish
   information about themselves.  DNS clients can use the resolver
   information to identify the capabilities of DNS resolvers.  How such
   information is then used by DNS clients is out of the scope of the
   document.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-06

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


--
Add mailing list
Add@ietf.org
https://www.ietf.org/mailman/listinfo/add