IETF Logo Mail Archive

Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

Tommy Jensen <Jensen.Thomas@microsoft.com> Wed, 11 October 2023 22:48 UTC

Return-Path: <Jensen.Thomas@microsoft.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 995D6C151069 for <add@ietfa.amsl.com>; Wed, 11 Oct 2023 15:48:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AZbpKPf5mOpW for <add@ietfa.amsl.com>; Wed, 11 Oct 2023 15:48:17 -0700 (PDT)
Received: from BN3PR00CU001.outbound.protection.outlook.com (mail-eastus2azon11020003.outbound.protection.outlook.com [52.101.56.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 403FFC15107E for <add@ietf.org>; Wed, 11 Oct 2023 15:48:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=J6nvH5GFRdmykr9sEjZXtaLBjmd30KERLi0a4gmMTDbkW/PHCdSKtBvPw40kzPdoxpaN7wW4Ab3EmoX4FSICiFkTtbrUwIZafWTtZqkA5KyK5REY13bYGOOrvhQX8zHeeHEvFNpKXGs7jMb9pxraMlYL1SPEQ+jeeJbf0dKkXmw0GWkL/a1vElc4NXkxTG2iZ9T5/YJX7FMTmPJaYBUCyznsy8EW3sB3W+o3JZaCEWaC9cN8wRDy6BQwuW4WglzclENSCB8VRH6rlNIBPGcvJq4QeEgeLfJK1XUATmJlKQK/7HI2Dovf5LqxNNGfxODxppO2BYIQOVkEDxE4XUD8RQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=3fBhxxinBRQI5/6DZOsVxA+NdMt8ItCh30cbYdj6jSs=; b=TqZSK8cpdy7gamQMojA1WlyuBfOYqth0jXTyqoQsrmfsJ7uWoeaCkqZT8TjOsxOb1L/vV0HhOHjGrQh4QYm4FMsGAcDaHdWwBy77+axnSA0s86K2RGWTZJ448yuu+LLF0Tzt34hrWaNVAlc8CAFPC4zOrKN7rzMOm/S85LPaoFBgmkRHFcjOwG1Bztr6wCrJ48wRwbiQnBA4r9kqTZu9lj57H4StRMVHrTrwuYDqy27+VjI/2EwoA0npV+Ilw1iSPltiKuPMwhkBVmAip/F9xsYBTmhdErtejmhEMQAWfwzOEhViBKPTLTBxyXXYz9HrPvITs7Xd97YPXLJVrfU8cw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3fBhxxinBRQI5/6DZOsVxA+NdMt8ItCh30cbYdj6jSs=; b=TwuxITiUXWpJHqnBnVGCW2RDbQC8Q2cF3cKQbcLvjce/PJ1k7BVaGkxMvCbZKr+qyqPy6iupCshngPPMbsBYom66VphsUBo4NEjISS4AU5JlEi/o2sI2jF7w4Zsij1V9vrnAm1VeVZSSgZvrCWgQ4KTXtoqLNPXPWI0xAaNX1Zs=
Received: from DM6PR00MB0767.namprd00.prod.outlook.com (2603:10b6:5:1bc::8) by SN7PR00MB1650.namprd00.prod.outlook.com (2603:10b6:806:2a9::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6926.0; Wed, 11 Oct 2023 22:48:12 +0000
Received: from DM6PR00MB0767.namprd00.prod.outlook.com ([fe80::55c7:7922:e8de:be3]) by DM6PR00MB0767.namprd00.prod.outlook.com ([fe80::55c7:7922:e8de:be3%4]) with mapi id 15.20.6930.000; Wed, 11 Oct 2023 22:48:12 +0000
From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, tirumal reddy <kondtir@gmail.com>, "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
Thread-Index: AQHZ/JMOkQQ9DpSFkUWyiw8v8pCa4rBFLeWQ
Date: Wed, 11 Oct 2023 22:48:12 +0000
Message-ID: <DM6PR00MB076780F7E8CCDCB1C522E820FACCA@DM6PR00MB0767.namprd00.prod.outlook.com>
References: <169640714475.30083.4833419078785956639@ietfa.amsl.com> <CAFpG3ge7G=0f+sWGqL8ANWG+nd=e3ngf7CdbUfhpjQvRYaatbg@mail.gmail.com> <BN8PR15MB32818870E42CB776F3A5F1DFB3CCA@BN8PR15MB3281.namprd15.prod.outlook.com>
In-Reply-To: <BN8PR15MB32818870E42CB776F3A5F1DFB3CCA@BN8PR15MB3281.namprd15.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR00MB0767:EE_|SN7PR00MB1650:EE_
x-ms-office365-filtering-correlation-id: b37c67ad-d065-4693-a5df-08dbcaac263d
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: iaxRinOKd6vYZ8o3Gb511L5RquaooanGqwS4DYoKDKM0yIrUkS+yU4ETh3jnTEY0YKCRDmcUIB9/8LrlQRiw6GoT1m8rbuUSdDO0lTGtQm0fkeRhoW6OQ/9O0GCf6nv/VeScC0qUoLIVSinIrjvEPdRQ+cvLJjpDbCD49TEKtkhINI+gizVhXQOLBvSB9PCDD50NkM0D3Hq8xDxAw7qhx9t2TGl/eneCJbkgHljvhVzxMGQsH93jqYtxYBnDYq8MwD1aVNeYJRUgRmUaKZo34vqOr7wI3iw3A+uLVwnXMWzcYJgBZtWTB/a2VCk7QJ7obd4c++mIiCYNFAXKgDzxVoH6z0fmpE0MUhq6bqKQJtvlZjau1fhNHy8cfGXJrCSY3EF7ApoYKLQXSKT3KNgCZRuR23ScXcyd/Tw//ubfWF87XWYXO7YloRJdqyZrlCYwpI6nC6qmHDtPR7jdeio9+tr5CnorH4ugVt9arRyGVFFF4ApJUkmODf1bwz1yAnP9lG4iU49AhHxS2Ym5kLhZN7EgeBbkiRusDDot4Twv/lbsXv3DHHLgS//jmhNahfpQKUBUfUAwO+5IcNYtCgw1y0TLR7mxE6BUYfh956t5C2TRzv/G7r9WpzoE2M7QlIr741BmQBbNKfNEx5AK8KTxGfp7wUFdBOqsDqibF1rzjR3THA5GCRe5cjLaDJFAAgfy
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR00MB0767.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(396003)(346002)(39860400002)(366004)(136003)(376002)(230922051799003)(451199024)(186009)(1800799009)(64100799003)(110136005)(66446008)(66946007)(66476007)(66556008)(64756008)(76116006)(316002)(166002)(38070700005)(38100700002)(71200400001)(122000001)(82950400001)(82960400001)(53546011)(6506007)(10290500003)(7696005)(478600001)(966005)(86362001)(33656002)(2906002)(8990500004)(66574015)(83380400001)(9686003)(55016003)(8676002)(8936002)(5660300002)(52536014)(41300700001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ZxI5sse2o25LnBcEfrAwYS8mfV5fLLjCAzWr4QBTBRHPS0dLGIC7VosGQbpUR9iuvj/ZrXgyJQdTimIC0wd+bJ4LLdP+6SJQ/fnOm2ILHCwtHDFPgBHuQtQ3IOa3HL4kgTL8rEKKtENL7vikofKGiRTTNZAm+VSddsCV8YjnIyyY9XiE5aYooHRSeJTna3MC0XOx9oWUMoZmK0sw3t6nRqu8+Tg8NhkkE1JCsxvHSEMx3wySFnsLPOuUBZv5fBGHS7YH20AFeFOVR+jCZxroxTDa5nMgjABaWe99edIwnNY8AxZR45FwVK3vejGMz2B1jSFg+CXIcbZOtDlOVotb7JPSx0vPSKgK6ceH0efu4LtWdtnm+bjvf9/fPBz9yxVYx/acsGawOMogzVnsYDbNBqRRTKrCU56tNXFweOMBsmItBbIh7upU1FeRAYNNC+N3exWlFY7g4oL82TbuZs+S5TGgf+WEjj7FCgvB1doRFrtCPEKjyCf7jeIAH2xWr9wEH+TCWctgSYhzy9q+cGDrS+n7b6QgrlbFqo10uKb3NyBUadIviClpqlhvGn9R8lE1yVV7VgXtSHmrzSf3DGxffs9NsjeRo9YoZU+5pqujoFCspxxaga0EhcXy62Bv+fKQtW4ozAoyT5bs+D6rzcmBOgkbRKVgKroo2z5HVWSZyCUVBZm4I8gLF7pOH64Udxv2Mw8FFiX5vQL8FtHdF6bkGQZpWFPNHFcPmfJMB4VaaXuffgRS5cjxJFP11YqQECiBmONPIOYAjVoIJcrO+yr4R38PMDQ/it6truZi0hr7CYxbwibxkShZZczUH3CiIKM4O45MDL7tza3wlUKZ/g2GkOMPTwZhFH3RYj0LU+sL0lQqGv7Yd2v2tSHKkhWExlxZ0cQDoZNttScxKE2Bf1HIewEvePVa8zVnqyFcgKdVfS3HhZt9LgAh/yz2IW5/Nmfbk+iluYDxCck4BchVyKOnKdI8VAWKLtCS6M/68WuNtfOMTI6B0IvhBrODtfMWoLnARslln3JEDPE4a2PzpBYTfrhmZ4TQYYbPE5fpTt/E9RIAoUd/vkGFU70JAdo55raj9vlAyL1X+QmMMoyHNXBcJedutyFYOgFZFT7lukOtq+byds81mOeK9cgiEGDeYauhAfGdjLJKGjluTF6ymoY9wLmSXjuyK7AALyjapAWoNpZZCHLwwlgWZnE/0Rdjl5T/2Zsn+4lGLkajcMVmbjroVrQN26FK9nYY7m6J/G7hMv7RhCKn/3qc461lQO/C8HG7i6hh50vWybtX/CfgN2j0qzlaE7n5YQOGnV4Or79SWjMGP6I1rgXa6bPRwGHxovC6Kvr98uC0SL4PGvHYl3XVuvhkU+4R5RftlxF7wQqiOs5MIDvnPxxrnBYZGVi6dhIiknDNKMVkbno/A5tJhI+Dlms9jLVkj87K0kUPooVG6Da++tPu3Die6ceF2JPM16l+P5QcbNoe7tMoTxuBqOidZfUV+gz66FbMMD8eiHqUws2tkyDfzeP5Jr9fck25ajYToymYbncXGxKL2OyTauD3XRf8cugJQS3f/YOsRwT/elGU+Hlrna8ei13gg/jZhdOTey4Dn22knDjLvGbX+YQemSU4KaplvmxtKHJyFRWk+hDPojtIVnLZ2iWxniO4I1px
Content-Type: multipart/alternative; boundary="_000_DM6PR00MB076780F7E8CCDCB1C522E820FACCADM6PR00MB0767namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR00MB0767.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b37c67ad-d065-4693-a5df-08dbcaac263d
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Oct 2023 22:48:12.7699 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: upd0Xtx4dB3qggTO9P+GkxMJ6hH4NRzdcb7uDKMTcgJYrbXsEEbLZ3KKAMnPMQNiVLPwkQz9Rs7z704iOkxFWg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR00MB1650
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/6BfYdmP2Db59b8Wk8fel6JzsU7E>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Oct 2023 22:48:21 -0000

Hey Ben,

>(If the resolver is DNSSEC-validating, injection on resolver.arpa is impossible.)

I fail to see how this closes the issue. This means the stub’s security is dependent on the recursive’s feature set and behavior (just because the recursive supports DNSSEC doesn’t mean it’s strongly enforcing it). I don’t think we should assume the recursive supports DNSSEC the same way we cannot assume they support both DDR and this draft. When they support only DDR, not this draft, and do not strongly enforce DNSSEC, an upstream attack can tell the client whatever it wants when resolver.arpa is used to identify the resolver by this draft without some kind of client-side validation.

Per DDR’s threat model, the name of the resolver cannot be used because it is prone to during-DDR attack (the only trusted identity for the resolver in this case is its IP address).

> I don't see a scope expansion attack here.

Depends on client policy. If the client refuses to use servers that do not support qnamemin, for example, the attacker could influence resolver selection by lying about the resolver’s feature set. Admittedly, this isn’t as scary as “directly sends client to a malicious endpoint” like potential EDSR and DDR attacks could in older text.

Full disclosure: I raised this concern during shepherd review. If the WG can gain consensus that Tommy made this up, let’s hear it. I’m just worried about the lack of discussion volume here.

Thanks,
Tommy

From: Add <add-bounces@ietf.org> On Behalf Of Ben Schwartz
Sent: Wednesday, October 11, 2023 3:34 PM
To: tirumal reddy <kondtir@gmail.com>; add@ietf.org
Subject: [EXTERNAL] Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

I guess "sig" is based on a security concern I raised about draft-jt-add-dns-server-redirection?  In that draft, an upstream injection attacker could poison the resolver's own SVCB record, allowing the attacker to make the client bypass their chosen resolver entirely, and instead use the attacker's resolver ~forever.  This is a kind of "scope expansion": a transient, injection-only attacker on one path can upgrade themselves into a permanent, read-write attacker on all paths.

RESINFO doesn't have this problem.  Yes, an upstream attacker could inject a RESINFO response, but only to the same extent that they could poison any other query in the cache.  (If the resolver is DNSSEC-validating, injection on resolver.arpa is impossible.)  I don't see a scope expansion attack here.

Operationally, "sig" seems distinctly inconvenient.  Any DNS server that sits behind a TLS terminator or CDN will have extreme difficulty implementing it.

I recommend removing "sig".

If upstream attackers are a concern, I would solve that by moving RESINFO into EDNS, which is not controlled by the authoritative server.  (EDNS could still be manipulated by an attacker between a forwarder and its upstream resolver ... but that attacker can already control the content of all responses, so they effectively are​ the resolver.  Also, if the resolver and forwarder are so tightly integrated that the resolver can sign RESINFO with the forwarder's TLS private key, why aren't they using a secure transport?)

--Ben Schwartz
________________________________
From: Add <add-bounces@ietf.org<mailto:add-bounces@ietf.org>> on behalf of tirumal reddy <kondtir@gmail.com<mailto:kondtir@gmail.com>>
Sent: Wednesday, October 11, 2023 3:30 AM
To: add@ietf.org<mailto:add@ietf.org> <add@ietf.org<mailto:add@ietf.org>>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

This revision, https: //www. ietf. org/archive/id/draft-ietf-add-resolver-info-06. html, addresses comments from Martin on the "sig" attribute use. The authors consider it ready to advance the draft to the next stage.   -Tiru On Wed, 4
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender

ZjQcmQRYFpfptBannerEnd
This revision, https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html, addresses comments from Martin on the "sig" attribute use. The authors consider it ready to advance the draft to the next stage.

-Tiru

On Wed, 4 Oct 2023 at 13:42, <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>> wrote:
Internet-Draft draft-ietf-add-resolver-info-06.txt is now available. It is a
work item of the Adaptive DNS Discovery (ADD) WG of the IETF.

   Title:   DNS Resolver Information
   Authors: Tirumaleswar Reddy
            Mohamed Boucadair
   Name:    draft-ietf-add-resolver-info-06.txt
   Pages:   10
   Dates:   2023-10-04

Abstract:

   This document specifies a method for DNS resolvers to publish
   information about themselves.  DNS clients can use the resolver
   information to identify the capabilities of DNS resolvers.  How such
   an information is then used by DNS clients is out of the scope of the
   document.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-06

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


--
Add mailing list
Add@ietf.org<mailto:Add@ietf.org>
https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email