IETF Logo Mail Archive

Re: [Add] draft-ietf-add-resolver-info-09

Mark Andrews <marka@isc.org> Tue, 05 March 2024 21:02 UTC

Return-Path: <marka@isc.org>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AA09C14F618 for <add@ietfa.amsl.com>; Tue, 5 Mar 2024 13:02:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.405
X-Spam-Level:
X-Spam-Status: No, score=-4.405 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="Mrlj/C75"; dkim=pass (1024-bit key) header.d=isc.org header.b="M6xwyY2r"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THpSt2WbAlPp for <add@ietfa.amsl.com>; Tue, 5 Mar 2024 13:02:15 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BCDFC14F5F7 for <add@ietf.org>; Tue, 5 Mar 2024 13:02:14 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 4AD933AB1B6; Tue, 5 Mar 2024 21:02:14 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 4AD933AB1B6
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1709672534; cv=none; b=KAVRDQ3XsEW5NfFeQyQ7yWqM04fDohliPqk+1h58BNkUv1eAGisW8NeCISCciGFgyusOIdM6+dILFNpdWChrdAbiAzLQFDy4pSiqZ6n6Mdl4MuEUFiejfUBZhOkonkhbbRVqoZreSO1PvQYlccd6Uqac2MmkomkRXi6KvgnQxBE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1709672534; c=relaxed/relaxed; bh=an8QfYve5VD0MQ9qynp2p0lrTIWNZouBUctXySwmtFk=; h=DKIM-Signature:DKIM-Signature:From:Mime-Version:Subject:Date: Message-Id:To; b=F0QMLeACz6El9inqhodvD8foJH295lBKFolMkfzj5UZE/eGI1WVzAoTO7qftW8tBRjYuMRoUG+R3pZri05+1RXjl1WWdUnRWJUai+D/1CNQK6doxffj4AzRw54Ld7AVsssijwe/HfZIUFAtg0Ygpguh6ES795PeCxQl+q4maLyU=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 4AD933AB1B6
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1709672534; bh=unUdmm89havfOywJm8MgAfDDla8IqfUovPcPoobOtpM=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=Mrlj/C75s/EocYrsBYcBfxiEd7uZM7EVQEqsacLXof1qMs795OoEg5a5wQwm4Tn1e N/H+oLMIorGDKRmDjv4bazCqimFnJ4GunyHK6wi39mpuF6f/6AHZzGNCu9IKgtE73I ZzqVa4hFL7ixpDbaBd0IxY1FqD3NJppH03JTQS68=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 3BF131161909; Tue, 5 Mar 2024 21:02:14 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 1A2E01161A0D; Tue, 5 Mar 2024 21:02:14 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 1A2E01161A0D
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1709672534; bh=an8QfYve5VD0MQ9qynp2p0lrTIWNZouBUctXySwmtFk=; h=From:Mime-Version:Date:Message-Id:To; b=M6xwyY2r08cCVdLnwjIr8ZLimnmacpdnvvJ2jK3D/7p1/h6dQXOV4sWQbjelnlag1 CNKFdtDQdDRDXOOSEu0LkWmFnhOoaucWU7je9g5Qq1F0neSX2jzovWbNJdyxjQGAOZ zPF2pohI+33kTAEyEo+0B8AXCqNQw4QPf5xGFKn8=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id 77kptWQL20hK; Tue, 5 Mar 2024 21:02:14 +0000 (UTC)
Received: from smtpclient.apple (n49-187-18-238.bla1.nsw.optusnet.com.au [49.187.18.238]) by zimbrang.isc.org (Postfix) with ESMTPSA id 9C9A61161909; Tue, 5 Mar 2024 21:02:13 +0000 (UTC)
Content-Type: multipart/alternative; boundary="Apple-Mail-70F583A2-D387-4B18-B78C-CE789DC3E7A4"
Content-Transfer-Encoding: 7bit
From: Mark Andrews <marka@isc.org>
Mime-Version: 1.0 (1.0)
Date: Wed, 06 Mar 2024 08:02:09 +1100
Message-Id: <077D27F8-03C1-4ECC-97BE-579ABF22563F@isc.org>
References: <SA1PR15MB4370C02BF2458CFD28D06265B3222@SA1PR15MB4370.namprd15.prod.outlook.com>
Cc: mohamed.boucadair@orange.com, tirumal reddy <kondtir@gmail.com>, add@ietf.org
In-Reply-To: <SA1PR15MB4370C02BF2458CFD28D06265B3222@SA1PR15MB4370.namprd15.prod.outlook.com>
To: Ben Schwartz <bemasc@meta.com>
X-Mailer: iPhone Mail (19H380)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/8lJ1u9pfrlzo-u1UtyXrF-HVNo0>
Subject: Re: [Add] draft-ietf-add-resolver-info-09
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 21:02:20 -0000

Stop using +short and look at all of the response including whether aa is set or not in the flags. 

-- 
Mark Andrews

> On 6 Mar 2024, at 07:09, Ben Schwartz <bemasc@meta.com> wrote:
> 
> 
> Mark's suggestion is correct, but I don't think draft-11 captures it correctly.  The draft-11 text only says
> 
>    The DNS client MUST set the Recursion
>    Desired (RD) bit of the query to 0 to ensure that the response is provided by the resolver.
>    If the resolver does not support RESINFO, it will return an authoritative name error.
> 
> This is factually incorrect, as can be observed by sending an RD=0 query to an ordinary recursive resolver:
> 
> % dig +short +norecurse www.google.com @1.1.1.1
> 142.251.167.104
> 142.251.167.147
> 142.251.167.99
> 142.251.167.106
> 142.251.167.103
> 142.251.167.105
> 
> Mark's suggestion is that the client verify that the response has AA=1.  That check ensures that the result was not populated insecurely over the network, but the draft doesn't mention it.
> 
> --Ben
> From: Add <add-bounces@ietf.org> on behalf of mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> Sent: Wednesday, February 21, 2024 2:37 AM
> To: Mark Andrews <marka@isc.org>
> Cc: tirumal reddy <kondtir@gmail.com>; add@ietf.org <add@ietf.org>
> Subject: Re: [Add] draft-ietf-add-resolver-info-09
>  
> !-------------------------------------------------------------------|
>   This Message Is From an External Sender
> 
> |-------------------------------------------------------------------!
> 
> Hi Mark, all, 
> 
> We think this is fair. Thanks. 
> 
> We created a PR to fix this: https://github.com/boucadair/add-resolver-information/pull/19/files.
> 
> Cheers,
> Tiru & Med
> 
> > -----Message d'origine-----
> > De : Add <add-bounces@ietf.org> De la part de Mark Andrews
> > Envoyé : mercredi 21 février 2024 01:50
> > À : Steffen Nurpmeso <steffen@sdaoden.eu>
> > Cc : tirumal reddy <kondtir@gmail.com>; add@ietf.org
> > Objet : Re: [Add] draft-ietf-add-resolver-info-09
> > 
> > If a recursive server passes through a response with AA=1 it is
> > broken. If a recursive  server forwards a query with RD=0 it is
> > broken.  If a “recursive server” is just forwarding queries and
> > responses the attacker will just put the response in the authority
> > section.  The change of section provides no security. It doesn’t
> > prevent problems. It is just change for changes sake.
> > 
> > --
> > Mark Andrews
> > 
> > > On 21 Feb 2024, at 06:30, Steffen Nurpmeso <steffen@sdaoden.eu>
> > wrote:
> > >
> > > tirumal reddy wrote in
> > > <CAFpG3gd5GwSAoOs3SX2xWZyKVR7F5y-
> > y1VxxbTmfooC4AWo5Mw@mail.gmail.com>:
> > > |On Thu, 15 Feb 2024 at 06:02, Mark Andrews <marka@isc.org> wrote:
> > > |> Why is it necessary to change the standard processing of queries
> > > |> for RESINFO when we already have a signal (AA=1) about whether
> > the
> > > |> answer is coming from elsewhere or not ?
> > > |
> > > |It is introduced to handle a scenario where SUDN is used to
> > discover
> > > |the encrypted resolver, and if the discovered resolver does not
> > > |support RESINFO, it will forward the query upstream. An attacker
> > > |might provide a RESINFO response with AA=1. The proposed mechanism
> > > |aims to help the client identify whether the response is coming
> > from
> > > |the discovered encrypted resolver.
> > >
> > > By the way i am really not worth being noted for anything
> > > acknowledgeable regarding the work of this WG.  At all.
> > > If you have another iteration of the document, i would prefer if you
> > > would simply scratch my name from your work.
> > > It is solely your work, for sure.
> > > And the above is possibly very smart: my DNS work was two decades
> > ago,
> > > and i could not even tell whether i have ever seen authority section
> > > entries being passed through or not.
> > >
> > > My main topics are simplicity so small teams can still exist
> > > competetively as was true over two decades ago (ie, with knowing the
> > > entire picture, not by delegating to "trusted" external modules in
> > > uncounted numbers), when there were <3000 RFCs.
> > >
> > > As such i very much appreciated RFC 8499, but i alone from my
> > > superficial out-of-interest reading have 17 DNS-related RFCs added
> > > locally since then, plus the draft of yours and whatever else from
> > > this WG.
> > >
> > > And a different way to get the TLS trust (or, rather, use existing
> > > ways of various kind eg rpki, ikev2, or simply public keys as is
> > done
> > > by DKIM (certificates are a bit larger, but with the TCP that is
> > more
> > > and more needed per se, or QUIC; or even the permanent HTTP proxying
> > > of everything, that is "no problem")) away from CA pools, to DNS/TLS
> > +
> > > DNSSEC zone records.  Thank you for that, too!
> > >
> > > Ciao, and greetings from Germany,
> > >
> > > --steffen
> > > |
> > > |Der Kragenbaer,                The moon bear,
> > > |der holt sich munter           he cheerfully and one by one
> > > |einen nach dem anderen runter  wa.ks himself off (By Robert
> > > |Gernhardt)
> > 
> > --
> > Add mailing list
> > Add@ietf.org
> > https://eur03.safelinks.protection.outlook.com/?url=https://www .
> > ietf.org%2Fmailman%2Flistinfo%2Fadd&data=05%7C02%7Cmohamed.boucadair%4
> > 0orange.com%7C3a00adf00f6c4a88f66d08dc32770e24%7C90c7a20af34b40bfbc48b
> > 9253b6f5d20%7C0%7C0%7C638440734117558876%7CUnknown%7CTWFpbGZsb3d8eyJWI
> > joiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7
> > C%7C&sdata=GUI2%2FfrtBz%2FtYaA8ZmAGjR2jzb8mcp%2BmewuFjMiI3CE%3D&reserv
> > ed=0
> ____________________________________________________________________________________________________________
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
> 
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email