Re: [Add] draft-ietf-add-resolver-info-09
Mark Andrews <marka@isc.org> Tue, 05 March 2024 21:02 UTC
Return-Path: <marka@isc.org>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AA09C14F618 for <add@ietfa.amsl.com>; Tue, 5 Mar 2024 13:02:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.405
X-Spam-Level:
X-Spam-Status: No, score=-4.405 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="Mrlj/C75"; dkim=pass (1024-bit key) header.d=isc.org header.b="M6xwyY2r"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THpSt2WbAlPp for <add@ietfa.amsl.com>; Tue, 5 Mar 2024 13:02:15 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BCDFC14F5F7 for <add@ietf.org>; Tue, 5 Mar 2024 13:02:14 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 4AD933AB1B6; Tue, 5 Mar 2024 21:02:14 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 4AD933AB1B6
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1709672534; cv=none; b=KAVRDQ3XsEW5NfFeQyQ7yWqM04fDohliPqk+1h58BNkUv1eAGisW8NeCISCciGFgyusOIdM6+dILFNpdWChrdAbiAzLQFDy4pSiqZ6n6Mdl4MuEUFiejfUBZhOkonkhbbRVqoZreSO1PvQYlccd6Uqac2MmkomkRXi6KvgnQxBE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1709672534; c=relaxed/relaxed; bh=an8QfYve5VD0MQ9qynp2p0lrTIWNZouBUctXySwmtFk=; h=DKIM-Signature:DKIM-Signature:From:Mime-Version:Subject:Date: Message-Id:To; b=F0QMLeACz6El9inqhodvD8foJH295lBKFolMkfzj5UZE/eGI1WVzAoTO7qftW8tBRjYuMRoUG+R3pZri05+1RXjl1WWdUnRWJUai+D/1CNQK6doxffj4AzRw54Ld7AVsssijwe/HfZIUFAtg0Ygpguh6ES795PeCxQl+q4maLyU=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 4AD933AB1B6
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1709672534; bh=unUdmm89havfOywJm8MgAfDDla8IqfUovPcPoobOtpM=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=Mrlj/C75s/EocYrsBYcBfxiEd7uZM7EVQEqsacLXof1qMs795OoEg5a5wQwm4Tn1e N/H+oLMIorGDKRmDjv4bazCqimFnJ4GunyHK6wi39mpuF6f/6AHZzGNCu9IKgtE73I ZzqVa4hFL7ixpDbaBd0IxY1FqD3NJppH03JTQS68=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 3BF131161909; Tue, 5 Mar 2024 21:02:14 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 1A2E01161A0D; Tue, 5 Mar 2024 21:02:14 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 1A2E01161A0D
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1709672534; bh=an8QfYve5VD0MQ9qynp2p0lrTIWNZouBUctXySwmtFk=; h=From:Mime-Version:Date:Message-Id:To; b=M6xwyY2r08cCVdLnwjIr8ZLimnmacpdnvvJ2jK3D/7p1/h6dQXOV4sWQbjelnlag1 CNKFdtDQdDRDXOOSEu0LkWmFnhOoaucWU7je9g5Qq1F0neSX2jzovWbNJdyxjQGAOZ zPF2pohI+33kTAEyEo+0B8AXCqNQw4QPf5xGFKn8=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id 77kptWQL20hK; Tue, 5 Mar 2024 21:02:14 +0000 (UTC)
Received: from smtpclient.apple (n49-187-18-238.bla1.nsw.optusnet.com.au [49.187.18.238]) by zimbrang.isc.org (Postfix) with ESMTPSA id 9C9A61161909; Tue, 5 Mar 2024 21:02:13 +0000 (UTC)
Content-Type: multipart/alternative; boundary="Apple-Mail-70F583A2-D387-4B18-B78C-CE789DC3E7A4"
Content-Transfer-Encoding: 7bit
From: Mark Andrews <marka@isc.org>
Mime-Version: 1.0 (1.0)
Date: Wed, 06 Mar 2024 08:02:09 +1100
Message-Id: <077D27F8-03C1-4ECC-97BE-579ABF22563F@isc.org>
References: <SA1PR15MB4370C02BF2458CFD28D06265B3222@SA1PR15MB4370.namprd15.prod.outlook.com>
Cc: mohamed.boucadair@orange.com, tirumal reddy <kondtir@gmail.com>, add@ietf.org
In-Reply-To: <SA1PR15MB4370C02BF2458CFD28D06265B3222@SA1PR15MB4370.namprd15.prod.outlook.com>
To: Ben Schwartz <bemasc@meta.com>
X-Mailer: iPhone Mail (19H380)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/8lJ1u9pfrlzo-u1UtyXrF-HVNo0>
Subject: Re: [Add] draft-ietf-add-resolver-info-09
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 21:02:20 -0000
Stop using +short and look at all of the response including whether aa is set or not in the flags. -- Mark Andrews > On 6 Mar 2024, at 07:09, Ben Schwartz <bemasc@meta.com> wrote: > > > Mark's suggestion is correct, but I don't think draft-11 captures it correctly. The draft-11 text only says > > The DNS client MUST set the Recursion > Desired (RD) bit of the query to 0 to ensure that the response is provided by the resolver. > If the resolver does not support RESINFO, it will return an authoritative name error. > > This is factually incorrect, as can be observed by sending an RD=0 query to an ordinary recursive resolver: > > % dig +short +norecurse www.google.com @1.1.1.1 > 142.251.167.104 > 142.251.167.147 > 142.251.167.99 > 142.251.167.106 > 142.251.167.103 > 142.251.167.105 > > Mark's suggestion is that the client verify that the response has AA=1. That check ensures that the result was not populated insecurely over the network, but the draft doesn't mention it. > > --Ben > From: Add <add-bounces@ietf.org> on behalf of mohamed.boucadair@orange.com <mohamed.boucadair@orange.com> > Sent: Wednesday, February 21, 2024 2:37 AM > To: Mark Andrews <marka@isc.org> > Cc: tirumal reddy <kondtir@gmail.com>; add@ietf.org <add@ietf.org> > Subject: Re: [Add] draft-ietf-add-resolver-info-09 > > !-------------------------------------------------------------------| > This Message Is From an External Sender > > |-------------------------------------------------------------------! > > Hi Mark, all, > > We think this is fair. Thanks. > > We created a PR to fix this: https://github.com/boucadair/add-resolver-information/pull/19/files. > > Cheers, > Tiru & Med > > > -----Message d'origine----- > > De : Add <add-bounces@ietf.org> De la part de Mark Andrews > > Envoyé : mercredi 21 février 2024 01:50 > > À : Steffen Nurpmeso <steffen@sdaoden.eu> > > Cc : tirumal reddy <kondtir@gmail.com>; add@ietf.org > > Objet : Re: [Add] draft-ietf-add-resolver-info-09 > > > > If a recursive server passes through a response with AA=1 it is > > broken. If a recursive server forwards a query with RD=0 it is > > broken. If a “recursive server” is just forwarding queries and > > responses the attacker will just put the response in the authority > > section. The change of section provides no security. It doesn’t > > prevent problems. It is just change for changes sake. > > > > -- > > Mark Andrews > > > > > On 21 Feb 2024, at 06:30, Steffen Nurpmeso <steffen@sdaoden.eu> > > wrote: > > > > > > tirumal reddy wrote in > > > <CAFpG3gd5GwSAoOs3SX2xWZyKVR7F5y- > > y1VxxbTmfooC4AWo5Mw@mail.gmail.com>: > > > |On Thu, 15 Feb 2024 at 06:02, Mark Andrews <marka@isc.org> wrote: > > > |> Why is it necessary to change the standard processing of queries > > > |> for RESINFO when we already have a signal (AA=1) about whether > > the > > > |> answer is coming from elsewhere or not ? > > > | > > > |It is introduced to handle a scenario where SUDN is used to > > discover > > > |the encrypted resolver, and if the discovered resolver does not > > > |support RESINFO, it will forward the query upstream. An attacker > > > |might provide a RESINFO response with AA=1. The proposed mechanism > > > |aims to help the client identify whether the response is coming > > from > > > |the discovered encrypted resolver. > > > > > > By the way i am really not worth being noted for anything > > > acknowledgeable regarding the work of this WG. At all. > > > If you have another iteration of the document, i would prefer if you > > > would simply scratch my name from your work. > > > It is solely your work, for sure. > > > And the above is possibly very smart: my DNS work was two decades > > ago, > > > and i could not even tell whether i have ever seen authority section > > > entries being passed through or not. > > > > > > My main topics are simplicity so small teams can still exist > > > competetively as was true over two decades ago (ie, with knowing the > > > entire picture, not by delegating to "trusted" external modules in > > > uncounted numbers), when there were <3000 RFCs. > > > > > > As such i very much appreciated RFC 8499, but i alone from my > > > superficial out-of-interest reading have 17 DNS-related RFCs added > > > locally since then, plus the draft of yours and whatever else from > > > this WG. > > > > > > And a different way to get the TLS trust (or, rather, use existing > > > ways of various kind eg rpki, ikev2, or simply public keys as is > > done > > > by DKIM (certificates are a bit larger, but with the TCP that is > > more > > > and more needed per se, or QUIC; or even the permanent HTTP proxying > > > of everything, that is "no problem")) away from CA pools, to DNS/TLS > > + > > > DNSSEC zone records. Thank you for that, too! > > > > > > Ciao, and greetings from Germany, > > > > > > --steffen > > > | > > > |Der Kragenbaer, The moon bear, > > > |der holt sich munter he cheerfully and one by one > > > |einen nach dem anderen runter wa.ks himself off (By Robert > > > |Gernhardt) > > > > -- > > Add mailing list > > Add@ietf.org > > https://eur03.safelinks.protection.outlook.com/?url=https://www . > > ietf.org%2Fmailman%2Flistinfo%2Fadd&data=05%7C02%7Cmohamed.boucadair%4 > > 0orange.com%7C3a00adf00f6c4a88f66d08dc32770e24%7C90c7a20af34b40bfbc48b > > 9253b6f5d20%7C0%7C0%7C638440734117558876%7CUnknown%7CTWFpbGZsb3d8eyJWI > > joiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7 > > C%7C&sdata=GUI2%2FfrtBz%2FtYaA8ZmAGjR2jzb8mcp%2BmewuFjMiI3CE%3D&reserv > > ed=0 > ____________________________________________________________________________________________________________ > Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or privileged information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. > Thank you. > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add
- [Add] draft-ietf-add-resolver-info-09 Mark Andrews
- Re: [Add] draft-ietf-add-resolver-info-09 tirumal reddy
- Re: [Add] draft-ietf-add-resolver-info-09 Steffen Nurpmeso
- Re: [Add] draft-ietf-add-resolver-info-09 Mark Andrews
- Re: [Add] draft-ietf-add-resolver-info-09 mohamed.boucadair
- Re: [Add] draft-ietf-add-resolver-info-09 mohamed.boucadair
- Re: [Add] draft-ietf-add-resolver-info-09 Steffen Nurpmeso
- Re: [Add] draft-ietf-add-resolver-info-09 Ben Schwartz
- Re: [Add] draft-ietf-add-resolver-info-09 Ben Schwartz
- Re: [Add] draft-ietf-add-resolver-info-09 Mark Andrews
- Re: [Add] draft-ietf-add-resolver-info-09 Mark Andrews
- Re: [Add] draft-ietf-add-resolver-info-09 mohamed.boucadair
- Re: [Add] draft-ietf-add-resolver-info-09 Ben Schwartz
- Re: [Add] draft-ietf-add-resolver-info-09 Mark Andrews