IETF Logo Mail Archive

Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

tirumal reddy <kondtir@gmail.com> Sat, 14 October 2023 06:12 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99035C1524DC for <add@ietfa.amsl.com>; Fri, 13 Oct 2023 23:12:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.991
X-Spam-Level:
X-Spam-Status: No, score=-1.991 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, TRACKER_ID=0.1, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hheOz1lG-Ubg for <add@ietfa.amsl.com>; Fri, 13 Oct 2023 23:12:06 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58CEEC152573 for <add@ietf.org>; Fri, 13 Oct 2023 23:12:06 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id 2adb3069b0e04-503178a0d7fso779753e87.1 for <add@ietf.org>; Fri, 13 Oct 2023 23:12:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697263924; x=1697868724; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fLtP2fv64CIdtGKo+SnDjWmRZGCIcsM6DRoy9e2PihI=; b=EGRqijU6s1dWL3Q62QWM0w/eYcqXuJW+ZE2dx73wM3CeWKZ5n3qEE4w7eN1CQ6GSTN 6tWb9v9ne1ycM9HWRhRtSikVSaLhKdOujOPNnbFa/xLAiMdiQXv0qHBsSgXut+X94PUp XGRleohV1O3EbSM+lYpjho54sOUJUVRrQbRAkqmtAMfp3/2N7Bd1zgh33HHZlV6/3aDn OppM+RdmDuf0fr+iyDS3Uz5TuO8sxN/nUurQ+QJo3b7MufNlASOG+gfMHZs7/CJxCM0r Cnxg+qy6JCPqtW4VUF/BRhkRluIGIUSnWPfW5eXQB53M2iXCxaGvgxBXDBbUMGApj3o0 pBLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697263924; x=1697868724; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fLtP2fv64CIdtGKo+SnDjWmRZGCIcsM6DRoy9e2PihI=; b=m3xXKItdb8Wc6fx5e32xRPwdF3EDDNJoIjpmmsVT8eAZS2LQKdMxL7U9oRc09AUW+b Sru7jRta+sVGRNYSbGD7EsoWHIQMobA1I/3sEOl3la0kQZd61Pnhus6S2INJpav2jHaS yJIsOxcG9L2yFPwDJGcjj8xuubqMgDyYVuQeAEzZDQEJuTsePvXlHukJk0fWc1OqVwL1 uF8t4CvEde5z/xGLBkN9iUw6I3dSM0wj7Pxt/46NoEFKVuJOoPx5s+lPDOtC7FiCGYJF Lf6K+gRTf2qqgj4K1jZdBaiGMWncVBVC6bfTtnfRo39IhIa3kJBB4NnPjfWWJWLUHuej KLEw==
X-Gm-Message-State: AOJu0YyifJR3wad22vQdPbgXgE+rNHMeanmjWTrO3VhrsuhlUigZHUta G3i1LA/Zc9RPTYHIZKFn7WJ7bu5DPmX3inSod5Xi0V0uAj8=
X-Google-Smtp-Source: AGHT+IHB6ARjqVqSr3l+uTObJDzKJYAP2JT1xu1TcjUaAiuoWDOqdf49yDbDSoLzKPajRwmlwKvM/XSYQhLSjMgtozA=
X-Received: by 2002:a2e:3906:0:b0:2c0:1959:fe59 with SMTP id g6-20020a2e3906000000b002c01959fe59mr16508370lja.3.1697263923391; Fri, 13 Oct 2023 23:12:03 -0700 (PDT)
MIME-Version: 1.0
References: <169640714475.30083.4833419078785956639@ietfa.amsl.com> <CAFpG3ge7G=0f+sWGqL8ANWG+nd=e3ngf7CdbUfhpjQvRYaatbg@mail.gmail.com> <BN8PR15MB32818870E42CB776F3A5F1DFB3CCA@BN8PR15MB3281.namprd15.prod.outlook.com> <CAFpG3gcnL1Fmx5hbQEBJUzTVsoBf7CMOOUuHiV-8DRQOLrbY4A@mail.gmail.com> <BN8PR15MB32816A104B16005165DA5C75B3D2A@BN8PR15MB3281.namprd15.prod.outlook.com> <DM6PR00MB07677636CDF58B2CD25F13C0FAD2A@DM6PR00MB0767.namprd00.prod.outlook.com>
In-Reply-To: <DM6PR00MB07677636CDF58B2CD25F13C0FAD2A@DM6PR00MB0767.namprd00.prod.outlook.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Sat, 14 Oct 2023 11:41:51 +0530
Message-ID: <CAFpG3gcRzVWTtJ7cL=yD9k_qi36FncCR5ibL59qun6_O16T1WA@mail.gmail.com>
To: Tommy Jensen <Jensen.Thomas@microsoft.com>
Cc: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, "add@ietf.org" <add@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003e72d40607a70d05"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/9kNb4XxU0rlSsBOfkWxN5aNfGGs>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Oct 2023 06:12:11 -0000

On Fri, 13 Oct 2023 at 22:23, Tommy Jensen <Jensen.Thomas@microsoft.com>
wrote:

> > Instead of asking "does this enable an attack", we have to ask "does
> this make the attacks worse in some scenario"?
>
>
>
> Agreed. I still argue that the ability to poison an arbitrary record is
> not as bad as the ability to lie about the current resolver’s properties,
> which include an arbitrary URL, especially knowing that a DNSSEC-validating
> client can raise trust in the answer in the non-DDR case versus in the DDR
> case.
>

The proposed mechanism will help identify the attack and warn the client
that an upstream attacker is spoofing the DNS response.


>
>
> > In general, RESINFO claims are not verifiable by the client.
>
>
>
> True, the claims themselves are not verifiable, as in the client cannot
> verify the resolver is in fact using QNAME minimalization, without some
> kind of ridiculously expensive, out of band, TEE powered relationship, but…
>
>
>
> > The client simply has to trust that the server is telling the truth,
> which means it needs a particular kind of pre-existing trust relationship
> with that server operator
>
>
>
> In the non-DDR case, the record will be for a name the client used to
> connect to the resolver over encrypted DNS. In this case, the record’s
> authenticity can be confirmed using DNSSEC to be as trustworthy as the
> original resolver choice configuration (detect upstream forgery). The same
> cannot be said of the DDR case, since resolver.arpa cannot be validly
> signed (no detection of forgery).
>

Agreed. In the DNR case, if the client does not perform DNSSEC validation,
it can initiate a RESINFO query after the DNS server is authenticated (I
mean after the TLS handshake is complete). If the resolver does not support
RESINFO RRtype, it will return "not implemented" response code and on-path
attacker spoofing RESINFO is not possible.


>
>
> > I think the simplest solution is to note in the draft that clients MUST
> NOT rely on RESINFO unless they have an out-of-band agreement with the
> server operator to abide by its published RESINFO policy
>
>
>
> No argument that this is the simplest solution. However, I believe the
> authors and those interested in adopting the draft may take issue with
> that, as it will reduce its useful deployment scale, but there’s no doubt
> it would address this concern. I would be interested to hear from other
> interested adopters to see what their target scenario is and if this is
> problematic. For the record, my first suggestion during shepherd review was
> to declare that clients MUST NOT rely on RESINFO when the resolver was
> discovered using DDR, and the sig solution was proposed because excluding
> DDR discovered resolvers was undesirable.
>

Yes, the "sig" attribute is specifically introduced to support DDR. One
possible way forward would be to relax the rule to validate the "sig"
attribute from "MUST" and "SHOULD". In cases where the "sig" attribute is
not provided, clients can process the response if and only if they have an
out-of-band agreement with the server operator to abide by its published
RESINFO policy.

-Tiru


>
>
> Who else is actively planning to implement RESINFO? Please weigh in.
>
>
>
> Thanks,
>
> Tommy
>
>
>
> *From:* Add <add-bounces@ietf.org> *On Behalf Of *Ben Schwartz
> *Sent:* Friday, October 13, 2023 8:59 AM
> *To:* tirumal reddy <kondtir@gmail.com>
> *Cc:* add@ietf.org
> *Subject:* [EXTERNAL] Re: [Add] I-D Action:
> draft-ietf-add-resolver-info-06.txt
>
>
>
> Reasoning about the security properties of insecure systems is tricky.
> Instead of asking "does this enable an attack", we have to ask "does this
> make the attacks worse in some scenario"?
>
>
>
> In this thread, we are discussing attackers who are falsifying RESINFO
> records.  This is only possible if (1) the attacker is upstream of the
> server* (which could be a resolver or forwarder) AND (2) that server is not
> DNSSEC-validating AND (3) that server is not using authenticated encryption
> on this connection AND (4) that server is not RESINFO-aware.
>
>
>
> Given these preconditions, we can then ask: does accepting RESINFO make
> anything worse for the client?  Under these conditions, the attacker can
> already observe all upstream queries and generate arbitrary responses.
> They essentially have taken over the resolver.  For example, the attacker
> controls the effective QNAME minimization policy: the attacker could
> capture all queries until the full QNAME is revealed, then pass that name
> un-minimized to the root servers and other parent zones.
>
>
>
> The same logic applies to Kaminsky attacks and off-path cache poisoning:
> this attacker could point the IP addresses of popular TLD nameservers (or
> maybe even the root) back to themselves, allowing them to capture virtually
> all queries and control the responses.
>
>
>
> Adding special cryptographic protections to RESINFO is not helpful when
> the actual functions of the resolver remain unprotected.
>
>
>
> In general, RESINFO claims are not verifiable by the client.  The client
> simply has to trust that the server is telling the truth, which means it
> needs a particular kind of pre-existing trust relationship with that server
> operator.  I think the simplest solution is to note in the draft that
> clients MUST NOT rely on RESINFO unless they have an out-of-band agreement
> with the server operator to abide by its published RESINFO policy ... which
> implicitly prevents this attack (via point 4 above).
>
>
>
> If we really feel the need to provide authenticated-but-still-untrusted
> RESINFO, we can move it to EDNS, which is not vulnerable except in
> pathologically insecure deployments.
>
>
>
> --Ben
>
>
>
> *Excluding off-path cache poisoning attacks for the moment.
> ------------------------------
>
> *From:* tirumal reddy <kondtir@gmail.com>
> *Sent:* Friday, October 13, 2023 8:14 AM
> *To:* Ben Schwartz <bemasc@meta.com>
> *Cc:* add@ietf.org <add@ietf.org>
> *Subject:* Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
>
>
>
> On Thu, 12 Oct 2023 at 04: 03, Ben Schwartz <bemasc@ meta. com> wrote: I
> guess "sig" is based on a security concern I raised about
> draft-jt-add-dns-server-redirection? In that draft, an upstream injection
> attacker could poison
>
> ZjQcmQRYFpfptBannerStart
>
> *This Message Is From an External Sender *
>
>
>
> ZjQcmQRYFpfptBannerEnd
>
> On Thu, 12 Oct 2023 at 04:03, Ben Schwartz <bemasc@meta.com> wrote:
>
> I guess "sig" is based on a security concern I raised
> about draft-jt-add-dns-server-redirection?  In that draft, an upstream
> injection attacker could poison the resolver's own SVCB record, allowing
> the attacker to make the client bypass their chosen resolver entirely, and
> instead use the attacker's resolver ~forever.  This is a kind of "scope
> expansion": a transient, injection-only attacker on one path can upgrade
> themselves into a permanent, read-write attacker on all paths.
>
>
>
> RESINFO doesn't have this problem.  Yes, an upstream attacker could inject
> a RESINFO response, but only to the same extent that they could poison any
> other query in the cache.  (If the resolver is DNSSEC-validating, injection
> on resolver.arpa is impossible.)  I don't see a scope expansion attack here.
>
>
>
> Yes, scope expansion attack is not possible but DNSSEC protection is not
> possible with SUDN "resolver.arpa". In case of DDR, the client will not
> know whether RESINFO RR is originating from the discovered encrypted
> resolver or not.
>
>
>
> -Tiru
>
>
>
>
>
> Operationally, "sig" seems distinctly inconvenient.  Any DNS server that
> sits behind a TLS terminator or CDN will have extreme difficulty
> implementing it.
>
>
>
> I recommend removing "sig".
>
>
>
> If upstream attackers are a concern, I would solve that by moving RESINFO
> into EDNS, which is not controlled by the authoritative server.  (EDNS
> could still be manipulated by an attacker between a forwarder and its
> upstream resolver ... but that attacker can already control the content of
> all responses, so they effectively *are* the resolver.  Also, if the
> resolver and forwarder are so tightly integrated that the resolver can sign
> RESINFO with the forwarder's TLS private key, why aren't they using a
> secure transport?)
>
>
>
> --Ben Schwartz
> ------------------------------
>
> *From:* Add <add-bounces@ietf.org> on behalf of tirumal reddy <
> kondtir@gmail.com>
> *Sent:* Wednesday, October 11, 2023 3:30 AM
> *To:* add@ietf.org <add@ietf.org>
> *Subject:* Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
>
>
>
> This revision, https: //www. ietf.
> org/archive/id/draft-ietf-add-resolver-info-06. html, addresses comments
> from Martin on the "sig" attribute use. The authors consider it ready to
> advance the draft to the next stage.   -Tiru On Wed, 4
>
> ZjQcmQRYFpfptBannerStart
>
> *This Message Is From an External Sender *
>
>
>
> ZjQcmQRYFpfptBannerEnd
>
> This revision,
> https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html, addresses
> comments from Martin on the "sig" attribute use. The authors consider it
> ready to advance the draft to the next stage.
>
>
>
> -Tiru
>
>
>
> On Wed, 4 Oct 2023 at 13:42, <internet-drafts@ietf.org> wrote:
>
> Internet-Draft draft-ietf-add-resolver-info-06.txt is now available. It is
> a
> work item of the Adaptive DNS Discovery (ADD) WG of the IETF.
>
>    Title:   DNS Resolver Information
>    Authors: Tirumaleswar Reddy
>             Mohamed Boucadair
>    Name:    draft-ietf-add-resolver-info-06.txt
>    Pages:   10
>    Dates:   2023-10-04
>
> Abstract:
>
>    This document specifies a method for DNS resolvers to publish
>    information about themselves.  DNS clients can use the resolver
>    information to identify the capabilities of DNS resolvers.  How such
>    an information is then used by DNS clients is out of the scope of the
>    document.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-06
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>
>

v2.23.0 | Report a Bug | By Email