[Add] Warren Kumari's Discuss on draft-ietf-add-resolver-info-12: (with DISCUSS and COMMENT)
Warren Kumari via Datatracker <noreply@ietf.org> Wed, 03 April 2024 20:09 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: add@ietf.org
Delivered-To: add@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 374A1C151084; Wed, 3 Apr 2024 13:09:42 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Warren Kumari via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-add-resolver-info@ietf.org, add-chairs@ietf.org, add@ietf.org, tojens@microsoft.com, tojens@microsoft.com
X-Test-IDTracker: no
X-IETF-IDTracker: 12.9.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Warren Kumari <warren@kumari.net>
Message-ID: <171217498221.10117.2764285055937915803@ietfa.amsl.com>
Date: Wed, 03 Apr 2024 13:09:42 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/AfFPBm8wgkA3ke6uw_3W91g3w2o>
Subject: [Add] Warren Kumari's Discuss on draft-ietf-add-resolver-info-12: (with DISCUSS and COMMENT)
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2024 20:09:42 -0000
Warren Kumari has entered the following ballot position for draft-ietf-add-resolver-info-12: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Be ye not afraid -- see https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ on handling ballots, especially DISCUSS ballots... I'd like to start off by apologizing for the tone of this DISCUSS - I know that you've put a lot of work into this document, and getting a review like this is frustrating. I suspect that a fair bit of my concern can be addressed by having the document be much clearer about the intended use case / what the actual problem is that it is solving. My DISCUSS is quite similar to Paul Wouters' -- there is much in this document which seems unclear and/or underspecified and/or incomplete. As an initial example, the Introduction starts off with: "Historically, DNS clients communicated with recursive resolvers without needing to know anything about the features supported by these resolvers. However, recent developments (e.g., Extended Error Reporting [RFC8914] or encrypted DNS) imply that earlier assumption no longer generally applies." I don't really see how "that earlier assumption no longer generally applies" -- my laptop is configured to use Google Public DNS, which happens to support RFC 8914 (Extended DNS Errors) and QNAME Minimization. My laptop happily communicates with 8.8.8. without knowing **anything about the "features supported by these resolvers"**. I *could* see an argument being made that my laptop should know if the resolver supports various flavors of encrypted DNS so that it knows to connect over an encrypted transport, but that's what RFC9462, RFC9463 are for, no? "Instead of depending on opportunistic approaches, DNS clients need a more reliable mechanism to discover the features that are supported by resolvers." Similar to the prior -- why do clients *need* this? My laptop is currently working just fine without it. The document seems to have this base assumption throughout, but it doesn't really seem to justify it -- I'm hoping / assuming that this is sufficiently obvious within the WG that it was just omitted because "everyone knows". "Retrieved information can be used to feed the server selection procedure. However, that selection procedure is out of the scope of this document." -- is this the justification for all of the above assertions? If so, I think that A: the document needs to be much more explicit about this (don't "bury the lede") and B: some sort of advice about *how* is would be used seems needed -- I get that you don't want to specify the whole selection procedure, but something like "the server selection procedure could use this to prioritize privacy-preserving resolvers over those that don't do QNAME minimization" or similar... Section 3: "If the Special-Use Domain Name "resolver.arpa", defined in [RFC9462], is used to discover an encrypted DNS resolver, the client can retrieve the resolver information using the RESINFO RR type and QNAME of "resolver.arpa". In this case, a client has to contend with the risk that a resolver does not support RESINFO. The resolver might pass the query upstream, and then the client can receive a positive RESINFO response either from a legitimate DNS resolver or an attacker. The DNS client MUST set the Recursion Desired (RD) bit of the query to 0. The DNS client MUST discard the response if the AA flag in the response is set to 0, indicating that the encrypted DNS resolver is not authoritative for the response." This says "In this case, a client has to contend with the risk that a resolver does not support RESINFO." -- but surely that is true for the other cases too? Many clients live behind DNS forwarders / middle-boxes, which will happily pass unknown RR types upstream, but won't necessarily pass e.g EDNS responses back. If one of these clients sees that the "resolver" supports EDE, but the forwarder drops these, the client is being lied to. Perhaps the techniques in this document are only allowed to be used over encrypted DNS transports? This might be implied by the fact that you are supposed to use "resolver.arpa" or "the QNAME of the domain name that is used to authenticate the DNS resolver", but if so, this is really not clear in the document. If that is indeed the case, the document needs to be much much more explicit about this, and also discuss what happens if you query for this over a non-encrypted protocol (which many resolvers won't actually know). In addition, this says: "The DNS client MUST set the Recursion Desired (RD) bit of the query to 0. The DNS client MUST discard the response if the AA flag in the response is set to 0, indicating that the encrypted DNS resolver is not authoritative for the response." - is the "indicating that the *encrypted* DNS resolver" (and this section) implying that the RD bit must only be set to 0 when using the RFC9462 resolver.arpa mechanism, or whenever looking up RESINFO? I'd assume the latter, but that conflicts with the "*encrypted* DNS resolver" bit. Why is it useful / important for a client to know that a resolver supports specific EDE errors? E.g If RESINFO says that Resolver X supports "exterr=15,16,17", and the resolver suddenly sends back Extended DNS Error Code 5 - DNSSEC Indeterminate, what should the client *do*? Is it a violation to send back an EDE Code not covered by the capability list? What if I run a resolver, and advertise "exterr=42", and then add additional support for codes 1, 2 and 3? I guess I have to wait for the TTL to expire before advertising these? Seeing as the document doesn't really explain what the information is used for, it's not clear when (other than at initial connection) a client would re-query for it. Many resolvers are also anycast at this point -- what capabilities should be advertised if the set is not uniform across all members? The minimum enclosing set? The maximal set? The document also lists qnamemin and exterr as the supported capabilities - it's not at all clear why those ones were selected as important capabilities and not e.g 0x20, port randomization, jurisdiction, logging level and retention, favorite flavor of ice-cream, etc. If it is just that these happened to be two capabilities that you happened to choose, I think that it would be worth clarifying this -- the document does say "New keys can be defined as per the procedure defined in Section 8.2.", but the focus on qname and EDE in the text makes it sound like these are the primary uses. infourl: "It is not intended for end user consumption as the URL can possibly provide misleading information. A DNS client MAY choose to display the URL to the end user, if and only if the encrypted resolver has sufficient reputation, according to some local policy" -- so, which is it? If a DNS client does display this to the end user, they will consume it (and possibly be misled). This also seems like it is ripe for phishing / advertising -- "Welcome to BestHotels, thank you for using our wonderful Encrypted DNS server. For only $19.95 per day, you can get the DNSSEC validating version of this service, enter your Credit Card Below!!!" Security Considerations: "An encrypted resolver may return incorrect information in RESINFO. If the client cannot validate the attributes received from the resolver, that will be used for resolver selection or displayed to the end-user, the client should process those attributes only if the encrypted resolver has sufficient reputation according to local policy (e.g., user configuration, administrative configuration, or a built-in list of reputable resolvers). " This feels very hand-wavey / underspecified - "If the client cannot validate the attributes received from the resolver, [...] the client should process those attributes only if the encrypted resolver has sufficient reputation according to local policy." I don't really understand this -- how could a client validate the attributes? Surely not because they are DNSSEC signed / delivered over encrypted DNS? (That doesn't prove that the data is correct, only that it is what the resolver operator sent) So, how would a client validate that Resolver X supports e.g EDE Codes 9, 10, 11? Does this just boil down to "Don't trust any of this unless local policy says to?" ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Nits: 1: "imply that earlier assumption no longer generally applies." s/assumption/assumptions/ (or "the earlier assumptions"). Also, I think s/applies/apply/, or just rewrite this ending part. 2: It is not intended for end user consumption as the URL can possibly provide misleading information. s/consumption as/consumption, as/ Also, I think that "end-user" is the preferred usage, but I'm not sure.
- [Add] Warren Kumari's Discuss on draft-ietf-add-r… Warren Kumari via Datatracker
- Re: [Add] Warren Kumari's Discuss on draft-ietf-a… mohamed.boucadair
- Re: [Add] Warren Kumari's Discuss on draft-ietf-a… tirumal reddy
- Re: [Add] Warren Kumari's Discuss on draft-ietf-a… mohamed.boucadair
- Re: [Add] Warren Kumari's Discuss on draft-ietf-a… mohamed.boucadair