IETF Logo Mail Archive

Re: [Add] draft-ietf-add-resolver-info-09

Ben Schwartz <bemasc@meta.com> Tue, 05 March 2024 21:20 UTC

Return-Path: <prvs=879478b896=bemasc@meta.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C2D8C14F6BD for <add@ietfa.amsl.com>; Tue, 5 Mar 2024 13:20:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.803
X-Spam-Level:
X-Spam-Status: No, score=-2.803 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=meta.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uSHs0RWut-wn for <add@ietfa.amsl.com>; Tue, 5 Mar 2024 13:20:02 -0800 (PST)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDE43C14F686 for <add@ietf.org>; Tue, 5 Mar 2024 13:20:02 -0800 (PST)
Received: from pps.filterd (m0044010.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 425KHinu023129; Tue, 5 Mar 2024 13:20:01 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meta.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=s2048-2021-q4; bh=crDuL5w6RQR8MjIywBP9D5Tkidpk1iwrqvjSSdwh/gk=; b=EN7RIpTn9+5y5XcGLo3HmkddqCvkK0KZ3x9iYL2oR0N9dN21sjNp7X5lrJdIMn3vNNE4 8abYpvleTOh2Po7tY9PIovl+BLU1raH5RYX4cPsA0Ql0sYT8b70I+XfcFwanTEKe82iP d2/4YUznRcZFD1eZ9YKQ//o5GP3ZgbEmaKcL1Aeu+VvUjFjiadrwI8aYXCThjcYazpAQ WFp18+I35aSrhovtstuVKDy3JEOMr4CmZ/Ifog5g6oebAArI2yNzCWzg9j2cpj2x4zGF mNE08q+UN5V28PB7Rf/Ik1zFwFD8dgdSaP1rL1R+xpWVky1cmyhwpBc5NgrG+ydVhqTk UA==
Received: from nam02-dm3-obe.outbound.protection.outlook.com (mail-dm3nam02lp2040.outbound.protection.outlook.com [104.47.56.40]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3wp5cs32k8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 05 Mar 2024 13:20:01 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cFw9Zr4D2IzwcgzvsQF2nPcfZMDY2SwDxEN3omWG4GdJOz37Xz9d8zcoL8kbmiazw2uoIXWPqzT6JZKMULVfvM/0Q+JMpvX52yVBFBjQOMwkTtTQ7N+cATEdFz8Vniv5x4+pUusZ7zcSbmF4QhqogTwo5KtpY7APb4zGX5ACk0MijCLesHR8x6He/9A/UAuH9cDzZndMKZBUPQFi5rYe91E35JQE+LOLIL4uRMz4kz0Ikrw5rS5Cz4DmN3B1C97SM0RV9+PQLg3aM9h7UD9dXueO5d2RCza+O9WhwueRGVcRAGBWbdJMaBOMrn6eC8xnH0/gREXQgEfOfTfyu79hbA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=rVYkq06fZXtReDG6eQJZCzc85C9VGIbYrxC+HYUPFPo=; b=er/EmahuyZP+cE+3KqH0pcZ9aXQl0SHe81VDzs5IJPx/l7xApJWnn+RlLXlaD+KbNaOXc8ShUZKMgoyTA+nySmqPiP+5MZWmC/KtKiD126tIVVdeEvSX+SP0LvTzStD8JzyXUWxTTcByi/s8EDKnpdWi2e2Xxzzq7VTnhoLMYfj2BnF25Mg2IdroIR6bf0pLjxLEkk7n3FyIBqrDNBm7hr1l01KKLb47b1hCkHCUFhj2H0HI7Qzfvqi3WYb1TkBWoWsopNUArsDc9aYIfO52tukcT0R7UZm+ksnsBdcysBRqBQECYmZQWn3WHO1wFs/fibrTYUK4kWIm3wDwCBQ3hg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=meta.com; dmarc=pass action=none header.from=meta.com; dkim=pass header.d=meta.com; arc=none
Received: from SA1PR15MB4370.namprd15.prod.outlook.com (2603:10b6:806:191::8) by MW4PR15MB4714.namprd15.prod.outlook.com (2603:10b6:303:10b::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7362.24; Tue, 5 Mar 2024 21:19:43 +0000
Received: from SA1PR15MB4370.namprd15.prod.outlook.com ([fe80::50:3dc9:3ace:9a3a]) by SA1PR15MB4370.namprd15.prod.outlook.com ([fe80::50:3dc9:3ace:9a3a%5]) with mapi id 15.20.7362.019; Tue, 5 Mar 2024 21:19:43 +0000
From: Ben Schwartz <bemasc@meta.com>
To: Mark Andrews <marka@isc.org>
CC: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, tirumal reddy <kondtir@gmail.com>, "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] draft-ietf-add-resolver-info-09
Thread-Index: AQHaX6ZqtEjuUSvbvE2KC+5fRqzto7ETVWqAgABRx4CAAFlBAIAAccMAgBU/DAOAABA4gIAABNsA
Date: Tue, 05 Mar 2024 21:19:43 +0000
Message-ID: <0F58ECB8-29EC-4592-98A8-6019356C72B6@meta.com>
References: <SA1PR15MB4370C02BF2458CFD28D06265B3222@SA1PR15MB4370.namprd15.prod.outlook.com> <077D27F8-03C1-4ECC-97BE-579ABF22563F@isc.org>
In-Reply-To: <077D27F8-03C1-4ECC-97BE-579ABF22563F@isc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA1PR15MB4370:EE_|MW4PR15MB4714:EE_
x-ms-office365-filtering-correlation-id: 33e87211-e48e-4736-a7ff-08dc3d59f9ce
x-fb-source: Internal
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: DLwsv5ITYUHdIEdjhnJyER3PvJnkBh3bUmZyf9ws4W4RolXGJzuZ22pZKotoAznrtReM2qXCzK9oInQ3Z9TXMEntp2m0/KUL1TYnZsDypPcywd+pAdW3+9Id0UryhqdXI0GX6CKZ7e8GDPa4uo0CDa3j2zTi9s/gksIgNWH+lh/M7DArPDNFuUJdYmphvG9Mx+5edP83dND9Na17vA1bHMOwdY5eSjNy1rKZwJ7Q64rPxHRsRrquhN1Hf538XxlW31C3BUKOUvp0HJMSRCnGFW830ZvU2ak/E6R3CCe11CbgSVi8DHW7Gknh/DXFlfMt/KsaE4Pj+wFPLYFDXCxvuQUWyWNA+OnToF4kngipsh0lJpQLeYnzOQo0glI0sr7nZLiXCcpyOC6DAXhR0B8QAUCyytSgzF8utQR/Lrfw3Hj158+JGHgvczGccAEHGI/G/A6JpsZ0C6Fljivc8s/3r2AwWoc+zxC9xT7X6lrCmkwO2rD/6KjYAb/1Ov33C1vcIaVEGKQbxsdihz5p5u0fI1sFXYTi1+/6rXME6lNeCSRGn3PoS6hnUPyrM9oXmT4EfyOeETinVWT7zRe+s2PlPzMbR1nT8PWwTI6ni/sbWehHjCNXgBCuPddK7uycJnBWOlCHrXTa72Dz1z2JtMbIphuJ71BVp7ZVzMCg0jmBo9s=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA1PR15MB4370.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(376005)(38070700009); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: gRyjgTn5nDORXQbbPW733reS2FKHc+fG7JAOHMgstUK/UDeGGNX1sW0XJq0XtoQyQHQxXw4YUswSbYMFDDNeBdWJPSAUkru/Vz7awbUfEGNlskz9sM7KAHXYWaOxxnyu0tLOjDEaC0gjSVxf4SLAY8/NrUjQ5x32x7wtY64pXhOgH+JrO3Rkp6DP4YIUIdVGFpU1KI3ZnaGOqNMPKLGq2cErh3GvY+sxD3tLlfN6obG3En8Vb8dRRLINY9OLbJNNf+wU0X/IlIpsA4twgJPbJ9/ooKqHPgUbjGnIcHJiYCFujKqzSMRsppYJG2WZF0gWF9Yg6IDiaX88iBx8+F54dRkHpnu0f/OwQhWnu/AVMVhshac8AFpgNtayw0Laz2DU+7Izdpc1y+cUTPslbDJ7NKrKvVPPsXvchQ92Igbdvlvln/LNVG5Ag8ZfbA0gThSw9d7wLL2KX7vv21yh7ocMkusICknvkJa0HLJd+sJzuyrm+36Uw7UOuDDMh3KuC25HjEXnlVHpMSUbKXjoYu6D30mno5+kMBC1Txa4Gd3axyMi5uBuHPGm+LLI44rQ4fm8VEqtmQSVSoWT2JEdz3+K032ZUSrcp5zHPjAK0yU849zfROpRpxZizqy1xMUNZElQ5xwLvcay75Uv+uaAK+peUxq5of89eAP9XOzSuGQoI0/jZbOnv3Wi/maxPVVnnxaDExbMWKxZNXWbbIkfJkNku3LIMdrPPVMnSc3i42Iy+4+MbyVDkwFlSxFTRX2mCH2wTg+UVtdS5asZFZ7NnKv16IRJeE8pxBhHgi7fKqWP+Re4KykDuOfJYdZ1G+BPOxIuZ+CkJDOYVWz2YJXgYw9uRrA1i4wtL5/xZRrHWlxZ7rE7bzu1eoaXNf6qpuVOON+U+cCjrgZjqVBD4KnYm5tAUINDeBrRj4SJk+8nujil05RbnOim8DODTmLdOG1S3BGQIUYw4NOjL5RhlpCLeQ6u9jDIyTAj1opCVIK8MImUWpb0/OinZ1pNjWlkOuOkwWp048b9RDdr2DQtw78afFoCK36ud8CQZTEcQhIrBcYq608+4r/SjyuuK94fAWVqU2rnIr1AX1f/ai57q9uuQVx/2tC6s9CKAYYfHa9hfnElUzqBguv78EoXjqs1aC8ghvwI7UNrt17ALRKSgjhg24AmNhvBoTCn8jmlPKcqat2NqAECosusf2zENavxK5hhKMSOSBQm8OIAKdZMFvrfhRVQjOdaVUc//sPcsF4fI3Ed03VBqL9fyFTuUdapcMRHXoQlazXozCrGBIoEqn8XBekbXdKKjoggUEks9ATFtgNpqTHgNwPLXRp/sFCGP3nH8kqauRFANMMZqFdAYbBZB5CO345L53rP+UyeIhgo6SfJEZvkWWAMVQnjmL/EEAygA+cznkSjR+PDo1N/c/Vjqtj0DtRl80WDAnhA5zgkoK3Zj8Kt4P00t6neQyAuTdpWzrFARwYo3V/M4wC/Y6zVTKeFvegzfSlPPYxtWaUd8Et9SFsfsVDIAITwAp9Ww76j2SztCeWTCtCibcOVXj4ZbmSgxrBxUU5465S5hLFWBczSPPdmIpDIulHxSRFtzcQX1TppEavbQibHQFIhHIFXxDCHnA==
Content-Type: multipart/alternative; boundary="_000_0F58ECB829EC459298A86019356C72B6metacom_"
X-OriginatorOrg: meta.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR15MB4370.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 33e87211-e48e-4736-a7ff-08dc3d59f9ce
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Mar 2024 21:19:43.2075 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: f0Pxhy6UZgUxnqYHeixGgxeM+tRVsvkZy5XXSpY7WNsSOBDr0LN6+4+lV4RpRKle
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR15MB4714
X-Proofpoint-GUID: Wh9ta2kD5IadvhDFVrT8ItOZ1Kunx7xA
X-Proofpoint-ORIG-GUID: Wh9ta2kD5IadvhDFVrT8ItOZ1Kunx7xA
X-Proofpoint-UnRewURL: 6 URL's were un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-03-05_18,2024-03-05_01,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/BbyQR3C85HsoeyJ4lLqFDLK6JF8>
Subject: Re: [Add] draft-ietf-add-resolver-info-09
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 21:20:07 -0000

On Mar 5, 2024, at 4:02 PM, Mark Andrews <marka@isc.org> wrote:

Stop using +short and look at all of the response including whether aa is set or not in the flags.

It is not set.  My complaint is that draft-ietf-add-resolver-info-11 doesn’t mention the AA bit at all.  It needs to instruct the client to inspect this bit, and reject the response if AA=0.

draft-11 still contains text about the record appearing in the Authority section, which could be equivalent to this, but that text is in a different section and its normative effect on the client is unclear.  I don’t object to that text, but I don’t think it’s sufficient as written, and I don’t think it’s necessary if the client is required to enforce AA=1.

—Ben


--
Mark Andrews

On 6 Mar 2024, at 07:09, Ben Schwartz <bemasc@meta.com> wrote:


Mark's suggestion is correct, but I don't think draft-11 captures it correctly.  The draft-11 text only says

   The DNS client MUST set the Recursion
   Desired (RD) bit of the query to 0 to ensure that the response is provided by the resolver.
   If the resolver does not support RESINFO, it will return an authoritative name error.

This is factually incorrect, as can be observed by sending an RD=0 query to an ordinary recursive resolver:

% dig +short +norecurse www.google.com<http://www.google.com> @1.1.1.1
142.251.167.104
142.251.167.147
142.251.167.99
142.251.167.106
142.251.167.103
142.251.167.105

Mark's suggestion is that the client verify that the response has AA=1.  That check ensures that the result was not populated insecurely over the network, but the draft doesn't mention it.

--Ben
________________________________
From: Add <add-bounces@ietf.org> on behalf of mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
Sent: Wednesday, February 21, 2024 2:37 AM
To: Mark Andrews <marka@isc.org>
Cc: tirumal reddy <kondtir@gmail.com>; add@ietf.org <add@ietf.org>
Subject: Re: [Add] draft-ietf-add-resolver-info-09

!-------------------------------------------------------------------|
  This Message Is From an External Sender

|-------------------------------------------------------------------!

Hi Mark, all,

We think this is fair. Thanks.

We created a PR to fix this: https://github.com/boucadair/add-resolver-information/pull/19/files.

Cheers,
Tiru & Med

> -----Message d'origine-----
> De : Add <add-bounces@ietf.org> De la part de Mark Andrews
> Envoyé : mercredi 21 février 2024 01:50
> À : Steffen Nurpmeso <steffen@sdaoden.eu>
> Cc : tirumal reddy <kondtir@gmail.com>; add@ietf.org
> Objet : Re: [Add] draft-ietf-add-resolver-info-09
>
> If a recursive server passes through a response with AA=1 it is
> broken. If a recursive  server forwards a query with RD=0 it is
> broken.  If a “recursive server” is just forwarding queries and
> responses the attacker will just put the response in the authority
> section.  The change of section provides no security. It doesn’t
> prevent problems. It is just change for changes sake.
>
> --
> Mark Andrews
>
> > On 21 Feb 2024, at 06:30, Steffen Nurpmeso <steffen@sdaoden.eu>
> wrote:
> >
> > tirumal reddy wrote in
> > <CAFpG3gd5GwSAoOs3SX2xWZyKVR7F5y-
> y1VxxbTmfooC4AWo5Mw@mail.gmail.com>:
> > |On Thu, 15 Feb 2024 at 06:02, Mark Andrews <marka@isc.org> wrote:
> > |> Why is it necessary to change the standard processing of queries
> > |> for RESINFO when we already have a signal (AA=1) about whether
> the
> > |> answer is coming from elsewhere or not ?
> > |
> > |It is introduced to handle a scenario where SUDN is used to
> discover
> > |the encrypted resolver, and if the discovered resolver does not
> > |support RESINFO, it will forward the query upstream. An attacker
> > |might provide a RESINFO response with AA=1. The proposed mechanism
> > |aims to help the client identify whether the response is coming
> from
> > |the discovered encrypted resolver.
> >
> > By the way i am really not worth being noted for anything
> > acknowledgeable regarding the work of this WG.  At all.
> > If you have another iteration of the document, i would prefer if you
> > would simply scratch my name from your work.
> > It is solely your work, for sure.
> > And the above is possibly very smart: my DNS work was two decades
> ago,
> > and i could not even tell whether i have ever seen authority section
> > entries being passed through or not.
> >
> > My main topics are simplicity so small teams can still exist
> > competetively as was true over two decades ago (ie, with knowing the
> > entire picture, not by delegating to "trusted" external modules in
> > uncounted numbers), when there were <3000 RFCs.
> >
> > As such i very much appreciated RFC 8499, but i alone from my
> > superficial out-of-interest reading have 17 DNS-related RFCs added
> > locally since then, plus the draft of yours and whatever else from
> > this WG.
> >
> > And a different way to get the TLS trust (or, rather, use existing
> > ways of various kind eg rpki, ikev2, or simply public keys as is
> done
> > by DKIM (certificates are a bit larger, but with the TCP that is
> more
> > and more needed per se, or QUIC; or even the permanent HTTP proxying
> > of everything, that is "no problem")) away from CA pools, to DNS/TLS
> +
> > DNSSEC zone records.  Thank you for that, too!
> >
> > Ciao, and greetings from Germany,
> >
> > --steffen
> > |
> > |Der Kragenbaer,                The moon bear,
> > |der holt sich munter           he cheerfully and one by one
> > |einen nach dem anderen runter  wa.ks himself off (By Robert
> > |Gernhardt)
>
> --
> Add mailing list
> Add@ietf.org
> https://eur03.safelinks.protection.outlook.com/?url=https://www<https://eur03.safelinks.protection.outlook.com/?url=https://www> .
> ietf.org<http://ietf.org/>%2Fmailman%2Flistinfo%2Fadd&data=05%7C02%7Cmohamed.boucadair%4
> 0orange.com<http://0orange.com/>%7C3a00adf00f6c4a88f66d08dc32770e24%7C90c7a20af34b40bfbc48b
> 9253b6f5d20%7C0%7C0%7C638440734117558876%7CUnknown%7CTWFpbGZsb3d8eyJWI
> joiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7
> C%7C&sdata=GUI2%2FfrtBz%2FtYaA8ZmAGjR2jzb8mcp%2BmewuFjMiI3CE%3D&reserv
> ed=0
____________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
--
Add mailing list
Add@ietf.org<mailto:Add@ietf.org>
https://www.ietf.org/mailman/listinfo/add<https://www.ietf.org/mailman/listinfo/add>

v2.23.0 | Report a Bug | By Email