IETF Logo Mail Archive

Re: [Add] Secdir last call review of draft-ietf-add-split-horizon-authority-06

tirumal reddy <kondtir@gmail.com> Mon, 11 December 2023 09:30 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C25EC14F5E2; Mon, 11 Dec 2023 01:30:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ngWPU9ZQHwY2; Mon, 11 Dec 2023 01:30:42 -0800 (PST)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BBF0C14F5FD; Mon, 11 Dec 2023 01:30:42 -0800 (PST)
Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-a1b6524f24fso134295166b.0; Mon, 11 Dec 2023 01:30:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1702287040; x=1702891840; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=WOlnk/uREBU94jv8RxSp6Ube+ADFeM6c2ZhagFQy3vA=; b=VLp0b///EwEnBwRq0Xxey2LbMgLfnAQuZbac4cqh92FG1uPglq4Omj1/uYeUVsRJVK lYLqaKhahKhQk/VBngmM76nGagyLGQuFHpHKvKAq3WbW0+qdYLO4znNWaQi2sx71PrCQ IJiIe55Q+cze+HlCxwj2PfSWNOsVrtrTnH002uc1nnERmp6ph+uGksNCxAV6KB5p3z8a aZLMYeLbpxoOYytKxTU+eurnbuYemKrFtQwKj3Z+oyiCPjpZWfiZ07nCG9NBE2yQvnfv CRSnCAhmd3P5LcN4Z1A7VnMyyNDYKg4NjXJRSsIqEMaQjbScG644A9BefbO2O5cBWRng tDfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702287040; x=1702891840; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=WOlnk/uREBU94jv8RxSp6Ube+ADFeM6c2ZhagFQy3vA=; b=MMXHs9FUGcpq1g20YKTLtnxACFSB223v4mAtd8vCBMbWnFArhBb3s0xUmJaqLyM+MS OTQAHqyVc2QVl2Np1xbzU2Lf/CMy7bUMSVZ9jxiMvW00u1RisqSDRL0JYkgJIZHHnrYj 41wcp6XUjnefHcPcP+28Ta4P1kaj3lPwzPUMkp9/lnC2p9wgLHGoryvlEfoPG3H+duGn coQ1aJWFbIcrVhFTjg2/JK3RIYuZOm7PQP7oUR84bpSxAlTAA6DBKcx7lTF25GtKP4de piJsnszNEgBmhgTVww3FuntRFneCEN3mR2Ec2DY90P+GQPA5J9hXzhKrnc+KNVeI4xVa nScA==
X-Gm-Message-State: AOJu0YyQ6BdzEUQgnuhhAite47ZgLH3JNJIjD77uLYhqDq2DjAQECH1x V9a1/sEC0ocN97brKZZtUBHZEg5y+hXXqf0lYSo=
X-Google-Smtp-Source: AGHT+IExgB9hhLaoLSOygw2ngQnM4YG0jPDpdexxweqWgvTqFd5vYzRBrE3JAJ0+ynBmIrMf2yicKkvWIf3i3VUb8XU=
X-Received: by 2002:a17:907:a789:b0:9e6:c282:5bd5 with SMTP id vx9-20020a170907a78900b009e6c2825bd5mr4064359ejc.3.1702287039966; Mon, 11 Dec 2023 01:30:39 -0800 (PST)
MIME-Version: 1.0
References: <170083930871.21994.4048146604458912427@ietfa.amsl.com> <CAFpG3gdyNaemuj1Rw39bt7U6NukO8ASX7NVrj89aDqdKB3Rz0Q@mail.gmail.com> <CACsn0ckKUJLsRvxfFvBfp2vKqGykZQzH27BobkH12y_zdgJNrw@mail.gmail.com>
In-Reply-To: <CACsn0ckKUJLsRvxfFvBfp2vKqGykZQzH27BobkH12y_zdgJNrw@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 11 Dec 2023 15:00:03 +0530
Message-ID: <CAFpG3gfA=oKv-y7cgq1-EVf0+R-Z3qmsC0RNgCOSU4aWyJ7oeQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: secdir@ietf.org, add@ietf.org, draft-ietf-add-split-horizon-authority.all@ietf.org, last-call@ietf.org
Content-Type: multipart/alternative; boundary="00000000000052b1b9060c38960a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/DVp0q5AjaVxluSNiJCkt0l4tWZQ>
Subject: Re: [Add] Secdir last call review of draft-ietf-add-split-horizon-authority-06
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Dec 2023 09:30:47 -0000

On Sat, 9 Dec 2023 at 06:02, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Mon, Nov 27, 2023 at 10:23 PM tirumal reddy <kondtir@gmail.com> wrote:
> >
> > On Fri, 24 Nov 2023 at 20:51, Watson Ladd via Datatracker <
> noreply@ietf.org> wrote:
> >>
> >> Reviewer: Watson Ladd
> >> Review result: Has Issues
> >>
> >> I have reviewed this document as part of the security directorate's
> ongoing
> >> effort to review all IETF documents being processed by the IESG. These
> comments
> >> were written primarily for the benefit of the security area directors.
> Document
> >> editors and WG chairs should treat these comments just like any other
> last call
> >> comments.
> >>
> >> The summary of the review is has issues. I found a few editorial
> things, and
> >> have one question, but I suspect that these can be resolved easily.
> >>
> >> Firstly the description of split horizon seems to say that any time the
> >> resolver is authoritative for just some names and recurses for others.
> I don't
> >> think this is right: the split is that the answers given are different
> from
> >> what they are for any other resolver, and that's what creates the need
> for this
> >> draft. This is defined correctly in section 2, it's just a need to
> reword the
> >> intro slightly.
> >
> >
> > Sure, we will fix the text as follows:
> > If this resolver acts as an authoritative server for some names and
> provides different answers for those domains depending on the source of the
> query, we say that the network has "split-horizon DNS", because those names
> resolve in this way only from inside the network.
>
> Sounds good.
>
> >
> >>
> >>
> >> In Section 5 I think more clarity is needed about which DNS name needs
> to
> >> match, and how the matching is to be done, perhaps citing a UTA doc. I
> think
> >> what's supposed to be said is that the ADN is a subjectAltName matching
> under
> >> RFC 6125.
> >
> >
> > It is discussed in the third paragraph of Section 5. For instance, in
> the case of DNR, the DNS client would anyway do PKIX validation and
> validation technique in RFC 6125 (see
> https://www.rfc-editor.org/rfc/rfc9463.html#section-3.3). The DNS client
> would have to check if the name of the local encrypted resolver matches the
> ADN in any one of the authorization claims.
>
> I was about to say that now that I've looked again at it I'm
> deconfused, but on thinking some more I'm confused again.
>
> How about switching to the following to make it clear? "If the local
> resolver is identifed by name, the name used to find it must equal the
> ADN in an authorization name used to convey authority for the domain
> being looked up. Otherwise the ADN must be presented on an X509
> certificate shown by the resolver, according to the rules in RFC
> 6125".
>

I propose the following change:

If the local encrypted resolver is identified by name (e.g., DNR), that
identifying name MUST be the one used in any corresponding Authorization
Claim. Otherwise (e.g., DDR using IP addresses), the resolver MUST present
a PKIX certificate containing a subjectAltName that matches the
Authorization Claim using the validation techniques for matching as
described in [RFC6125].

-Tiru


>
> Sincerely,
> Watson
>
> --
> Astra mortemque praestare gradatim
>

v2.23.0 | Report a Bug | By Email