IETF Logo Mail Archive

Re: [Add] Paul Wouters' Discuss on draft-ietf-add-resolver-info-12: (with DISCUSS)

Paul Wouters <paul@nohats.ca> Tue, 02 April 2024 14:03 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0409C14F61C; Tue, 2 Apr 2024 07:03:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U0nzYGs1Zr8w; Tue, 2 Apr 2024 07:03:36 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6535AC14F5E4; Tue, 2 Apr 2024 07:03:33 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4V88jt0Y0HzFVq; Tue, 2 Apr 2024 16:03:30 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1712066610; bh=lB2lDJZ941mu7tYp1m3igjTossj05MJpJPrIVutHb08=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=PMaEpuh1xcgAvf0Odih8zZQLruOXUDrt2PdtgLmm40e2oA/I7pVc+B568il4DwbON 5mMFcCrGJpCaYNqJnSVwB8FXlDqnvQ15mSjNL0s9Pc5/caPigK7odpbp5517FG45iw Vquehzw0AWfQnTlbyAplgjANjETizAyF5BPzwOmc=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id sTwh6xEVyVkP; Tue, 2 Apr 2024 16:03:29 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 2 Apr 2024 16:03:28 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id D642B11AE95F; Tue, 2 Apr 2024 10:03:27 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id D4F8A11AE95E; Tue, 2 Apr 2024 10:03:27 -0400 (EDT)
Date: Tue, 02 Apr 2024 10:03:27 -0400
From: Paul Wouters <paul@nohats.ca>
To: mohamed.boucadair@orange.com
cc: tirumal reddy <kondtir@gmail.com>, Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>, "draft-ietf-add-resolver-info@ietf.org" <draft-ietf-add-resolver-info@ietf.org>, "add-chairs@ietf.org" <add-chairs@ietf.org>, "add@ietf.org" <add@ietf.org>, "tojens@microsoft.com" <tojens@microsoft.com>
In-Reply-To: <DU2PR02MB1016011E1C399D5EC90BD1FFE883E2@DU2PR02MB10160.eurprd02.prod.outlook.com>
Message-ID: <eb7273d2-307b-5c19-8ba7-0fd7691c07ca@nohats.ca>
References: <171184989711.29383.9811877433419506782@ietfa.amsl.com> <CAFpG3gdGMgv6H=CkVLvwk=EBXQBFWXfwSbbC-M1z0P_kqukF2w@mail.gmail.com> <DU2PR02MB1016011E1C399D5EC90BD1FFE883E2@DU2PR02MB10160.eurprd02.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Q4dMyHZ-eBlg42RyfODj5cXAxGw>
Subject: Re: [Add] Paul Wouters' Discuss on draft-ietf-add-resolver-info-12: (with DISCUSS)
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2024 14:03:40 -0000

On Tue, 2 Apr 2024, mohamed.boucadair@orange.com wrote:

> De : tirumal reddy <kondtir@gmail.com>
> Envoyé : lundi 1 avril 2024 14:30
> À : Paul Wouters <paul.wouters@aiven.io>
> Cc : The IESG <iesg@ietf.org>; draft-ietf-add-resolver-info@ietf.org; add-chairs@ietf.org; add@ietf.org; tojens@microsoft.com
> Objet : Re: Paul Wouters' Discuss on draft-ietf-add-resolver-info-12: (with DISCUSS)

>               DNS clients can use the resolver information to identify the
>               capabilities of DNS resolvers.
>
>       It then defines qnamein, exterr and infourl. The latter should not be used
>       by the DNS client. So what should a DNS client do with the information
>       that QNAME Minimalization is used, or that the DNS resolver code base
>       supports EDE (but EDE might not be in use anyway). What behavioral
>       change is expected from "DNS Clients" that are targeted by this document?
>       If no change in behavior is expected, why should a DNS client support and
>       perform this query?
> 
> The specific policy on how the client will use the discovered resolver information is outside the scope of ADD WG charter.

This is sadly another instance of this problem yes. You are defining
protocol and server side but not client side. Whenever a security
issue comes up that would need client consideration, this escape
hatch is used. It is basically ignoring security issues raised.

>  Hence, the behavior change
> expected from DNS clients is not explicitly defined. For instance, the client may give higher precedence to a resolver that offers QNAME minimization

Sure, although I would be surprised if a network rolls out handing out
different nameservers to use with different policies enabled on them.

> versus a resolver that does not support it. Another example, could be the client could notify the end-user that the resolver will perform filtering (e.g.,
> EDE codes 4 and 16). This notification can help to inform the end-user and client about the resolver's error handling capability. 

If it notifies the DNS client, this becomes a security issue. It is
basically telling the client "expect DNSSEC indeterminate or bogus
resolutions". It is exactly what a rogue network would say that
is attacking the user.

> [Med] ACK. The WG charter has the following:
> 
> “Making any recommendations about specific policies for clients
> or servers is out of scope.”

As previously discussed on other documents, you can't really specify
server behaviour without client behaviour. It is an incomplete security
model.

>       Furthermore, none of the answers can be trusted without some form of
>       enterprise provisioning.
> 
> No, browsers can be pre-configured with trusted recursive resolvers offered by ISPs.

Which is provisioning (by enterprise or phone vendor) and leads to more
(DNS) centralization that I consider harmful for the internet to build
into our protocols.

>       Why inform the resolver is using qname minimalization? What makes this
>       optional special, compared to other things like 0x20 support, the infra-rr
>       hardering support, DNSSEC support? Why is it not providing keywords for
>       DoH or DoT or DoQ support? Why not show what normally would be in the
>       CHAOS version.bind data like dns implementation name and version?
> 
> The WG has agreed on the three attributes and a registry is added with specification required as the registry procedure to add new 
> attributes in future specifications.

That does not answer my qustion.

> [Med] Added a new sentence to clarify the rationale for selecting this **initial** set of information:
> 
> NEW:
> 
>    That information is selected because it
>    provides benefits to the security and privacy of DNS data.  Other
>    information can be registered in the future per the guidance in
>    Section 8.2.

Now it gets more complicated. Benefiting the DNS client, but we can't
talk about exactly how this affects the DNS client behaviour as it is
out of scope. So it says "this helps the DNS client's security, but
we cannot discuss this in detail as DNS client policy is out of scope".

>       If the DNS client would behave differently based on the setting of
>       qnamein, what would it be and how would it determine the security of
>       the returned value (eg why wouldn't the target DNS resolver just lie to
>       cause the DNS Client to do whatever behavior it does differently when
>       it sees qnamein?). If this is meant only for administrators doing DNS
>       diagnostics, why not ONLY return an infourl and have qnamein and exterr
>       contained in infourl, or even more keywords based on a DNS yang model
>       list of keywords?

This is unanswered.

>       What is the DNS Client expected to do with the exterr values returned?
>       What does "supported" mean, eg versus "configured".
> 
> It means the DNS server is configured to return the exterr values. we will replace "supported" with "configured" for clarity. 

Okay, that is clearer, thanks.

> [Med] Please see: Paul's review by boucadair · Pull Request #29 · boucadair/add-resolver-information (github.com)
> 
>  
>
>       What different
>       DNS Client behavior is expected based on this value?
>
>       The "infourl" seems a bit risky. While the documents tries to limit
>       the impact, I don't understand its approach.
>  
> 
> The "infourl" is typically meant for IT staff for troubleshooting purposes.

The goal I understand, the approach to get to that goal I don't.

>
>       Why insist on "https" ? It's a public API that anyone that can query
>       the nameserver can presumably retrieve anyway? That is, I assume such
>       a infourl would not require HTTP level authentication. I don't see why
>       it should be forced over https.
> 
> Yes, HTTP level authentication is not required. HTTPS was explicitly mentioned to avoid providing the information over insecure HTTP.

What is insecure about HTTP when the target URL is advertised and
available to everyone? Are you afraid someone attacks this stream
of data and rewrites it? What would be attack be useful for ?

>       Why is the information presented a text/html and not plaintext ? Or
>       json? Or yang? This would avoid various risks of exposure to the enduser
>       which are not meant to consume this anyway according to the document.
>
>               The URL SHOULD be treated only as diagnostic
>
>       Why is that not the case for qnamein and exterr?
>       Why is that not a MUST?
>
>        
>
>       [Med] because this can be relaxed by the condition in the MAY right after.
> 
> 
>
>               A DNS client MAY choose to display the URL to the end user
>
>       Why is this not a MUST NOT ?
>
>       [Med] Because a user can have a policy to trust a specific resolver.

But we are not talking about endusers here but about IT administrators,
so whether or not the enduser trusts this is not relevant?

>
>               if and only if the encrypted resolver has sufficient reputation
>
>       This is not something an implementer can write code for reading the RFC.
>       It further more pushes centralization towards "reputable DNS resolvers".
>       How does the DNS client get updates about the reputable status of a DNS
>       resolver?
> 
> DNS clients, such as web browsers, typically update their trusted recursive resolvers (TRR). The process of updating the TRR can happen through software
> updates or other automated mechanisms.

See my earlier point about this protoocl stimulating internet centralization.


I will think about what to do with my ballot. Thanks for the answers
provided.

Paul

v2.23.0 | Report a Bug | By Email