IETF Logo Mail Archive

Re: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt

tirumal reddy <kondtir@gmail.com> Fri, 15 December 2023 08:07 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98612C14F736 for <add@ietfa.amsl.com>; Fri, 15 Dec 2023 00:07:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_HEX=0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 46RUfUkoaSab for <add@ietfa.amsl.com>; Fri, 15 Dec 2023 00:07:24 -0800 (PST)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3892C14F5F2 for <add@ietf.org>; Fri, 15 Dec 2023 00:07:23 -0800 (PST)
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-5451faa3aa7so87919a12.0 for <add@ietf.org>; Fri, 15 Dec 2023 00:07:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1702627642; x=1703232442; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=SSTYzng6OJeLOCdYWe5Hn2p/CEkoUovfxXdWg1nPv9Y=; b=f1CPrCnJi9tsgLbQ9ZAImESxIEgZOHmIgKtVUG5Dtbs4MDGeLr3Ik+POHvCIzQwM+n Ia+0WfyiSFACKeBLG+J4Xcaxm4Ddrn7JRVw+MYk0tryBpS/1vHKNgjEkgfNJE1DBxIzL vooGTxB0/fdVdCduSBuJXRBPA9GYYWKkxg4eAtBbB4rbwcqF1iPmdF+FbQmeiC50ztDk JqyBiVKqVZkTdZb07C9ew9pZG63Ko6b2EMJ06MkQSTQuZtB1TBeV3TMJyffocfBzl/E7 uabdFMf5+Kk07gH9Q8jqpuriOlCR6ZwQCrhzgQRruEzBDeMHO0MG0VAKu3Q2NCS6Bz4T siUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702627642; x=1703232442; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=SSTYzng6OJeLOCdYWe5Hn2p/CEkoUovfxXdWg1nPv9Y=; b=kbc349BaTHVeWc0vIknuh1BIuvXJUBHi4Hwc0muFKrqzyNQuRbsL2vXuqJqh+h2ECm /EuTjE59LKqyuYScFuMbbvPx91vh9UPnZPzkuZmIFMmqulXiZ1x4wvG2Iy1o89R+rOcG 8z1Icy/ET+VE70hvCLLqp93Ev1qVji6F+AOCTRnhS5nyO+QEY3BIJ7+Gku1SXNMAxpxk Sdg6OB8CC2IT+fAglQNWDMkhACKYd1hVk8fohCOY6g94oEtLkrEZ7ZKF/jz+NXzvDi26 1UbooqFGqYeBq+OWT+bFDIo/4jDi4PuhJ4/9pHzppVvGMITxBMuAntqCgabZxSSg94Ak 7geg==
X-Gm-Message-State: AOJu0YxAZ2QuI7DId02J2Jv89FQ/UN2qNPHyBKfAwRFFM5g17xVvFoc9 9W4JB7vQXkSxv3CS6hm4eknQjzCQNQBtehkw6/yGBM9cORw=
X-Google-Smtp-Source: AGHT+IGzGYGhmgU+DlcepkI0joHQhbklwYnvsTAxgdHObpNSYQAVQVp5Mlz5IvzHI1JOTJbDdAWVx7+v+758vdNC+z0=
X-Received: by 2002:a50:c099:0:b0:54c:c31d:a808 with SMTP id k25-20020a50c099000000b0054cc31da808mr13604563edf.0.1702627641483; Fri, 15 Dec 2023 00:07:21 -0800 (PST)
MIME-Version: 1.0
References: <170081382418.6627.11212053139133230296@ietfa.amsl.com> <CAFpG3geefWGUZOx_4OkL=g_Oj0Lw+vDehdimkX8ckH5OfMpOgg@mail.gmail.com> <BN8PR15MB32817DF02BCA15535651F07BB38AA@BN8PR15MB3281.namprd15.prod.outlook.com> <CAFpG3gfyD_dhDk5nGUeWSajGP+4nBKuocdy_Ra8jEtx4HntVNw@mail.gmail.com> <BN8PR15MB3281A26AB9613B98361DC40FB38DA@BN8PR15MB3281.namprd15.prod.outlook.com>
In-Reply-To: <BN8PR15MB3281A26AB9613B98361DC40FB38DA@BN8PR15MB3281.namprd15.prod.outlook.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 15 Dec 2023 13:36:44 +0530
Message-ID: <CAFpG3gcrLiZrg8gAs47be3=zgsbbSipExtuqzfzVOtn6pd_ZSQ@mail.gmail.com>
To: Ben Schwartz <bemasc@meta.com>
Cc: "add@ietf.org" <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c16664060c87e3a8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/W_4oPLZ53GajIjqLmKnlhfCLn4c>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2023 08:07:27 -0000

Hi Ben,

Please see inline

On Thu, 14 Dec 2023 at 00:10, Ben Schwartz <bemasc@meta.com> wrote:

>
>
> On 12/13/23, 4:12 AM, "tirumal reddy" <kondtir@gmail.com> wrote:
>
>
>
> I am uncertain about how moving the RESINFO to the authority section
> addresses the issue of a resolver not supporting RESINFO. In such a case,
> the resolver will forward the query upstream, and the client could
> potentially receive a positive RESINFO response either from a legitimate
> upstream DNS resolver or an attacker.
>
>
>
> I believe that resolvers never place received information in the Authority
> section.
>

Yes.


> If relevant information is sent by the authority in the Authority section,
> the resolver will move it to the Answer section.
>

Got it, if a client sees the RESINFO in the Answer section it would detect
that the response is not provided by the resolver and discards the
response. I like the proposed change.


> Thus, requiring RESINFO records from a resolver to appear in the Authority
> section is sufficient to prove that those records were produced locally by
> the resolver, not forwarded (potentially insecurely) from an upstream
> authority.
>

Agreed and RESINFO can be retrieved once a secure connection is established
with the encrypted DNS server, preventing any modification by an on-path
attacker.


>
>
>
>
>
>
> Detailed notes:
>
>
>
> Section 3:
>
>
>
> "By using the DNS server's domain name from the DDR SVCB response to issue
> the RESINFO query, a client accepts the risk that a resolver supports DDR
> but does not support RESINFO."
>
> -> The "server's domain name for the DDR SVCB response" is not a defined
> value.  Maybe you mean "The SVCB TargetName"?
>
>
>
> Yes, we will update the draft to use "SVCB TargetName".
>
>
>
> This is an abuse of the SVCB TargetName, which is explicitly not intended
> to serve as an identity anchor for the service.  It is also incompatible
> with services like NextDNS that host many DNS servers with distinct
> behaviors on a single hostname (at different DoH paths or DoT ports).
>

I don't see different DoH paths discussed in
https://my.nextdns.io/b7d9e4/setup#setup-guide, please point me to the
relevant link. The client would learn the ADN of resolver "
b7d9e4.dns.nextdns.io" using DNR and send DNS requests to the resolver to
get a signed response for RESINFO. Please elaborate on the attack possible
in the above scenario.

Anyways, with the change you proposed, there is no need to rely on 'SVCB
TargetName' :)


>
>
>
>
> …
>
>
>
>
>
> "clients wishing to retrieve resolver information from resolvers
> discovered when performing DDR discovery using resolver IP address (Section
> 4 of [RFC9462]) MUST ensure during the TLS handshake that the TLS
> certificate presented by the resolver contains in its SubjectAltName (SAN)
> the domain name in the TargetName of the DDR SVCB response"
>
> -> This rules out the use of RESINFO in Opportunistic DDR scenarios, which
> seems like a serious loss for debugging small networks.  It also interferes
> with the usual interpretation of SVCB TargetName and renders RESINFO
> incompatible with DANE.  It also fails to accomplish the desired
> authentication: if the name is unsigned or the resolver is non-validating,
> an upstream attacker could still have injected an arbitrary RESINFO
> response despite this attempted protection.
>
>
>
> In the case of debugging, the validation rule discussed in the draft can
> be disabled using a configuration knob.
>
>
>
> This seems strange to me. RESINFO can replace “bind.version”, but only if
> the user changes a configuration knob ?
>

>
> However, I am uncertain about how RESINFO is incompatible with DANE. Could
> you please elaborate ?
>
>
>
> DANE does not require an X.509 certificate to exist at all: it can
> authorize bare keys.  If a certificate does exist, it is not always
> required to cover the name that would be expected without DANE.
>

I don't think DDR works with DANE for verified discovery (it requires the
server to use a PKIX certificate).

Cheers,
-Tiru


>
>
>
>
> Section 6:
>
>
>
> "If the client cannot validate the attributes received from the resolver,
> which will be used for resolver selection or display to the end-user, the
> client should process those attributes only if the encrypted resolver has
> sufficient reputation according to local policy"
>
> -> As above, this does not accomplish the desired authentication unless
> the reputation assessment specifically requires that the resolver is
> "RESINFO-aware" (which would be false of all resolvers today, regardless of
> reputation).
>
>
>
> I don't see a problem. In cases where the trusted resolver does not
> support RESINFO, the client can identify a spoofed DNS response.
>
>
>
> How?  A trusted resolver is still vulnerable to DNS cache poisoning on
> unsigned domains.
>

>
> When RESINFO is provided by the trusted resolver, the client can process
> the attributes.
>
>
>
> -Tiru
>
>
>
>
> ------------------------------
>
> *From:* Add <add-bounces@ietf.org> on behalf of tirumal reddy <
> kondtir@gmail.com>
> *Sent:* Friday, December 1, 2023 7:42 AM
> *To:* add@ietf.org <add@ietf.org>
> *Subject:* Re: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt
>
>
>
> This revision of the draft https: //www. ietf.
> org/archive/id/draft-ietf-add-resolver-info-08. html has been updated based
> on discussions during the presentation at IETF-118. Special thanks to Tommy
> Jensen for contributing text to this revision.
>
> ZjQcmQRYFpfptBannerStart
>
> *This Message Is From an External Sender *
>
>
>
> ZjQcmQRYFpfptBannerEnd
>
> This revision of the draft
> https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-08.html has
> been updated based on discussions during the presentation at IETF-118.
> Special thanks to Tommy Jensen for contributing text to this revision. The
> draft is now ready for progression to the next stage.
>
>
> Cheers,
> -Tiru
>
>
>
> On Fri, 24 Nov 2023 at 13:47, <internet-drafts@ietf.org> wrote:
>
> Internet-Draft draft-ietf-add-resolver-info-08.txt is now available. It is
> a
> work item of the Adaptive DNS Discovery (ADD) WG of the IETF.
>
>    Title:   DNS Resolver Information
>    Authors: Tirumaleswar Reddy
>             Mohamed Boucadair
>    Name:    draft-ietf-add-resolver-info-08.txt
>    Pages:   9
>    Dates:   2023-11-24
>
> Abstract:
>
>    This document specifies a method for DNS resolvers to publish
>    information about themselves.  DNS clients can use the resolver
>    information to identify the capabilities of DNS resolvers.  How such
>    an information is then used by DNS clients is out of the scope of the
>    document.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-08.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-08
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>
>

v2.23.0 | Report a Bug | By Email