Re: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt
tirumal reddy <kondtir@gmail.com> Fri, 15 December 2023 08:07 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98612C14F736 for <add@ietfa.amsl.com>; Fri, 15 Dec 2023 00:07:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_HEX=0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 46RUfUkoaSab for <add@ietfa.amsl.com>; Fri, 15 Dec 2023 00:07:24 -0800 (PST)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3892C14F5F2 for <add@ietf.org>; Fri, 15 Dec 2023 00:07:23 -0800 (PST)
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-5451faa3aa7so87919a12.0 for <add@ietf.org>; Fri, 15 Dec 2023 00:07:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1702627642; x=1703232442; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=SSTYzng6OJeLOCdYWe5Hn2p/CEkoUovfxXdWg1nPv9Y=; b=f1CPrCnJi9tsgLbQ9ZAImESxIEgZOHmIgKtVUG5Dtbs4MDGeLr3Ik+POHvCIzQwM+n Ia+0WfyiSFACKeBLG+J4Xcaxm4Ddrn7JRVw+MYk0tryBpS/1vHKNgjEkgfNJE1DBxIzL vooGTxB0/fdVdCduSBuJXRBPA9GYYWKkxg4eAtBbB4rbwcqF1iPmdF+FbQmeiC50ztDk JqyBiVKqVZkTdZb07C9ew9pZG63Ko6b2EMJ06MkQSTQuZtB1TBeV3TMJyffocfBzl/E7 uabdFMf5+Kk07gH9Q8jqpuriOlCR6ZwQCrhzgQRruEzBDeMHO0MG0VAKu3Q2NCS6Bz4T siUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702627642; x=1703232442; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=SSTYzng6OJeLOCdYWe5Hn2p/CEkoUovfxXdWg1nPv9Y=; b=kbc349BaTHVeWc0vIknuh1BIuvXJUBHi4Hwc0muFKrqzyNQuRbsL2vXuqJqh+h2ECm /EuTjE59LKqyuYScFuMbbvPx91vh9UPnZPzkuZmIFMmqulXiZ1x4wvG2Iy1o89R+rOcG 8z1Icy/ET+VE70hvCLLqp93Ev1qVji6F+AOCTRnhS5nyO+QEY3BIJ7+Gku1SXNMAxpxk Sdg6OB8CC2IT+fAglQNWDMkhACKYd1hVk8fohCOY6g94oEtLkrEZ7ZKF/jz+NXzvDi26 1UbooqFGqYeBq+OWT+bFDIo/4jDi4PuhJ4/9pHzppVvGMITxBMuAntqCgabZxSSg94Ak 7geg==
X-Gm-Message-State: AOJu0YxAZ2QuI7DId02J2Jv89FQ/UN2qNPHyBKfAwRFFM5g17xVvFoc9 9W4JB7vQXkSxv3CS6hm4eknQjzCQNQBtehkw6/yGBM9cORw=
X-Google-Smtp-Source: AGHT+IGzGYGhmgU+DlcepkI0joHQhbklwYnvsTAxgdHObpNSYQAVQVp5Mlz5IvzHI1JOTJbDdAWVx7+v+758vdNC+z0=
X-Received: by 2002:a50:c099:0:b0:54c:c31d:a808 with SMTP id k25-20020a50c099000000b0054cc31da808mr13604563edf.0.1702627641483; Fri, 15 Dec 2023 00:07:21 -0800 (PST)
MIME-Version: 1.0
References: <170081382418.6627.11212053139133230296@ietfa.amsl.com> <CAFpG3geefWGUZOx_4OkL=g_Oj0Lw+vDehdimkX8ckH5OfMpOgg@mail.gmail.com> <BN8PR15MB32817DF02BCA15535651F07BB38AA@BN8PR15MB3281.namprd15.prod.outlook.com> <CAFpG3gfyD_dhDk5nGUeWSajGP+4nBKuocdy_Ra8jEtx4HntVNw@mail.gmail.com> <BN8PR15MB3281A26AB9613B98361DC40FB38DA@BN8PR15MB3281.namprd15.prod.outlook.com>
In-Reply-To: <BN8PR15MB3281A26AB9613B98361DC40FB38DA@BN8PR15MB3281.namprd15.prod.outlook.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 15 Dec 2023 13:36:44 +0530
Message-ID: <CAFpG3gcrLiZrg8gAs47be3=zgsbbSipExtuqzfzVOtn6pd_ZSQ@mail.gmail.com>
To: Ben Schwartz <bemasc@meta.com>
Cc: "add@ietf.org" <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c16664060c87e3a8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/W_4oPLZ53GajIjqLmKnlhfCLn4c>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2023 08:07:27 -0000
Hi Ben, Please see inline On Thu, 14 Dec 2023 at 00:10, Ben Schwartz <bemasc@meta.com> wrote: > > > On 12/13/23, 4:12 AM, "tirumal reddy" <kondtir@gmail.com> wrote: > > > > I am uncertain about how moving the RESINFO to the authority section > addresses the issue of a resolver not supporting RESINFO. In such a case, > the resolver will forward the query upstream, and the client could > potentially receive a positive RESINFO response either from a legitimate > upstream DNS resolver or an attacker. > > > > I believe that resolvers never place received information in the Authority > section. > Yes. > If relevant information is sent by the authority in the Authority section, > the resolver will move it to the Answer section. > Got it, if a client sees the RESINFO in the Answer section it would detect that the response is not provided by the resolver and discards the response. I like the proposed change. > Thus, requiring RESINFO records from a resolver to appear in the Authority > section is sufficient to prove that those records were produced locally by > the resolver, not forwarded (potentially insecurely) from an upstream > authority. > Agreed and RESINFO can be retrieved once a secure connection is established with the encrypted DNS server, preventing any modification by an on-path attacker. > > > > > > > Detailed notes: > > > > Section 3: > > > > "By using the DNS server's domain name from the DDR SVCB response to issue > the RESINFO query, a client accepts the risk that a resolver supports DDR > but does not support RESINFO." > > -> The "server's domain name for the DDR SVCB response" is not a defined > value. Maybe you mean "The SVCB TargetName"? > > > > Yes, we will update the draft to use "SVCB TargetName". > > > > This is an abuse of the SVCB TargetName, which is explicitly not intended > to serve as an identity anchor for the service. It is also incompatible > with services like NextDNS that host many DNS servers with distinct > behaviors on a single hostname (at different DoH paths or DoT ports). > I don't see different DoH paths discussed in https://my.nextdns.io/b7d9e4/setup#setup-guide, please point me to the relevant link. The client would learn the ADN of resolver " b7d9e4.dns.nextdns.io" using DNR and send DNS requests to the resolver to get a signed response for RESINFO. Please elaborate on the attack possible in the above scenario. Anyways, with the change you proposed, there is no need to rely on 'SVCB TargetName' :) > > > > > … > > > > > > "clients wishing to retrieve resolver information from resolvers > discovered when performing DDR discovery using resolver IP address (Section > 4 of [RFC9462]) MUST ensure during the TLS handshake that the TLS > certificate presented by the resolver contains in its SubjectAltName (SAN) > the domain name in the TargetName of the DDR SVCB response" > > -> This rules out the use of RESINFO in Opportunistic DDR scenarios, which > seems like a serious loss for debugging small networks. It also interferes > with the usual interpretation of SVCB TargetName and renders RESINFO > incompatible with DANE. It also fails to accomplish the desired > authentication: if the name is unsigned or the resolver is non-validating, > an upstream attacker could still have injected an arbitrary RESINFO > response despite this attempted protection. > > > > In the case of debugging, the validation rule discussed in the draft can > be disabled using a configuration knob. > > > > This seems strange to me. RESINFO can replace “bind.version”, but only if > the user changes a configuration knob ? > > > However, I am uncertain about how RESINFO is incompatible with DANE. Could > you please elaborate ? > > > > DANE does not require an X.509 certificate to exist at all: it can > authorize bare keys. If a certificate does exist, it is not always > required to cover the name that would be expected without DANE. > I don't think DDR works with DANE for verified discovery (it requires the server to use a PKIX certificate). Cheers, -Tiru > > > > > Section 6: > > > > "If the client cannot validate the attributes received from the resolver, > which will be used for resolver selection or display to the end-user, the > client should process those attributes only if the encrypted resolver has > sufficient reputation according to local policy" > > -> As above, this does not accomplish the desired authentication unless > the reputation assessment specifically requires that the resolver is > "RESINFO-aware" (which would be false of all resolvers today, regardless of > reputation). > > > > I don't see a problem. In cases where the trusted resolver does not > support RESINFO, the client can identify a spoofed DNS response. > > > > How? A trusted resolver is still vulnerable to DNS cache poisoning on > unsigned domains. > > > When RESINFO is provided by the trusted resolver, the client can process > the attributes. > > > > -Tiru > > > > > ------------------------------ > > *From:* Add <add-bounces@ietf.org> on behalf of tirumal reddy < > kondtir@gmail.com> > *Sent:* Friday, December 1, 2023 7:42 AM > *To:* add@ietf.org <add@ietf.org> > *Subject:* Re: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt > > > > This revision of the draft https: //www. ietf. > org/archive/id/draft-ietf-add-resolver-info-08. html has been updated based > on discussions during the presentation at IETF-118. Special thanks to Tommy > Jensen for contributing text to this revision. > > ZjQcmQRYFpfptBannerStart > > *This Message Is From an External Sender * > > > > ZjQcmQRYFpfptBannerEnd > > This revision of the draft > https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-08.html has > been updated based on discussions during the presentation at IETF-118. > Special thanks to Tommy Jensen for contributing text to this revision. The > draft is now ready for progression to the next stage. > > > Cheers, > -Tiru > > > > On Fri, 24 Nov 2023 at 13:47, <internet-drafts@ietf.org> wrote: > > Internet-Draft draft-ietf-add-resolver-info-08.txt is now available. It is > a > work item of the Adaptive DNS Discovery (ADD) WG of the IETF. > > Title: DNS Resolver Information > Authors: Tirumaleswar Reddy > Mohamed Boucadair > Name: draft-ietf-add-resolver-info-08.txt > Pages: 9 > Dates: 2023-11-24 > > Abstract: > > This document specifies a method for DNS resolvers to publish > information about themselves. DNS clients can use the resolver > information to identify the capabilities of DNS resolvers. How such > an information is then used by DNS clients is out of the scope of the > document. > > The IETF datatracker status page for this Internet-Draft is: > https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/ > > There is also an HTML version available at: > https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-08.html > > A diff from the previous version is available at: > https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-08 > > Internet-Drafts are also available by rsync at: > rsync.ietf.org::internet-drafts > > > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add > >
- [Add] I-D Action: draft-ietf-add-resolver-info-08… internet-drafts
- Re: [Add] I-D Action: draft-ietf-add-resolver-inf… tirumal reddy
- Re: [Add] I-D Action: draft-ietf-add-resolver-inf… Ben Schwartz
- Re: [Add] I-D Action: draft-ietf-add-resolver-inf… tirumal reddy
- Re: [Add] I-D Action: draft-ietf-add-resolver-inf… Ben Schwartz
- Re: [Add] I-D Action: draft-ietf-add-resolver-inf… tirumal reddy