Re: [Add] [EXTERNAL] New Version Notification for draft-jt-add-dns-server-redirection-02.txt

Ben Schwartz <bemasc@meta.com> Tue, 24 October 2023 19:48 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/add/dJY4JFX3b0xhFDUKIgXiDEll0nI>
List-Id: Applications Doing DNS <add.ietf.org>

Thanks for this revision.  I think the separation between Strict and Overlapping modes is helpful for reasoning about the behavior, and the Overlapping mode is a clever approach to inter-origin authorization.

I'm pretty sure that Overlapping mode still doesn't achieve the intended security property.  From a formal security perspective, it seems there's an assumption that the adversary and victim never share control of any domain.  That would be a bit weird today, but if we are imagining an international federated resolver network (as has been discussed in relation to this draft) then it's actually plausible.

Ultimately, this step seems like a very complicated workaround for DNS cache poisoning vulnerabilities, and I think the right solution is to simply remove those vulnerabilities.  That could be done by mandating DNSSEC (on the zone and at the resolver; no need for a validating stub) or by moving "edsr-domain" into a poisoning-resistant channel like EDNS.

Some more detailed notes:

Section 3.1.1:

"if the returned SVCB record indicates a server with a different domain name than the current encrypted DNS connection, the redirection MUST NOT be followed by the client".

Could you clarify?  Do you mean "If TargetName is not the same as the DNS server's hostname"?  That restriction would seem to preclude any redirection.  Maybe you mean "if the returned SVCB record leads the user to a server that cannot prove ownership of the DNS server's hostname (e.g., via a valid X.509 certificate or TLSA record)"?  If so, please rephrase, and clearly specify the SNI and authentication name (ADN).

"The destination server MAY use delegated credentials"

Delegated credentials are not compatible with arbitrary existing Encrypted DNS clients, so this strikes me as unsafe.  What if a pre-existing client follows this SVCB record and doesn't support delegated credentials?  I can think of various possible solutions, but the one that was mentioned at the last meeting was to define a new "delegated-credentials" SvcParamKey and put "mandatory=delegated-credentials" in the SvcParams for these endpoints.

Section 3.1.2:

"The presence of the "edsr-domain" key indicates that the redirection is going to a server with a different domain name than the current server. For DoT and DoQ redirection, this is sufficient."

I think "edsr-domain" should indicate a new DNS server hostname, causing the client to resolve _dns.$NEW_HOSTNAME/SVCB.  Otherwise, you are trying to share SvcParams across two different hosts, resulting in a variety of potential conflicts.  (For example, consider how "ech" would behave.)

"edsr-apex-domain" seems to be misnamed (there's no guarantee about where the zone cuts fall).  Also, it seems like it could just be a wildcard in the edsr-domain SvcParam.  Also, I can't understand how it's supposed to work, so maybe you could add an example.

--Ben
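The authorization logic argued over above (strict origin keeps the current ADN as the authentication name; overlapping origin needs client policy plus a certificate valid for both the previous and the new name; "mandatory=delegated-credentials" makes the record unusable for clients that lack the feature), written out as an added, constructed example that is not code from the draft or from either author. The SVCB dict shape, the SAN-list representation of the certificate, the host names, and the "delegated-credentials" SvcParamKey are assumptions.

```python
# Constructed model of the redirect authorization check discussed above.
# Assumptions: an SVCB record is a dict {"target": ..., "params": {...}},
# "mandatory" is a comma-separated SvcParamKey list, and the destination's
# certificate is represented by its list of SAN names. "delegated-credentials"
# is the hypothetical SvcParamKey proposed in the thread, not a registered one.

SUPPORTED_KEYS = {"alpn", "port", "ipv4hint", "ipv6hint", "dohpath", "edsr-domain"}


def cert_covers(san_names, hostname):
    """True if hostname matches a SAN entry exactly or via a single-label wildcard."""
    hostname = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == hostname:
            return True
        if (san.startswith("*.") and san.count(".") == hostname.count(".")
                and hostname.endswith(san[1:])):
            return True
    return False


def authorize_redirect(current_adn, svcb, dest_cert_sans, overlapping_ok=False):
    """Decide whether a client may follow an SVCB redirect. Returns (allowed, reason)."""
    params = svcb["params"]
    # RFC 9460: a record whose "mandatory" list names a key the client does not
    # understand is unusable, so mandatory=delegated-credentials protects old clients.
    mandatory = set(filter(None, params.get("mandatory", "").split(",")))
    unsupported = mandatory - SUPPORTED_KEYS
    if unsupported:
        return False, f"unusable: mandatory keys not supported {sorted(unsupported)}"
    new_adn = params.get("edsr-domain")
    if new_adn is None:
        # Strict origin: the destination must still prove ownership of the
        # current ADN, so SNI and authentication name stay unchanged.
        if cert_covers(dest_cert_sans, current_adn):
            return True, f"strict: {svcb['target']} authenticated as {current_adn}"
        return False, f"strict: certificate does not cover {current_adn}"
    # Overlapping origin: only with explicit client policy, and the hop must hold
    # a certificate valid for both the previous and the new name.
    if not overlapping_ok:
        return False, "overlapping: no client policy permits a name change"
    for name in (current_adn, new_adn):
        if not cert_covers(dest_cert_sans, name):
            return False, f"overlapping: certificate does not cover {name}"
    # The new ADN becomes the origin; its own _dns.<name> SVCB is resolved next.
    return True, f"overlapping: authenticated as {new_adn}; resolve _dns.{new_adn} SVCB"


if __name__ == "__main__":
    rec = {"target": "eu1.example.net", "params": {"alpn": "dot"}}
    print(authorize_redirect("dns.example.net", rec, ["eu1.example.net"]))
```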
________________________________
From: Add <add-bounces@ietf.org> on behalf of Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>
Sent: Sunday, October 22, 2023 8:12 PM
To: ADD Mailing list <add@ietf.org>
Subject: [Add] FW: [EXTERNAL] New Version Notification for draft-jt-add-dns-server-redirection-02.txt


Greetings ADD,

JT, Corey, and I have submitted a long-overdue revision to the EDSR proposal. It's a pretty heavy re-write, so we recommend you re-read it. Spoiler alert: the draft requires "strict origin" redirection support and recommends use of Delegated Credentials when the threat model calls for redirection to servers the DNS operator does not want directly possessing the name's private key.

The "redirect to another name" concept has been made into an alternative, totally optional mode called "overlapping origin" that requires each hop in the redirection to have a valid cert both for the new name and the previous name. The draft goes into detail about the scenario that would lead an implementor to use overlapping origin but describes why the scope is limited (general clients should never be expected to support it in the absence of client policy that dictates it's ok for some reason, such as expected name/server relationships).

Yes, I was that lazy and left TODOs instead of validating doc references. Consider that editorial work we will do after adoption; there should be no ambiguity about the docs being referenced for the purposes of adoption consideration.

Datatracker link: https://datatracker.ietf.org/doc/draft-jt-add-dns-server-redirection/

Thanks,
Tommy

-----Original Message-----
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Sunday, October 22, 2023 5:01 PM
To: C. Mosher <cmosher@gmail.com>; J. Todd <jtodd@quad9.net>; Tommy Jensen <Jensen.Thomas@microsoft.com>; Corey Mosher <cmosher@gmail.com>; John Todd <jtodd@quad9.net>; Tommy Jensen <Jensen.Thomas@microsoft.com>
Subject: [EXTERNAL] New Version Notification for draft-jt-add-dns-server-redirection-02.txt

A new version of Internet-Draft draft-jt-add-dns-server-redirection-02.txt has been successfully submitted by T. Jensen and posted to the IETF repository.

Name:     draft-jt-add-dns-server-redirection
Revision: 02
Title:    Handling Encrypted DNS Server Redirection
Date:     2023-10-22
Group:    Individual Submission
Pages:    15
URL:      https://www.ietf.org/archive/id/draft-jt-add-dns-server-redirection-02.txt
Status:   https://datatracker.ietf.org/doc/draft-jt-add-dns-server-redirection/
HTML:     https://www.ietf.org/archive/id/draft-jt-add-dns-server-redirection-02.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-jt-add-dns-server-redirection
Diff:     https://author-tools.ietf.org/iddiff?url2=draft-jt-add-dns-server-redirection-02

Abstract:

   This document defines Encrypted DNS Server Redirection (EDSR), a
   mechanism for encrypted DNS servers to redirect clients to other
   encrypted DNS servers.  This enables dynamic routing to geo-located
   or otherwise more desirable encrypted DNS servers without modifying
   DNS client endpoint configurations or the use of anycast by the DNS
   server.



The IETF Secretariat

