Re: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt

Ben Schwartz <bemasc@meta.com> Wed, 13 December 2023 18:41 UTC

From: Ben Schwartz <bemasc@meta.com>
To: tirumal reddy <kondtir@gmail.com>
CC: "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt
Thread-Index: AQHaHq6eKhzxPwgDkEe16ytqMY6MzrCUanEAgAuU5SSABww3gIAAi2R3
Date: Wed, 13 Dec 2023 18:40:38 +0000
Message-ID: <BN8PR15MB3281A26AB9613B98361DC40FB38DA@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <170081382418.6627.11212053139133230296@ietfa.amsl.com> <CAFpG3geefWGUZOx_4OkL=g_Oj0Lw+vDehdimkX8ckH5OfMpOgg@mail.gmail.com> <BN8PR15MB32817DF02BCA15535651F07BB38AA@BN8PR15MB3281.namprd15.prod.outlook.com> <CAFpG3gfyD_dhDk5nGUeWSajGP+4nBKuocdy_Ra8jEtx4HntVNw@mail.gmail.com>
In-Reply-To: <CAFpG3gfyD_dhDk5nGUeWSajGP+4nBKuocdy_Ra8jEtx4HntVNw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/eZLMMU752EKdgb4xOpTLkGT0NvY>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt

On 12/13/23, 4:12 AM, "tirumal reddy" <kondtir@gmail.com> wrote:

I am uncertain about how moving the RESINFO to the authority section addresses the issue of a resolver not supporting RESINFO. In such a case, the resolver will forward the query upstream, and the client could potentially receive a positive RESINFO response either from a legitimate upstream DNS resolver or an attacker.

I believe that resolvers never place received information in the Authority section.  If relevant information is sent by the authority in the Authority section, the resolver will move it to the Answer section.  Thus, requiring RESINFO records from a resolver to appear in the Authority section is sufficient to prove that those records were produced locally by the resolver, not forwarded (potentially insecurely) from an upstream authority.



Detailed notes:

Section 3:

"By using the DNS server's domain name from the DDR SVCB response to issue the RESINFO query, a client accepts the risk that a resolver supports DDR but does not support RESINFO."
-> The "server's domain name for the DDR SVCB response" is not a defined value.  Maybe you mean "The SVCB TargetName"?

Yes, we will update the draft to use "SVCB TargetName".

This is an abuse of the SVCB TargetName, which is explicitly not intended to serve as an identity anchor for the service.  It is also incompatible with services like NextDNS that host many DNS servers with distinct behaviors on a single hostname (at different DoH paths or DoT ports).


…


"clients wishing to retrieve resolver information from resolvers discovered when performing DDR discovery using resolver IP address (Section 4 of [RFC9462]) MUST ensure during the TLS handshake that the TLS certificate presented by the resolver contains in its SubjectAltName (SAN) the domain name in the TargetName of the DDR SVCB response"
-> This rules out the use of RESINFO in Opportunistic DDR scenarios, which seems like a serious loss for debugging small networks.  It also interferes with the usual interpretation of SVCB TargetName and renders RESINFO incompatible with DANE.  It also fails to accomplish the desired authentication: if the name is unsigned or the resolver is non-validating, an upstream attacker could still have injected an arbitrary RESINFO response despite this attempted protection.

In the case of debugging, the validation rule discussed in the draft can be disabled using a configuration knob.

This seems strange to me.  RESINFO can replace “bind.version”, but only if the user changes a configuration knob?

However, I am uncertain about how RESINFO is incompatible with DANE. Could you please elaborate?

DANE does not require an X.509 certificate to exist at all: it can authorize bare keys.  If a certificate does exist, it is not always required to cover the name that would be expected without DANE.


Section 6:

"If the client cannot validate the attributes received from the resolver, which will be used for resolver selection or display to the end-user, the client should process those attributes only if the encrypted resolver has sufficient reputation according to local policy"
-> As above, this does not accomplish the desired authentication unless the reputation assessment specifically requires that the resolver is "RESINFO-aware" (which would be false of all resolvers today, regardless of reputation).

I don't see a problem. In cases where the trusted resolver does not support RESINFO, the client can identify a spoofed DNS response.

How?  A trusted resolver is still vulnerable to DNS cache poisoning on unsigned domains.

When RESINFO is provided by the trusted resolver, the client can process the attributes.

-Tiru


________________________________
From: Add <add-bounces@ietf.org> on behalf of tirumal reddy <kondtir@gmail.com>
Sent: Friday, December 1, 2023 7:42 AM
To: add@ietf.org
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt

This revision of the draft https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-08.html has been updated based on discussions during the presentation at IETF-118. Special thanks to Tommy Jensen for contributing text to this revision. The draft is now ready for progression to the next stage.

Cheers,
-Tiru

On Fri, 24 Nov 2023 at 13:47, <internet-drafts@ietf.org> wrote:
Internet-Draft draft-ietf-add-resolver-info-08.txt is now available. It is a
work item of the Adaptive DNS Discovery (ADD) WG of the IETF.

   Title:   DNS Resolver Information
   Authors: Tirumaleswar Reddy
            Mohamed Boucadair
   Name:    draft-ietf-add-resolver-info-08.txt
   Pages:   9
   Dates:   2023-11-24

Abstract:

   This document specifies a method for DNS resolvers to publish
   information about themselves.  DNS clients can use the resolver
   information to identify the capabilities of DNS resolvers.  How such
   an information is then used by DNS clients is out of the scope of the
   document.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-08.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-08

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


--
Add mailing list
Add@ietf.org
https://www.ietf.org/mailman/listinfo/add
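The Authority-section rule Ben proposes earlier in this thread (a client trusts RESINFO records only when the resolver placed them in the Authority section, since a RESINFO-unaware resolver that merely forwards an upstream answer will return whatever it received in the Answer section) can be expressed as a small client-side check over the DNS wire format. The example below is added here and is not code from the draft, from either author, or from any resolver implementation. It assumes the RESINFO RR type code 261 (the value IANA registered for RESINFO), a TXT-style RDATA of length-prefixed strings, and a hypothetical resolver name `resolver.example`; the two sample responses are constructed inline, with one modelling a resolver that generates RESINFO locally and one modelling a forwarded (possibly injected) answer on an unsigned name.

```python
"""Client-side RESINFO acceptance check: trust only Authority-section records.

Added example, not from the thread or the draft. Assumptions:
  - RESINFO RR type code is 261 (IANA-registered value for RESINFO)
  - RESINFO RDATA is TXT-like: a sequence of <length><chars> strings
  - resolver.example is a hypothetical resolver name
"""
import struct

RESINFO = 261       # assumed RR type code for RESINFO
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def encode_txt(strings) -> bytes:
    """TXT-style RDATA: each string prefixed with its one-byte length."""
    return b"".join(bytes([len(s)]) + s.encode("ascii") for s in strings)


def rr(name: str, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qname, qtype, answer=(), authority=(), additional=(), txid=0x1234) -> bytes:
    """Minimal DNS response (QR=1, RD=1, RA=1, NOERROR) with one question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answer), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(answer) + b"".join(authority) + b"".join(additional)


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Split a response into its answer / authority / additional sections."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
        sections[key] = rrs
    return sections


def decode_txt(rdata: bytes) -> list:
    out, off = [], 0
    while off < len(rdata):
        n = rdata[off]
        out.append(rdata[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return out


def local_resinfo(msg: bytes, expected_name: str) -> list:
    """RESINFO strings the client may treat as resolver-generated.

    Only RRs in the Authority section, owned by the queried name, qualify;
    anything in the Answer section is treated as forwarded from upstream.
    """
    trusted = []
    for name, rtype, rclass, _ttl, rdata in parse_response(msg)["authority"]:
        if rtype == RESINFO and rclass == CLASS_IN and name.lower() == expected_name.lower():
            trusted.extend(decode_txt(rdata))
    return trusted


# --- constructed sample responses (not captured traffic) ---------------------
QNAME = "resolver.example."
# Case 1: the resolver implements RESINFO and emits its own record in Authority.
LOCAL = build_response(QNAME, RESINFO, authority=[
    rr(QNAME, RESINFO, encode_txt(["qnamemin", "exterr=15-17", "infourl=https://resolver.example/info"]))])
# Case 2: a RESINFO-unaware resolver forwarded the query; the upstream answer
# (which an attacker could have injected for an unsigned name) is in Answer.
FORWARDED = build_response(QNAME, RESINFO, answer=[
    rr(QNAME, RESINFO, encode_txt(["qnamemin", "infourl=https://attacker.example/"]))])

if __name__ == "__main__":
    print("local    :", local_resinfo(LOCAL, QNAME))
    print("forwarded:", local_resinfo(FORWARDED, QNAME))
```

The check is deliberately narrow: it encodes the section rule from the thread and nothing more, so a resolver that copies upstream data into its Authority section would still defeat it; that is exactly the property Ben asserts resolvers do not have.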