Re: [Add] draft-ietf-add-resolver-info-09
Mark Andrews <marka@isc.org> Tue, 05 March 2024 23:30 UTC
Return-Path: <marka@isc.org>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD31CC14F695 for <add@ietfa.amsl.com>; Tue, 5 Mar 2024 15:30:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="JvZRmm+x"; dkim=pass (1024-bit key) header.d=isc.org header.b="fnoTjOlK"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7IVXm43RK107 for <add@ietfa.amsl.com>; Tue, 5 Mar 2024 15:30:53 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C4C8C14F618 for <add@ietf.org>; Tue, 5 Mar 2024 15:30:52 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id A27AF3AB1B9; Tue, 5 Mar 2024 23:30:51 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org A27AF3AB1B9
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1709681451; cv=none; b=cugpNJnDJse5En+dnPgfFEw6tjRRDl2DvoYhPSNq21uZkQZ+fRgAGcJ7ddtmXAXXES5SSuXkD84Ly8F7AXoBt2tTEuPhdUmekBPAjisv6KW0pOROnNzzo6wmmbQWyTAiQoarL/b2b7QWBXkcd4YR33bS951mooLTqP1A24J3piY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1709681451; c=relaxed/relaxed; bh=72ZEebFj9H7ehrXmLlZhmMF1hkcimZdghToIX9IMGH0=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=hlOhOacdedWYy/uy9ELo7vmXF8zn18ytopz2clkHg56cY/rnfpi4DiWteR2CTMiqKCbm0emtt/07TezNgaq4f/6HihMQHf+it8PkcGphNincSL4pXa9uZpEtoc5LosW2QkHEOWHPTmxENuv/D7KYCbv1rCsG/9YO/pb3E4GhWdY=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org A27AF3AB1B9
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1709681451; bh=QYj4WeD1LEWLQHDkoXDpSJEpVSXvZjgk4TC9sOAqdGU=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=JvZRmm+xKDASEcx36P8r+VX1WwLlIp8diipn0d7StjFRHFlpJvVwW7sVQ1R24Td9i TCAxhA4aeG2xJYQPXiy0d9Iywcf/KBz7obmarkKx+jT+rmNTTYTh6VgoIhx7Xfobeq ouT2v9xxggOZwxIwBLwi5izo0CAGrry1xTiXTdUM=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 9AAAE1160E87; Tue, 5 Mar 2024 23:30:51 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 780581161AD7; Tue, 5 Mar 2024 23:30:51 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 780581161AD7
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1709681451; bh=72ZEebFj9H7ehrXmLlZhmMF1hkcimZdghToIX9IMGH0=; h=Mime-Version:From:Date:Message-Id:To; b=fnoTjOlKOo+PGdPhR3lO/C/8CxDX/h5LHsh9zaFaIQlzflo9VbwtVAX4baztqmjCT oKlcWgDRQT+SlnKIh66Y/xvOuFWJ2g4HIY5828BFb4HUS//UsAwu1zvU30Cv5UCNP3 5qVp7gCYtc3IiA69m4mOXJWdCCyJHXFMX1/Mlv6o=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id VWe4Wo-U8RcY; Tue, 5 Mar 2024 23:30:51 +0000 (UTC)
Received: from smtpclient.apple (n49-187-18-238.bla1.nsw.optusnet.com.au [49.187.18.238]) by zimbrang.isc.org (Postfix) with ESMTPSA id 5EE181160E87; Tue, 5 Mar 2024 23:30:50 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <0F58ECB8-29EC-4592-98A8-6019356C72B6@meta.com>
Date: Wed, 06 Mar 2024 10:30:45 +1100
Cc: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, tirumal reddy <kondtir@gmail.com>, "add@ietf.org" <add@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E845DAED-6428-4EA1-855C-861411F56A2D@isc.org>
References: <SA1PR15MB4370C02BF2458CFD28D06265B3222@SA1PR15MB4370.namprd15.prod.outlook.com> <077D27F8-03C1-4ECC-97BE-579ABF22563F@isc.org> <0F58ECB8-29EC-4592-98A8-6019356C72B6@meta.com>
To: Ben Schwartz <bemasc@meta.com>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/edRaHPjlf2UERONWgO25ANlEP6I>
Subject: Re: [Add] draft-ietf-add-resolver-info-09
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 23:30:57 -0000
> On 6 Mar 2024, at 08:19, Ben Schwartz <bemasc@meta.com> wrote: > > >> On Mar 5, 2024, at 4:02 PM, Mark Andrews <marka@isc.org> wrote: > >> Stop using +short and look at all of the response including whether aa is set or not in the flags. > > It is not set. My complaint is that draft-ietf-add-resolver-info-11 doesn’t mention the AA bit at all. It needs to instruct the client to inspect this bit, and reject the response if AA=0. Yep. > draft-11 still contains text about the record appearing in the Authority section, which could be equivalent to this, but that text is in a different section and its normative effect on the client is unclear. I don’t object to that text, but I don’t think it’s sufficient as written, and I don’t think it’s necessary if the client is required to enforce AA=1. That whole paragraph should be removed. > —Ben > >> >> -- >> Mark Andrews >> >>> On 6 Mar 2024, at 07:09, Ben Schwartz <bemasc@meta.com> wrote: >>> >>> Mark's suggestion is correct, but I don't think draft-11 captures it correctly. The draft-11 text only says >>> >>> The DNS client MUST set the Recursion >>> Desired (RD) bit of the query to 0 to ensure that the response is provided by the resolver. >>> If the resolver does not support RESINFO, it will return an authoritative name error. >>> >>> This is factually incorrect, as can be observed by sending an RD=0 query to an ordinary recursive resolver: >>> >>> % dig +short +norecurse www.google.com @1.1.1.1 >>> 142.251.167.104 >>> 142.251.167.147 >>> 142.251.167.99 >>> 142.251.167.106 >>> 142.251.167.103 >>> 142.251.167.105 >>> >>> Mark's suggestion is that the client verify that the response has AA=1. That check ensures that the result was not populated insecurely over the network, but the draft doesn't mention it. >>> >>> --Ben >>> From: Add <add-bounces@ietf.org> on behalf of mohamed.boucadair@orange.com <mohamed.boucadair@orange.com> >>> Sent: Wednesday, February 21, 2024 2:37 AM >>> To: Mark Andrews <marka@isc.org> >>> Cc: tirumal reddy <kondtir@gmail.com>; add@ietf.org <add@ietf.org> >>> Subject: Re: [Add] draft-ietf-add-resolver-info-09 !-------------------------------------------------------------------| >>> This Message Is From an External Sender >>> >>> |-------------------------------------------------------------------! >>> >>> Hi Mark, all, >>> >>> We think this is fair. Thanks. >>> >>> We created a PR to fix this: https://github.com/boucadair/add-resolver-information/pull/19/files. >>> >>> Cheers, >>> Tiru & Med >>> >>> > -----Message d'origine----- >>> > De : Add <add-bounces@ietf.org> De la part de Mark Andrews >>> > Envoyé : mercredi 21 février 2024 01:50 >>> > À : Steffen Nurpmeso <steffen@sdaoden.eu> >>> > Cc : tirumal reddy <kondtir@gmail.com>; add@ietf.org >>> > Objet : Re: [Add] draft-ietf-add-resolver-info-09 >>> > >>> > If a recursive server passes through a response with AA=1 it is >>> > broken. If a recursive server forwards a query with RD=0 it is >>> > broken. If a “recursive server” is just forwarding queries and >>> > responses the attacker will just put the response in the authority >>> > section. The change of section provides no security. It doesn’t >>> > prevent problems. It is just change for changes sake. >>> > >>> > -- >>> > Mark Andrews >>> > >>> > > On 21 Feb 2024, at 06:30, Steffen Nurpmeso <steffen@sdaoden.eu> >>> > wrote: >>> > > >>> > > tirumal reddy wrote in >>> > > <CAFpG3gd5GwSAoOs3SX2xWZyKVR7F5y- >>> > y1VxxbTmfooC4AWo5Mw@mail.gmail.com>: >>> > > |On Thu, 15 Feb 2024 at 06:02, Mark Andrews <marka@isc.org> wrote: >>> > > |> Why is it necessary to change the standard processing of queries >>> > > |> for RESINFO when we already have a signal (AA=1) about whether >>> > the >>> > > |> answer is coming from elsewhere or not ? >>> > > | >>> > > |It is introduced to handle a scenario where SUDN is used to >>> > discover >>> > > |the encrypted resolver, and if the discovered resolver does not >>> > > |support RESINFO, it will forward the query upstream. An attacker >>> > > |might provide a RESINFO response with AA=1. The proposed mechanism >>> > > |aims to help the client identify whether the response is coming >>> > from >>> > > |the discovered encrypted resolver. >>> > > >>> > > By the way i am really not worth being noted for anything >>> > > acknowledgeable regarding the work of this WG. At all. >>> > > If you have another iteration of the document, i would prefer if you >>> > > would simply scratch my name from your work. >>> > > It is solely your work, for sure. >>> > > And the above is possibly very smart: my DNS work was two decades >>> > ago, >>> > > and i could not even tell whether i have ever seen authority section >>> > > entries being passed through or not. >>> > > >>> > > My main topics are simplicity so small teams can still exist >>> > > competetively as was true over two decades ago (ie, with knowing the >>> > > entire picture, not by delegating to "trusted" external modules in >>> > > uncounted numbers), when there were <3000 RFCs. >>> > > >>> > > As such i very much appreciated RFC 8499, but i alone from my >>> > > superficial out-of-interest reading have 17 DNS-related RFCs added >>> > > locally since then, plus the draft of yours and whatever else from >>> > > this WG. >>> > > >>> > > And a different way to get the TLS trust (or, rather, use existing >>> > > ways of various kind eg rpki, ikev2, or simply public keys as is >>> > done >>> > > by DKIM (certificates are a bit larger, but with the TCP that is >>> > more >>> > > and more needed per se, or QUIC; or even the permanent HTTP proxying >>> > > of everything, that is "no problem")) away from CA pools, to DNS/TLS >>> > + >>> > > DNSSEC zone records. Thank you for that, too! >>> > > >>> > > Ciao, and greetings from Germany, >>> > > >>> > > --steffen >>> > > | >>> > > |Der Kragenbaer, The moon bear, >>> > > |der holt sich munter he cheerfully and one by one >>> > > |einen nach dem anderen runter wa.ks himself off (By Robert >>> > > |Gernhardt) >>> > >>> > -- >>> > Add mailing list >>> > Add@ietf.org >>> > https://eur03.safelinks.protection.outlook.com/?url=https://www . >>> > ietf.org%2Fmailman%2Flistinfo%2Fadd&data=05%7C02%7Cmohamed.boucadair%4 >>> > 0orange.com%7C3a00adf00f6c4a88f66d08dc32770e24%7C90c7a20af34b40bfbc48b >>> > 9253b6f5d20%7C0%7C0%7C638440734117558876%7CUnknown%7CTWFpbGZsb3d8eyJWI >>> > joiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7 >>> > C%7C&sdata=GUI2%2FfrtBz%2FtYaA8ZmAGjR2jzb8mcp%2BmewuFjMiI3CE%3D&reserv >>> > ed=0 >>> ____________________________________________________________________________________________________________ >>> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc >>> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler >>> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, >>> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. >>> >>> This message and its attachments may contain confidential or privileged information that may be protected by law; >>> they should not be distributed, used or copied without authorisation. >>> If you have received this email in error, please notify the sender and delete this message and its attachments. >>> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. >>> Thank you. >>> -- >>> Add mailing list >>> Add@ietf.org >>> https://www.ietf.org/mailman/listinfo/add > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [Add] draft-ietf-add-resolver-info-09 Mark Andrews
- Re: [Add] draft-ietf-add-resolver-info-09 tirumal reddy
- Re: [Add] draft-ietf-add-resolver-info-09 Steffen Nurpmeso
- Re: [Add] draft-ietf-add-resolver-info-09 Mark Andrews
- Re: [Add] draft-ietf-add-resolver-info-09 mohamed.boucadair
- Re: [Add] draft-ietf-add-resolver-info-09 mohamed.boucadair
- Re: [Add] draft-ietf-add-resolver-info-09 Steffen Nurpmeso
- Re: [Add] draft-ietf-add-resolver-info-09 Ben Schwartz
- Re: [Add] draft-ietf-add-resolver-info-09 Ben Schwartz
- Re: [Add] draft-ietf-add-resolver-info-09 Mark Andrews
- Re: [Add] draft-ietf-add-resolver-info-09 Mark Andrews
- Re: [Add] draft-ietf-add-resolver-info-09 mohamed.boucadair
- Re: [Add] draft-ietf-add-resolver-info-09 Ben Schwartz
- Re: [Add] draft-ietf-add-resolver-info-09 Mark Andrews