IETF Logo Mail Archive

Re: [Add] I-D Action: draft-ietf-add-ddr-09.txt

Tommy Pauly <tpauly@apple.com> Thu, 04 August 2022 22:27 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EBE5C14CF09; Thu, 4 Aug 2022 15:27:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.686
X-Spam-Level:
X-Spam-Status: No, score=-2.686 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.582, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FDov72jkATFI; Thu, 4 Aug 2022 15:27:43 -0700 (PDT)
Received: from rn-mailsvcp-ppex-lapp44.apple.com (rn-mailsvcp-ppex-lapp44.rno.apple.com [17.179.253.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1DF0C14F74A; Thu, 4 Aug 2022 15:27:40 -0700 (PDT)
Received: from pps.filterd (rn-mailsvcp-ppex-lapp44.rno.apple.com [127.0.0.1]) by rn-mailsvcp-ppex-lapp44.rno.apple.com (8.16.1.2/8.16.1.2) with SMTP id 274MEBTi025191; Thu, 4 Aug 2022 15:27:39 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=xrh+fDRNktzSZsCxW4G6onBr5/yWU3P7efDiJ0bNW0Q=; b=V3tDH7Nlf74qupQx298Is55JOGSaVzDL4rj0ura2Iv/uuarhQuRaZYBmCnkb6yHzZEdX SzUnF+sU4BlGu8AtF8tcSPpVRfPfXVFmLro+sQPgIvqasDEqeKcfy93MsC36X9dwLf/a vyOQn8+JnqR/hwCxkJfd64heke9JBlLWoX4gfPtHykmRsKluhgldVR3DV3UdbrBeoHUN ckaqxQcI9UTRnR9o0OvutOn+lvOTQsLtz63EbsxQ5kHEhaX2YfSGR93nGLLaeDsOCD6D +u9SRXTgnPlrUFPNP9AaSkZ6rZ/mkF9IVoco6+jXdjlt3ayWlJrRtaBSrLO3NoJJoGtG EA==
Received: from rn-mailsvcp-mta-lapp01.rno.apple.com (rn-mailsvcp-mta-lapp01.rno.apple.com [10.225.203.149]) by rn-mailsvcp-ppex-lapp44.rno.apple.com with ESMTP id 3hnm8v83dx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 04 Aug 2022 15:27:39 -0700
Received: from rn-mailsvcp-mmp-lapp03.rno.apple.com (rn-mailsvcp-mmp-lapp03.rno.apple.com [17.179.253.16]) by rn-mailsvcp-mta-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.18.20220407 64bit (built Apr 7 2022)) with ESMTPS id <0RG4004N83Q33HB0@rn-mailsvcp-mta-lapp01.rno.apple.com>; Thu, 04 Aug 2022 15:27:39 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp03.rno.apple.com by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.18.20220407 64bit (built Apr 7 2022)) id <0RG400W003K48500@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Thu, 04 Aug 2022 15:27:39 -0700 (PDT)
X-Va-A:
X-Va-T-CD: e72da815dcb01dab2f988f94f1719970
X-Va-E-CD: de694d6c59107a27da47f9e5ddd42970
X-Va-R-CD: 28d126396b0eeeac9d4986e6af2c028a
X-Va-CD: 0
X-Va-ID: 31180e7c-db67-44ac-b453-9f590406496d
X-V-A:
X-V-T-CD: e72da815dcb01dab2f988f94f1719970
X-V-E-CD: de694d6c59107a27da47f9e5ddd42970
X-V-R-CD: 28d126396b0eeeac9d4986e6af2c028a
X-V-CD: 0
X-V-ID: 5f9e5aff-54ca-4bf1-bab2-74fae6642c10
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.517, 18.0.883 definitions=2022-08-04_05:2022-08-04, 2022-08-04 signatures=0
Received: from smtpclient.apple (unknown [17.11.215.73]) by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.18.20220407 64bit (built Apr 7 2022)) with ESMTPSA id <0RG400W6A3Q21N00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Thu, 04 Aug 2022 15:27:39 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <7ECC02B7-DFC4-48EB-AA64-B1D775468BF6@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_E967C2B5-37BA-4D2D-B67E-8FBB421CC3CD"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3730.0.21\))
Date: Thu, 04 Aug 2022 15:27:27 -0700
In-reply-to: <CAHbrMsDkGduk7+KZR7mjUfJdvaKAe93=Ri4qAhaab65kEpAt6g@mail.gmail.com>
Cc: ADD Mailing list <add@ietf.org>, i-d-announce@ietf.org
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
References: <165957021701.56614.13895069148730646596@ietfa.amsl.com> <CAHbrMsDkGduk7+KZR7mjUfJdvaKAe93=Ri4qAhaab65kEpAt6g@mail.gmail.com>
X-Mailer: Apple Mail (2.3730.0.21)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.517, 18.0.883 definitions=2022-08-04_05:2022-08-04, 2022-08-04 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/euGdJeFMdUiD4qbquYrad4SHxoY>
Subject: Re: [Add] I-D Action: draft-ietf-add-ddr-09.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Aug 2022 22:27:47 -0000

Hi Ben, 

> On Aug 4, 2022, at 2:17 PM, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
> 
> Following up on my SECDIR review:
> 
> Section 4
> 
>    Because this query is for an SUDN, which no entity can claim
>    ownership over, the ServiceMode SVCB response MUST NOT use the "."
>    value for the TargetName.  Instead, the domain name used for DoT/DoQ
>    or used to construct the DoH template MUST be provided.  This ensures
>    that different designated resolver configurations can be correctly
>    associated with IP addresses in A and AAAA records.  As such, clients
>    MUST NOT perform A and AAAA queries for "resolver.arpa".
> 
> Thanks for updating this paragraph, but I think there are still several major issues here.
> 
> The guidance not to use "." is weird because using "." here would be unnatural anyway.  The natural thing would be to set TargetName to "resolver.arpa".  This is also forbidden, but the text doesn't address it.

We can clarify that this shouldn’t include “resolver.arpa”.
> 
> The text about what to put in the TargetName is very strange.  It conflicts directly with the guidance in Section 4.2 ("The client MUST verify that the certificate contains the IP address of the designating Unencrypted DNS Resolver") and Section 6.3 ("clients MUST use the original IP address of the Unencrypted DNS Resolver as the URI host for DoH requests”).


Ah, I see what you mean. That sentence ("the domain name used for DoT/DoQ") is leftover.

> 
> Also, as I noted in my review, the justification that "no entity can claim" this name is illogical, as the resolver is already serving a response for this name.  Clearly, the resolver can indeed "claim" this name, and is already doing so.
> 
> Possible replacement text (along the lines suggested in my review):
> 
> > To enable reliable identification of the Designated Resolver for debugging and future extensions, the TargetName SHOULD NOT indicate a SUDN (either explicitly or via the special value ".").  Clients SHOULD NOT issue speculative queries for A or AAAA records associated with this SVCB RRSet.  Note that the TargetName itself does not influence the encrypted connection in any way.

Talking with my other authors, I think we don’t think that this needs to limit to only speculative queries — the client should not be performing A or AAAA queries for resolver.arpa at all, regardless of if they are speculative.

I also think these should remain MUST NOTs, since there is no good reason to allow them (which is the bar for a MUST NOT), but otherwise clarifying that the restriction applies to both “resolver.arpa” and “.” sounds fine.

I’ve written up this: https://github.com/ietf-wg-add/draft-ietf-add-ddr/pull/106

> 
> Section 7:
> 
>    Section 8.2 of [I-D.ietf-add-svcb-dns] describes a second downgrade
>    attack where an attacker can block connections to the encrypted DNS
>    server.  For DDR, clients need to validate a Designated Resolver
>    using a connection to the server before trusting it, so attackers
>    that can block these connections can prevent clients from switching
>    to use encrypted DNS.
> 
> I would prefer to make this more explicit, e.g. replacing the second sentence with
> 
> > To bypass attacks that affect only one server, DDR clients SHOULD first fall back to any other available Designated Resolver.  If none of the Designated Resolvers are reachable, DDR clients MAY fall back to unencrypted DNS (enabling a successful downgrade attack).  Any client that does not fall back to unencrypted DNS MUST tightly limit the SVCB TTL, which could have been chosen by an attacker (as discussed in Section 4.2).

I think this gets too far into the client policy area. We are describing the possible downgrade attack, but use of other encrypted or unencrypted resolvers and their preference order is not within the scope of this document, or group.

Note also that this is the resolution for Paul’s DISCUSS.

Thanks,
Tommy

> 
> On Wed, Aug 3, 2022 at 7:43 PM <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>> wrote:
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Adaptive DNS Discovery WG of the IETF.
>> 
>>         Title           : Discovery of Designated Resolvers
>>         Authors         : Tommy Pauly
>>                           Eric Kinnear
>>                           Christopher A. Wood
>>                           Patrick McManus
>>                           Tommy Jensen
>>   Filename        : draft-ietf-add-ddr-09.txt
>>   Pages           : 20
>>   Date            : 2022-08-03
>> 
>> Abstract:
>>    This document defines Discovery of Designated Resolvers (DDR), a
>>    mechanism for DNS clients to use DNS records to discover a resolver's
>>    encrypted DNS configuration.  An encrypted DNS resolver discovered in
>>    this manner is referred to as a "Designated Resolver".  This
>>    mechanism can be used to move from unencrypted DNS to encrypted DNS
>>    when only the IP address of a resolver is known.  This mechanism is
>>    designed to be limited to cases where unencrypted DNS resolvers and
>>    their designated resolvers are operated by the same entity or
>>    cooperating entities.  It can also be used to discover support for
>>    encrypted DNS protocols when the name of an encrypted DNS resolver is
>>    known.
>> 
>> 
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-add-ddr/
>> 
>> There is also an HTML version available at:
>> https://www.ietf.org/archive/id/draft-ietf-add-ddr-09.html
>> 
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-add-ddr-09
>> 
>> 
>> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
>> 
>> 
>> -- 
>> Add mailing list
>> Add@ietf.org <mailto:Add@ietf.org>
>> https://www.ietf.org/mailman/listinfo/add
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email