IETF Logo Mail Archive

Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

Ben Schwartz <bemasc@meta.com> Mon, 16 October 2023 14:11 UTC

Return-Path: <prvs=36537abf2b=bemasc@meta.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACE54C151991 for <add@ietfa.amsl.com>; Mon, 16 Oct 2023 07:11:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.993
X-Spam-Level:
X-Spam-Status: No, score=-6.993 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=meta.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DgIZYgppajgI for <add@ietfa.amsl.com>; Mon, 16 Oct 2023 07:11:04 -0700 (PDT)
Received: from mx0b-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F02CC151065 for <add@ietf.org>; Mon, 16 Oct 2023 07:11:04 -0700 (PDT)
Received: from pps.filterd (m0109331.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 39FLbfBo004270; Mon, 16 Oct 2023 07:11:03 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meta.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=s2048-2021-q4; bh=1A4kva9/9562NRXRIuB48SgKO1zbOLGmGWdx4jEiauw=; b=eJJZ3sGc342qjU3deHlAezU8yr//5H2S4XW3oyJdsJk1hcqBP7BcXtfXmBl3Z3zI5jK7 T1foNAqS64AEH9kEM4YQSkhAEOpqW8BdQMKLEvseJA6d4F2XZXXfDtckrpoosdZOzi/0 hUX+MokPkcEkK432GnkD8ocL/hM0LNtgIfOKEbodS/0JyaM84IQ4sHydPgiJNiWi1GE0 deB5IWqhrM1+tpBWsWNlD/0mNepXkvMAP9STyj7xDP3gfGJoyQMn1M4zZpVXr/nOHvi/ 5G6Unth+16rAn3GOhl6Yzuk3ROtBri4sCAsA4RFDxyxRJFKtmN6QCNLbsM8lVyJopRG4 cA==
Received: from nam11-co1-obe.outbound.protection.outlook.com (mail-co1nam11lp2168.outbound.protection.outlook.com [104.47.56.168]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3tqrtybyqd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 16 Oct 2023 07:11:02 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VElgKgJ8gYVyBpE/1kNmfOjWJLe+YmFx78QpPvAI7bmDvQg19EscKlOGALB5BMk9uM9sIGGCMYR4FecLDSrcCAjP/89TLHZXkph0/vYjhKzxvimp0jt/v1OjE3+9AR/IMLu5Cga+7SiHboLL5vtbw+20BDh3LhLhmOa9JXmHGIcOz/VB1lf+ODuticvodo5QHgaLr/sNNH6MohF6Q56NWDFTP5mNd6Tz2tVvQR68bmkhVc14u9xxYbTVwk+0lIeZTbxJwikTbqXYE5Ext6spqnbmp3UNSGeAG02OuS7iV/asnMuFsEAVn7lDMBQw4pD6hjvlDUGr+1PbAc4c2NXfTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+AbRSoYALW5r6QAsl04NxtxlEAAvdm1c1AQxwyL+v34=; b=HHNg4JymxzETa5oiNCf7uMz1OMc5oZgKdr7A6HiPgM/cdCsElpYL2fSoGL/y8887pFEovtLvVmqeF2Awu/8kPJUhN9hO0ziWYhuajtOzX4YFv1S2vxms294rmDL8UH3Rxj/pUu1qsKgQjb5o9zCytbXaFJaVOqJDQaS/JiaNT0EBYS0JDbdqC34k0uDLh+QQdfgDY9bxjatGZ2Qbxsbrv08AdZWft+bGXvUcqs/RySjwsnIRvKKjPfC2bSZR6FaD+6mu+/enFalqyQUC+svSixK1GsbirIb9oBPi9CeMLEK18HNd1oMBIlHWEp7OuQzU4Il41F0mQr3YqsDO310LKA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=meta.com; dmarc=pass action=none header.from=meta.com; dkim=pass header.d=meta.com; arc=none
Received: from BN8PR15MB3281.namprd15.prod.outlook.com (2603:10b6:408:aa::24) by CH3PR15MB5612.namprd15.prod.outlook.com (2603:10b6:610:150::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6886.35; Mon, 16 Oct 2023 14:10:59 +0000
Received: from BN8PR15MB3281.namprd15.prod.outlook.com ([fe80::d9e2:fc18:82fa:fd56]) by BN8PR15MB3281.namprd15.prod.outlook.com ([fe80::d9e2:fc18:82fa:fd56%5]) with mapi id 15.20.6863.043; Mon, 16 Oct 2023 14:10:59 +0000
From: Ben Schwartz <bemasc@meta.com>
To: tirumal reddy <kondtir@gmail.com>, Tommy Jensen <Jensen.Thomas@microsoft.com>
CC: "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
Thread-Index: AQHZ9pqG4HQEQrLVek+YnRmR0mZIQ7BEPGKAgAD2dF6AAn2vAIAAMGe8gAAdfACAAN8HgIADolCd
Date: Mon, 16 Oct 2023 14:10:59 +0000
Message-ID: <BN8PR15MB3281070618DBEDAD16296BAEB3D7A@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <169640714475.30083.4833419078785956639@ietfa.amsl.com> <CAFpG3ge7G=0f+sWGqL8ANWG+nd=e3ngf7CdbUfhpjQvRYaatbg@mail.gmail.com> <BN8PR15MB32818870E42CB776F3A5F1DFB3CCA@BN8PR15MB3281.namprd15.prod.outlook.com> <CAFpG3gcnL1Fmx5hbQEBJUzTVsoBf7CMOOUuHiV-8DRQOLrbY4A@mail.gmail.com> <BN8PR15MB32816A104B16005165DA5C75B3D2A@BN8PR15MB3281.namprd15.prod.outlook.com> <DM6PR00MB07677636CDF58B2CD25F13C0FAD2A@DM6PR00MB0767.namprd00.prod.outlook.com> <CAFpG3gcRzVWTtJ7cL=yD9k_qi36FncCR5ibL59qun6_O16T1WA@mail.gmail.com>
In-Reply-To: <CAFpG3gcRzVWTtJ7cL=yD9k_qi36FncCR5ibL59qun6_O16T1WA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN8PR15MB3281:EE_|CH3PR15MB5612:EE_
x-ms-office365-filtering-correlation-id: e90f8047-7eda-42d6-382f-08dbce51b8d5
x-fb-source: Internal
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: MoKbIv6T3L+yD4HvqpcW9oBHFqlXEe8AAE84p+/QlMM9MQJbsNrJnxSzSbKF4/pRVFNdpeX750of1b5eRH5v3kVz18aAWSnvl46JwNxgJwbNsFe02na9X8I164s/3rUFBODPNdbkZCBjT107XeTnmRb0AcGTqfjeWOIpKoNltqaHFSfg0a92Bhh58IIc62kBy/6/N2MjLoQP/1+QMkpS1xGGrVyY8eLRY2g7mzF5xLk56U3pg+q41Ajsozqh3nt3cm3m0DkGtB4WumZhGNuYn1ASiYrZmyQNfwDQLZpdB4hfetZwT18Z+fsqLgkDiLhOIGjZzOdiEzOLSSpQI/WhKj9gxyN0vKPqWgjdjLwUGQwwEBIYk7ykrW9bu6/DO+roxSiVd54Xa7ZMWHX+d8fUYPNTFQs3W2d+2k8wRJ75lbCjtbz3VnHd7yMGvv9Tgq7wQ91mtCrPjVaQo0Lx5aLCPpdf+pZpCjZeYNikkVcetiIH00rDRrsDOjOTJiqdakBsK98T046rfztPJ3VPO9HWoCotV7MVyA0bvtmcCo9dXp96d6ONVSAW1KEzuax9LCW8BDInBQiTOvFMVuB4A4FIxz0bb+4gyAMIfgsTKJuu4Ck=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN8PR15MB3281.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(136003)(396003)(39860400002)(366004)(346002)(376002)(230922051799003)(1800799009)(451199024)(186009)(64100799003)(6506007)(7696005)(55016003)(53546011)(71200400001)(5660300002)(52536014)(2906002)(83380400001)(66574015)(30864003)(33656002)(166002)(38070700005)(38100700002)(122000001)(86362001)(9686003)(64756008)(478600001)(966005)(41300700001)(316002)(91956017)(66556008)(110136005)(66446008)(66946007)(66476007)(76116006)(45080400002)(19627405001)(4326008)(8936002)(8676002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 1TxQly2z8nvuktOpd4g2Birnb7CeMIFyyt+8iISZ0crs3R22clBjfUDzyfHPefCZ/YSNQ30th4KxtZ0dgrpjeG7Bc4sCuqY+qO0LIsvUDd3ztTOeBaz3YUwKyA5VKnaqmw0MtTghIsdnFC9XNhc30U8AZ1pY8DWsweX4fxlH9lS1TbW1V2B9+yDUokg5MbqIf1y4rmVdMXLZ7rxr3vNCVZrWu7nJ7jUh6OCQuG5IjmErt/VffwuXx9iuzrSRvvRohfd3wSxeFafGW9ZbWffdyDyNro7YDZf8j9E04AVcXqqytMQoXndeo4YPS9PYyD1jWcSUi4rRZmtCzIpbL9AIR2lzdK7jFVShbEf5G9MblWPJFB18f4xjgIusIvCMZU/WGcqAl9HHei4ylA3xIQmq3ppYOAdUxEheRqA028azIfHr8t4ZdiLrs64YlnwStZ26osX0oj6jJp6a+pl/Y0qYzh9he0/VCyDkOqzGDWAlHLLj/FfOsr2ISt8MRfTHMXXkFc293BvAWY+aKd6nZncW43hN6PRdAAlliX329kr4smTa2Kevx/OYy0kqgwcLVjqAW4lUl9CLQzq37XNSSWEET+FajdpuqpbC64GTqqN04rzZZbq47akZLiragCPWeoBxwg/Z2nmOXpNVUw0fdw8XS172De+DXY1gpiILiXlinh/ckUWqxwhYF1ZSsgszD6gJNlWHF/biULlUt2u8BWq10J882BOKvL6+RGnlkiGRt54Htrs/+V8QsuEbRF6TTWtQ78LBUas7pgKi6MAIeQTKYBFC8oZy+BUczAgrY13mpFvUxyeTojYFIyPaFy8YeunxtwUStMe8yAOlJ+q63WbYGaHhhK+MxIImZJdtAcA7PV3A3RTeuNoIHOSRrlpNZmlvHSMNbYcx2Hj0EhDKEvJXoj9VwOtQMxU+aiXaOc3XDtbKLhNDL6P2GaQtZ+rdd9XNz0A4gOlrGy87Wy7KUhsJoZVNYi7qadNwqADB07kDws5OSeGlU3CfyB3R/kfLC3kLimcCYGR2V14cwbN1zJx9a7IqNNT+LImxYeo7UX2yRXPGFF8uaZlz5YEFJFyqHBP3KXPvBYGDnKzTzwR7PILJF6mmiVj6y++0mnnOcs7yR11A0EWFKyn0/bhE7kvCbx1ymzDswCyjAV+gzJmkCe+NzeBCq2zJ39s5aGLWCOPTL1P8NHXBQCaaQNCeM+Iedz/DECFBHHhdivxEZQZVeXOE1OZ2XnijH3bs8myxPackc50eJaWG6yos594g0PvzVkjtZym/oDKOxyTVRHsCBjoLdw65XSNSqdMaBYz8f8v4ZHeDNy+hFPgFz34cDBVIwVJFas0XMJ3GTJ3pGNIhtgm1yPalxFC7wbC/cffddD3bM7m2BGiO+bx9C5Zl1oSfSIrX73r30VN7VgOaPVViMDFgkRdbERxtfv2sL/SfCSnvIx4Muko/MnVOLBDUPhk4RDHx9qUgAA0G8wzw/rMeb9hEVfYLfTzbw4aHegdWSOMAzH2GUWWX1RXC8jDScNZ3FmLqufIfgYHAWVzqmdkaPUnxjjff/hKDSkvbQoqj+Nrio4XvuRzA9lBaJI5XYNbCHp5A
Content-Type: multipart/alternative; boundary="_000_BN8PR15MB3281070618DBEDAD16296BAEB3D7ABN8PR15MB3281namp_"
X-OriginatorOrg: meta.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN8PR15MB3281.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e90f8047-7eda-42d6-382f-08dbce51b8d5
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Oct 2023 14:10:59.1365 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: r2BCAY2piCAwMlLrWyRgm3bmRkW9aZWc4McJkiyPEG9zO/xtDuGqi9DWWKBsquyn
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH3PR15MB5612
X-Proofpoint-GUID: 7Qu00AmGFCd9dBz7fJw6Oa0KzPrgnKwX
X-Proofpoint-ORIG-GUID: 7Qu00AmGFCd9dBz7fJw6Oa0KzPrgnKwX
X-Proofpoint-UnRewURL: 10 URL's were un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-10-16_07,2023-10-12_01,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/iy79W5rJLX_6mJXI8O742S3sArM>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Oct 2023 14:11:08 -0000

The limiting factor with RESINFO and DDR/DNR is not technical compatibility, and cannot be solved by technical measures.  Proving that the RESINFO is bound to the TLS certificate (authenticity) does not provide any evidence that the resolver will act in accordance with its contents (trustworthiness).  Confirmation of trustworthiness, by nontechnical means, is sufficient to rule out any RESINFO implantation attack, and RESINFO is useless without such confirmation, so no technical defense is required.

If for some reason a technical authentication mechanism is desired, I don't think "sig=" is a good approach.  As I mentioned earlier, it is difficult to implement in architectures that separate TLS termination from DNS logic.  A simpler and cleaner solution would be to move the metadata into EDNS, where it cannot be influenced by external servers.  The record could also be defined in a different CLASS (perhaps CH, for tradition's sake), if we are confident that this will not result in recursive resolution by existing servers.

--Ben
________________________________
From: tirumal reddy <kondtir@gmail.com>
Sent: Saturday, October 14, 2023 2:11 AM
To: Tommy Jensen <Jensen.Thomas@microsoft.com>
Cc: Ben Schwartz <bemasc@meta.com>; add@ietf.org <add@ietf.org>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

On Fri, 13 Oct 2023 at 22: 23, Tommy Jensen <Jensen. Thomas@ microsoft. com> wrote: > Instead of asking "does this enable an attack", we have to ask "does this make the attacks worse in some scenario"? Agreed. I still
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender

ZjQcmQRYFpfptBannerEnd
On Fri, 13 Oct 2023 at 22:23, Tommy Jensen <Jensen.Thomas@microsoft.com<mailto:Jensen.Thomas@microsoft.com>> wrote:

> Instead of asking "does this enable an attack", we have to ask "does this make the attacks worse in some scenario"?



Agreed. I still argue that the ability to poison an arbitrary record is not as bad as the ability to lie about the current resolver’s properties, which include an arbitrary URL, especially knowing that a DNSSEC-validating client can raise trust in the answer in the non-DDR case versus in the DDR case.

The proposed mechanism will help identify the attack and warn the client that an upstream attacker is spoofing the DNS response.




> In general, RESINFO claims are not verifiable by the client.



True, the claims themselves are not verifiable, as in the client cannot verify the resolver is in fact using QNAME minimalization, without some kind of ridiculously expensive, out of band, TEE powered relationship, but…



> The client simply has to trust that the server is telling the truth, which means it needs a particular kind of pre-existing trust relationship with that server operator



In the non-DDR case, the record will be for a name the client used to connect to the resolver over encrypted DNS. In this case, the record’s authenticity can be confirmed using DNSSEC to be as trustworthy as the original resolver choice configuration (detect upstream forgery). The same cannot be said of the DDR case, since resolver.arpa cannot be validly signed (no detection of forgery).

Agreed. In the DNR case, if the client does not perform DNSSEC validation, it can initiate a RESINFO query after the DNS server is authenticated (I mean after the TLS handshake is complete). If the resolver does not support RESINFO RRtype, it will return "not implemented" response code and on-path attacker spoofing RESINFO is not possible.




> I think the simplest solution is to note in the draft that clients MUST NOT rely on RESINFO unless they have an out-of-band agreement with the server operator to abide by its published RESINFO policy



No argument that this is the simplest solution. However, I believe the authors and those interested in adopting the draft may take issue with that, as it will reduce its useful deployment scale, but there’s no doubt it would address this concern. I would be interested to hear from other interested adopters to see what their target scenario is and if this is problematic. For the record, my first suggestion during shepherd review was to declare that clients MUST NOT rely on RESINFO when the resolver was discovered using DDR, and the sig solution was proposed because excluding DDR discovered resolvers was undesirable.

Yes, the "sig" attribute is specifically introduced to support DDR. One possible way forward would be to relax the rule to validate the "sig" attribute from "MUST" and "SHOULD". In cases where the "sig" attribute is not provided, clients can process the response if and only if they have an out-of-band agreement with the server operator to abide by its published RESINFO policy.

-Tiru




Who else is actively planning to implement RESINFO? Please weigh in.



Thanks,

Tommy



From: Add <add-bounces@ietf.org<mailto:add-bounces@ietf.org>> On Behalf Of Ben Schwartz
Sent: Friday, October 13, 2023 8:59 AM
To: tirumal reddy <kondtir@gmail.com<mailto:kondtir@gmail.com>>
Cc: add@ietf.org<mailto:add@ietf.org>
Subject: [EXTERNAL] Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt



Reasoning about the security properties of insecure systems is tricky.  Instead of asking "does this enable an attack", we have to ask "does this make the attacks worse in some scenario"?



In this thread, we are discussing attackers who are falsifying RESINFO records.  This is only possible if (1) the attacker is upstream of the server* (which could be a resolver or forwarder) AND (2) that server is not DNSSEC-validating AND (3) that server is not using authenticated encryption on this connection AND (4) that server is not RESINFO-aware.



Given these preconditions, we can then ask: does accepting RESINFO make anything worse for the client?  Under these conditions, the attacker can already observe all upstream queries and generate arbitrary responses.  They essentially have taken over the resolver.  For example, the attacker controls the effective QNAME minimization policy: the attacker could capture all queries until the full QNAME is revealed, then pass that name un-minimized to the root servers and other parent zones.



The same logic applies to Kaminsky attacks and off-path cache poisoning: this attacker could point the IP addresses of popular TLD nameservers (or maybe even the root) back to themselves, allowing them to capture virtually all queries and control the responses.



Adding special cryptographic protections to RESINFO is not helpful when the actual functions of the resolver remain unprotected.



In general, RESINFO claims are not verifiable by the client.  The client simply has to trust that the server is telling the truth, which means it needs a particular kind of pre-existing trust relationship with that server operator.  I think the simplest solution is to note in the draft that clients MUST NOT rely on RESINFO unless they have an out-of-band agreement with the server operator to abide by its published RESINFO policy ... which implicitly prevents this attack (via point 4 above).



If we really feel the need to provide authenticated-but-still-untrusted RESINFO, we can move it to EDNS, which is not vulnerable except in pathologically insecure deployments.



--Ben



*Excluding off-path cache poisoning attacks for the moment.

________________________________

From: tirumal reddy <kondtir@gmail.com<mailto:kondtir@gmail.com>>
Sent: Friday, October 13, 2023 8:14 AM
To: Ben Schwartz <bemasc@meta.com<mailto:bemasc@meta.com>>
Cc: add@ietf.org<mailto:add@ietf.org> <add@ietf.org<mailto:add@ietf.org>>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt



On Thu, 12 Oct 2023 at 04: 03, Ben Schwartz <bemasc@ meta. com> wrote: I guess "sig" is based on a security concern I raised about draft-jt-add-dns-server-redirection? In that draft, an upstream injection attacker could poison

ZjQcmQRYFpfptBannerStart

This Message Is From an External Sender



ZjQcmQRYFpfptBannerEnd

On Thu, 12 Oct 2023 at 04:03, Ben Schwartz <bemasc@meta.com<mailto:bemasc@meta.com>> wrote:

I guess "sig" is based on a security concern I raised about draft-jt-add-dns-server-redirection?  In that draft, an upstream injection attacker could poison the resolver's own SVCB record, allowing the attacker to make the client bypass their chosen resolver entirely, and instead use the attacker's resolver ~forever.  This is a kind of "scope expansion": a transient, injection-only attacker on one path can upgrade themselves into a permanent, read-write attacker on all paths.



RESINFO doesn't have this problem.  Yes, an upstream attacker could inject a RESINFO response, but only to the same extent that they could poison any other query in the cache.  (If the resolver is DNSSEC-validating, injection on resolver.arpa is impossible.)  I don't see a scope expansion attack here.



Yes, scope expansion attack is not possible but DNSSEC protection is not possible with SUDN "resolver.arpa". In case of DDR, the client will not know whether RESINFO RR is originating from the discovered encrypted resolver or not.



-Tiru





Operationally, "sig" seems distinctly inconvenient.  Any DNS server that sits behind a TLS terminator or CDN will have extreme difficulty implementing it.



I recommend removing "sig".



If upstream attackers are a concern, I would solve that by moving RESINFO into EDNS, which is not controlled by the authoritative server.  (EDNS could still be manipulated by an attacker between a forwarder and its upstream resolver ... but that attacker can already control the content of all responses, so they effectively are the resolver.  Also, if the resolver and forwarder are so tightly integrated that the resolver can sign RESINFO with the forwarder's TLS private key, why aren't they using a secure transport?)



--Ben Schwartz

________________________________

From: Add <add-bounces@ietf.org<mailto:add-bounces@ietf.org>> on behalf of tirumal reddy <kondtir@gmail.com<mailto:kondtir@gmail.com>>
Sent: Wednesday, October 11, 2023 3:30 AM
To: add@ietf.org<mailto:add@ietf.org> <add@ietf.org<mailto:add@ietf.org>>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt



This revision, https: //www. ietf. org/archive/id/draft-ietf-add-resolver-info-06. html, addresses comments from Martin on the "sig" attribute use. The authors consider it ready to advance the draft to the next stage.   -Tiru On Wed, 4

ZjQcmQRYFpfptBannerStart

This Message Is From an External Sender



ZjQcmQRYFpfptBannerEnd

This revision, https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html<https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html>, addresses comments from Martin on the "sig" attribute use. The authors consider it ready to advance the draft to the next stage.



-Tiru



On Wed, 4 Oct 2023 at 13:42, <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>> wrote:

Internet-Draft draft-ietf-add-resolver-info-06.txt is now available. It is a
work item of the Adaptive DNS Discovery (ADD) WG of the IETF.

   Title:   DNS Resolver Information
   Authors: Tirumaleswar Reddy
            Mohamed Boucadair
   Name:    draft-ietf-add-resolver-info-06.txt
   Pages:   10
   Dates:   2023-10-04

Abstract:

   This document specifies a method for DNS resolvers to publish
   information about themselves.  DNS clients can use the resolver
   information to identify the capabilities of DNS resolvers.  How such
   an information is then used by DNS clients is out of the scope of the
   document.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/<https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/>

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html<https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html>

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-06<https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-06>

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


--
Add mailing list
Add@ietf.org<mailto:Add@ietf.org>
https://www.ietf.org/mailman/listinfo/add<https://www.ietf.org/mailman/listinfo/add>

v2.23.0 | Report a Bug | By Email