IETF Logo Mail Archive

Re: [Add] opportunistic discovery certificate question

Tommy Jensen <Jensen.Thomas@microsoft.com> Fri, 16 April 2021 19:50 UTC

Return-Path: <Jensen.Thomas@microsoft.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3B603A330D for <add@ietfa.amsl.com>; Fri, 16 Apr 2021 12:50:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XhqpflGRctze for <add@ietfa.amsl.com>; Fri, 16 Apr 2021 12:50:16 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650100.outbound.protection.outlook.com [40.107.65.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE28C3A3309 for <add@ietf.org>; Fri, 16 Apr 2021 12:50:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IVUVYT6mGC9bajKaWBquVa6irT1vrpJ4vzMWhTCg33Gqjy1JwQKK3zqZEleGvPcRFrrfnRl4p6UPU87dUj9fkFXkNu/jsDjxPSlLUGci8qNsGeL0PG/FwNrvfeAE8NMhhepGasR2/GVcv2SjA1Tky7IQpmN6g+69sP3AZ48kyE1wws8agrEbIGQXswTKNeZiDmEjSLwVTR/1OREwWfxZ07K3a1HAWw2UR1PyBWgp2I7SZAldbW3KybV385fMo8l+fSzfOrBuj9jivTKDMh9K/3UtEZR90y7MSGR2RO3nK7RxIQjGPGIwq6G8wsvPC01DU+FS+4c2tjFat7wugPOxVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aIii8K5hdJcwo+Wdh3fO2syQMXdeqtZ4WkW/B7l1tBw=; b=MNVsgnRVq+dq45Rqtkk8TwUgHULK5LlGqtKC3cMpqCkEpwHgefpIxswguCsgPi+FOWU0S3GYNQWH+Ax3/pJAX+Uzw4k0Z+rwPhO57KdPNdzleRXLCVCiORR/yUYg7WV5uQsHE4nQ4MJOAl/wvUguo3M2m8VTVTzunZgSwFW1Z+qv8va48FsTCj7N+Qwc5PQ37jAzlu1FaN4TGdoLNhMmwS2PcAAvAwFjDC+H7rlFucc2sBLYzEDtrPfgAg/ci5RLy3fW0R04mfcXC1a/v50Pf2LkZQGMFRxjTYUmWq3OXM1ceMOH6POnBhMd6Hfz5qeidLwcyAL+zMJSdyh+L8wpOg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aIii8K5hdJcwo+Wdh3fO2syQMXdeqtZ4WkW/B7l1tBw=; b=LXjESOtg+OgdS5d4GE8oqJFNKmLFv9XA0U98BL/LthqiXZdsNlkHSQMh6I1FEocOtPCQ302bAf6Udzc4gHtsPiuMd01f6ilrqwpiwGI3d0F6rDck9KklUDfI7jUrTFG5ikAJ+3QovLQuaEmvr67b5HOjAopFeX2RBk1nvwJfGDM=
Received: from DM5PR00MB0342.namprd00.prod.outlook.com (2603:10b6:4:9f::33) by DM6PR00MB0813.namprd00.prod.outlook.com (2603:10b6:5:1bc::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4084.0; Fri, 16 Apr 2021 19:50:09 +0000
Received: from DM5PR00MB0342.namprd00.prod.outlook.com ([fe80::a1f6:ad4e:9ae8:6bda]) by DM5PR00MB0342.namprd00.prod.outlook.com ([fe80::a1f6:ad4e:9ae8:6bda%3]) with mapi id 15.20.4091.000; Fri, 16 Apr 2021 19:50:09 +0000
From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: "bs7652@att.com" <bs7652@att.com>, "kondtir@gmail.com" <kondtir@gmail.com>
CC: "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] opportunistic discovery certificate question
Thread-Index: AQHXMvdM8k0ngk2GyEmIUT/2AGwEIKq3igSg
Date: Fri, 16 Apr 2021 19:50:08 +0000
Message-ID: <DM5PR00MB034265DC6677D4833B86BA00FA4C9@DM5PR00MB0342.namprd00.prod.outlook.com>
References: <BY5PR02MB6914DD9606AD412CF7C5AB82C34D9@BY5PR02MB6914.namprd02.prod.outlook.com> <CAFpG3gcdc0bNEv9UBtHdFZcOE-JeaiYezn=uKVsbPWdioVpk2A@mail.gmail.com> <DM6PR02MB692417C7E5A6DA457922D9A4C34C9@DM6PR02MB6924.namprd02.prod.outlook.com>
In-Reply-To: <DM6PR02MB692417C7E5A6DA457922D9A4C34C9@DM6PR02MB6924.namprd02.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2021-04-16T19:50:04Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=174c4181-43d3-4462-a03a-d93d96287582; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0
authentication-results: att.com; dkim=none (message not signed) header.d=none;att.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.35.70.101]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5b7e1453-33f9-4aba-58b9-08d90110d731
x-ms-traffictypediagnostic: DM6PR00MB0813:
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: cMFTistsaROWNmzMdJsqhlolhm7DXo5qS2FGfCMn6Jj7xwtFRFON96rhAjMVuoqI5J6theDrFiKby6bIsDgR/z1e/oWGNw2A2cnqqCNS4Mc+B12TtoMlZzMGyGnTzHANrvqRV/ccTw17TZjVV6jt+gAaeI/6A+MFDGTra9TZbhNWJMQCCbMM+O2hxCKZGlQqc3YtTKL7wnZjmhSTrsk9czH5RNK3rj+Oi/sXOplNlxe4CjeACNJQ96FrNOV3Z3MILEmbqA7NimIJU886Rf3+zfbqiWUeXx/4zx5QQG9WSLBPjSFRLZ7G4dqtklLb/cebq0+m1D84FY9Os7WjtHjkCA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM5PR00MB0342.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(66946007)(8676002)(8990500004)(66574015)(64756008)(66476007)(66446008)(66556008)(33656002)(7696005)(966005)(4326008)(166002)(122000001)(6506007)(186003)(5660300002)(110136005)(478600001)(82950400001)(82960400001)(76116006)(86362001)(10290500003)(83380400001)(316002)(38100700002)(9686003)(53546011)(8936002)(2906002)(52536014)(71200400001)(55016002)(26005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: 8GKUd99Wg+soAdQyp538K4knj/lKpBj5ihe7Sy+ejOAYcStXoJJWjSNslWqVQjnzkITBEI5UEINNjmG91COCF90Wv+R3p4CU1wZ6pFByaxDl83Ku/K+sBFfs/Ii1I+3ikaGb9hIiBKui2fsJEOlxmqNsRRC1B1J2MR5CTuGUiybC0n0u7KieXsazNGG6CEpJ69zJvQxL9f+1C3lnyPbYlEVELg2UIFJJfCKpzHsAowLW6L6adUI1c3tSgzfaWsxD0OEDhqxCXk7bLznnZ1WLPxt0Voj/PbIxE/t8e2AX/a60qiDmtwlmVbA3LW4Aw1TgWs1i75WrOGLe/j9+mFMFQj1QcJbbffUePaTA6zSA8fddaq/nlKFOWg9ej9G4sXsmkYgcZQ+WEWeWacq2xR/VjckGfakBRKbyT6ufzJiPN1t4DVhuzAPgPyDaWfeEFMW+H9WNywMKHv9ASPi1yReuVdW+zI92r6IphJ3GkPI1kQluvvXhPu+6tU/qA3eL7W4T9XQyvY9p5stgafch9mfaa8KPnYEXrQO4p7GtXbSGI6RnFgMvI/1NRaVIOr3vkP4VRyLHaIzMwZSf6oJrFHjRW/++CkAdgRYjs3PWzI1FGMHFe0qvRhAVeEbrt2QWhKPaR1BalyFgYcBrtxFmTSBi26CkNJncyVlyKDb/BagNoywQtxiyBAyPLtK4oR0CyGPPFpLVasniSIqzWoiK47by4QpokIWga5Phefh65cKnStx0RQ/j99iXzUhQtzRvMgvwu/IfaPmihBSIW2ko+SB6ussZrgH68abUrZ7VLU8zox1WgEUVFK1NphEvSO38gTAr5Z3JPsrQY/fPYb/4ThGHz7TQzTJDiN0/wJViNJEvP9jzjZbMUWoIGTmoXfwM6249nAsrUHzEapBke4GpDD1ZJbyAjEx7M44q/PsaVxtXDhNVVEoAqCKY/a170gyutedVfNAnENHuI+7g+lbpfZlW774KiQM4sdSSQNqYeN8xRNE0tYIvAkTwixHqoiX48RRdBtPruUR0o5f7VSttTtSs56Z4X9wXVMUjEyig+XOG9+XbApcFoUCMmROVrQzLyk5kEVI6ZRTHqCMiOELSfHhCk5pgm27O8X+1oxLt+cprevvU5OYjQJV1ScnGiald0822/w7ckTTEXtMeKgScjfH2WrrjzrglMtymf79jAZIwIUeKXjdFnq89D+Z0Vg9BFteYnSPIEYVOiXVUAyMyusmxWBUUaeog2NGSsO+Jiv6T4i5KKxXgEZQUu2nbZBMfi+cd1KlJPemVfDWBQ7iuvuABTl1ZE16p7PPvnrzUwpS2v2tf1sXJzYsC00Yq9qT1tnQz
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM5PR00MB034265DC6677D4833B86BA00FA4C9DM5PR00MB0342namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM5PR00MB0342.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5b7e1453-33f9-4aba-58b9-08d90110d731
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Apr 2021 19:50:08.9786 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: n9p6chH+pLDWP8kZkxHx62mY7Ir9JE0F3wPSNRumRnXLVbHr4mYvbhj9x3oPcUS06acaJ9PVZXWow2JTdAf18Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR00MB0813
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/izYRjAK_jYh63413FAUYZt2esdY>
Subject: Re: [Add] opportunistic discovery certificate question
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2021 19:50:21 -0000

Hey Barbara,

> If the answer is "have the stub resolver make sure no reply comes from a dns://resolver.arpa query and supply Encrypted Resolver info via DNR" and then make sure DNR handles this use case well, I'd be fine with that.

This is exactly what I would recommend when a local-to-CPE forwarder is used for unencrypted DNS but the network operator wants to send clients to an upstream resolver for encrypted DNS. This is what the drafts should convey; I will review this when going over the DDR issues again this next week. I think DNR already makes clear that the ADN included in the DHCP/RA messages should be used to authenticate the DoH server just like any other HTTPS connection.

There has been some enthusiastic debate on the list and in IETF 110 about whether the authenticated mode of DDR should verify the cert chain or not for the name given it already validates an IP-based identity. I believe WG consensus was heading toward "only require IP so we avoid authenticating two identities". However, Tommy Pauly made a point on the other fork I think is worth noting: the decision to trust a cert for a name is separate (generalized to HTTPS behavior, not DDR) for clients from decided to trust a DDR referral as a designated resolver. Is your point that, instead of having DDR leave the topic of name ownership verification alone, it should specifically state that name verification will not occur?

One thing that will not work for sure is using a private IP address for DDR authentication in the TLS cert. For private IP addresses, the entire check is whether the designated server uses the same IP address. If it does not, clients should not use it.

Forgive me and let me know if I did not fully address your questions.

Thanks,
Tommy

From: Add <add-bounces@ietf.org> On Behalf Of STARK, BARBARA H
Sent: Friday, April 16, 2021 12:32 PM
To: 'tirumal reddy' <kondtir@gmail.com>
Cc: 'add@ietf.org' <add@ietf.org>
Subject: [EXTERNAL] Re: [Add] opportunistic discovery certificate question

Yes, but there's no indication in the DoT RFC or in the DDR draft that clients can/should/will trust these certificates and use them to establish a connection.
I'm really trying to get a sense of whether or not there will be some sort of consistent client behavior for clients that claim compliance to DDR. That should be a goal of the DDR specification (I hope). Otherwise, it makes it difficult for ISPs and retail vendors supplying CE routers with stub resolvers to figure out what sort of functionality has to exist in that CE router to get DDR to work.
Reading the DDR section on Authenticated Discovery more carefully, I'm also now wondering if it would be possible for an ISP's recursive resolver queried by that ISP's CE router stub resolvers to supply the SVCB record and include a self-signed certificate with the proper domain name and the default private IP address used by that ISP's CE router stub resolvers. Per the words currently in the 4.1 Authenticated Discovery section, it seems like that would work for the 90% of users who don't change the private IP address of the CE router. This doesn't sound highly desirable. I would expect validation of the provided certificate to also include validation of the chain of trust that requires the cert be signed by an entity whose cert is in the client trust store; but, admittedly, the DDR draft doesn't require that. And having the IP address of the Unencrypted Resolver that's included in the cert be just a best guess default value private IP address is also very kludgy.

Anyway, a huge chunk of the world is behind these stub resolvers. I need to understand whether it makes sense to try to push for some sort of new functionality in these stub resolvers and, if so, what that functionality is. But for me to push for anything, I need to be sure that it's not just throw-away development. This use case is clearly noted in the requirements draft.

If the answer is "have the stub resolver make sure no reply comes from a dns://resolver.arpa query and supply Encrypted Resolver info via DNR" and then make sure DNR handles this use case well, I'd be fine with that. I just need to make sure the use case is handled, I know what the stub resolver has to do, and clients that are compliant (with DNR? with DDR?) will behave consistently.
Thx,
Barbara

DoT allows both self-signed certificates and raw public keys, see https://tools.ietf.org/html/rfc8310<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Ftools.ietf.org%2Fhtml%2Frfc8310__%3B!!BhdT!1Ig1yeHY-MeOs5Be0KAgpJ8VZiTD-qSGnGd7RzbS0U-TJrrkT5hU17vjag_dNg%24&data=04%7C01%7CJensen.Thomas%40microsoft.com%7Cfae02f02cae84023975008d9010e6c9d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637541983758031483%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=BJk5zparIE4do4r7yTEfxVDN0ERNAtKsYWI%2Bw9iWKng%3D&reserved=0> for more details. It says "Raw public keys [RFC7250<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Ftools.ietf.org%2Fhtml%2Frfc7250__%3B!!BhdT!1Ig1yeHY-MeOs5Be0KAgpJ8VZiTD-qSGnGd7RzbS0U-TJrrkT5hU17v4KyzqKg%24&data=04%7C01%7CJensen.Thomas%40microsoft.com%7Cfae02f02cae84023975008d9010e6c9d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637541983758041479%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=NRcHqkQz47L%2BhtRtANchaaGO6fkw1TLhPbZyteDBebE%3D&reserved=0>], which reduce the size of the ServerHello and can be used by servers that cannot obtain certificates (e.g., DNS servers on private networks)."

-Tiru

On Thu, 15 Apr 2021 at 22:43, STARK, BARBARA H <bs7652@att.com<mailto:bs7652@att.com>> wrote:
I have a question about certificates used with the DDR opportunistic mechanism.
Since the certificate is not used for authentication ("...whose identity cannot be confirmed using TLS certificates"), does this mean that self-signed certificates could be used?
Would it be possible to even use something simpler (than X.509 certificates), like just Raw Public Keys (RFC7250)?
Thx,
Barbara

--
Add mailing list
Add@ietf.org<mailto:Add@ietf.org>
https://www.ietf.org/mailman/listinfo/add<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fadd__%3B!!BhdT!1Ig1yeHY-MeOs5Be0KAgpJ8VZiTD-qSGnGd7RzbS0U-TJrrkT5hU17sYX6CXrg%24&data=04%7C01%7CJensen.Thomas%40microsoft.com%7Cfae02f02cae84023975008d9010e6c9d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637541983758041479%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=rrH%2BbCOn3%2FtmHgP4sUkYdIIUn%2BHYfklDqSjIFTIDuro%3D&reserved=0>

v2.23.0 | Report a Bug | By Email