Re: [Add] draft-ietf-add-resolver-info-09

Ben Schwartz <bemasc@meta.com> Tue, 05 March 2024 20:09 UTC

From: Ben Schwartz <bemasc@meta.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Mark Andrews <marka@isc.org>
CC: tirumal reddy <kondtir@gmail.com>, "add@ietf.org" <add@ietf.org>
Date: Tue, 05 Mar 2024 20:09:03 +0000
Message-ID: <SA1PR15MB4370C02BF2458CFD28D06265B3222@SA1PR15MB4370.namprd15.prod.outlook.com>
In-Reply-To: <DU2PR02MB1016058A16B81E9F322E087E288572@DU2PR02MB10160.eurprd02.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/jZUYZrgqcmTXa6xZlYqNOZS-7wA>

Mark's suggestion is correct, but I don't think draft-11 captures it correctly.  The draft-11 text only says

   The DNS client MUST set the Recursion
   Desired (RD) bit of the query to 0 to ensure that the response is provided by the resolver.
   If the resolver does not support RESINFO, it will return an authoritative name error.

This is factually incorrect, as can be observed by sending an RD=0 query to an ordinary recursive resolver:

% dig +short +norecurse www.google.com @1.1.1.1
142.251.167.104
142.251.167.147
142.251.167.99
142.251.167.106
142.251.167.103
142.251.167.105

Mark's suggestion is that the client verify that the response has AA=1.  That check ensures that the result was not populated insecurely over the network, but the draft doesn't mention it.

--Ben
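The AA=1 check the thread converges on, written out as an added Python example; this is not code from the draft, from the PR, or from any of the posters. It builds three constructed RESINFO responses in DNS wire format (an authoritative answer from the contacted resolver, an AA=0 answer of the kind an ordinary recursive resolver hands back for an RD=0 query, and an authoritative name error from a resolver without RESINFO support) and classifies each by the header bits alone. It assumes the RESINFO RR type code 261 and TXT-style RDATA as registered for RFC 9606, and uses resolver.arpa as the query name; the message ID, TTL and key strings are made-up sample values.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
QR = 1 << 15
AA = 1 << 10
RD = 1 << 8
RA = 1 << 7
RCODE_NXDOMAIN = 3

# RESINFO RR type code as registered for RFC 9606 (assumption stated in the lead-in);
# its RDATA uses the TXT wire format of length-prefixed character strings.
TYPE_RESINFO = 261
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_resinfo_response(qname: str, flags: int, rcode: int = 0, keys=()) -> bytes:
    """Constructed sample response: 12-byte header, one question, and (if keys are
    given) one RESINFO RR whose RDATA carries each key as a character string."""
    header = struct.pack("!HHHHHH", 0x1234, flags | rcode, 1, 1 if keys else 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_RESINFO, CLASS_IN)
    if not keys:
        return header + question
    rdata = b"".join(bytes([len(k)]) + k.encode("ascii") for k in keys)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RESINFO, CLASS_IN, 60, len(rdata)) + rdata
    return header + question + rr


def parse_header(msg: bytes) -> dict:
    """Decode the fixed header: ID, the flag bits that matter here, RCODE and counts."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def resinfo_keys(msg: bytes) -> list:
    """Decode the character strings of the first answer RR, or [] if there is none."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4          # skip QNAME, QTYPE, QCLASS
    if hdr["ancount"] == 0:
        return []
    off = skip_name(msg, off)
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype != TYPE_RESINFO:
        return []
    end, keys = off + rdlen, []
    while off < end:
        n = msg[off]
        keys.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return keys


def classify_resinfo_response(msg: bytes) -> str:
    """The check Mark proposes: trust RESINFO only when the contacted resolver
    answers authoritatively (AA=1). Setting RD=0 on the query is not a substitute,
    because a recursive resolver still answers RD=0 queries from cache with AA=0.
    Returns 'accept', 'unsupported' (authoritative name error) or 'reject'."""
    hdr = parse_header(msg)
    if not hdr["qr"] or not hdr["aa"]:
        return "reject"                         # cached, forwarded, or not a response
    if hdr["rcode"] == RCODE_NXDOMAIN:
        return "unsupported"                    # resolver itself says: no RESINFO
    if hdr["rcode"] != 0:
        return "reject"
    return "accept"


# Constructed sample messages (not captured traffic).
LOCAL = build_resinfo_response("resolver.arpa", QR | AA, keys=("qnamemin", "exterr=15,16,17"))
FORWARDED = build_resinfo_response("resolver.arpa", QR | RA, keys=("qnamemin",))   # AA=0
NO_SUPPORT = build_resinfo_response("resolver.arpa", QR | AA, rcode=RCODE_NXDOMAIN)

if __name__ == "__main__":
    for label, msg in (("local", LOCAL), ("forwarded", FORWARDED), ("no-support", NO_SUPPORT)):
        print(label, classify_resinfo_response(msg), resinfo_keys(msg))
```

The FORWARDED message carries a perfectly well-formed RESINFO RR; only the cleared AA bit tells the client that the data was not generated by the resolver it is talking to, which is exactly why the check belongs in the client rather than in the query's RD bit.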
________________________________
From: Add <add-bounces@ietf.org> on behalf of mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
Sent: Wednesday, February 21, 2024 2:37 AM
To: Mark Andrews <marka@isc.org>
Cc: tirumal reddy <kondtir@gmail.com>; add@ietf.org <add@ietf.org>
Subject: Re: [Add] draft-ietf-add-resolver-info-09

Hi Mark, all,

We think this is fair. Thanks.

We created a PR to fix this: https://github.com/boucadair/add-resolver-information/pull/19/files.

Cheers,
Tiru & Med

> -----Original Message-----
> From: Add <add-bounces@ietf.org> on behalf of Mark Andrews
> Sent: Wednesday, 21 February 2024 01:50
> To: Steffen Nurpmeso <steffen@sdaoden.eu>
> Cc: tirumal reddy <kondtir@gmail.com>; add@ietf.org
> Subject: Re: [Add] draft-ietf-add-resolver-info-09
>
> If a recursive server passes through a response with AA=1 it is
> broken. If a recursive server forwards a query with RD=0 it is
> broken.  If a “recursive server” is just forwarding queries and
> responses the attacker will just put the response in the authority
> section.  The change of section provides no security. It doesn’t
> prevent problems. It is just change for changes sake.
>
> --
> Mark Andrews
>
> > On 21 Feb 2024, at 06:30, Steffen Nurpmeso <steffen@sdaoden.eu> wrote:
> >
> > tirumal reddy wrote in
> > <CAFpG3gd5GwSAoOs3SX2xWZyKVR7F5y-y1VxxbTmfooC4AWo5Mw@mail.gmail.com>:
> > |On Thu, 15 Feb 2024 at 06:02, Mark Andrews <marka@isc.org> wrote:
> > |> Why is it necessary to change the standard processing of queries
> > |> for RESINFO when we already have a signal (AA=1) about whether the
> > |> answer is coming from elsewhere or not ?
> > |
> > |It is introduced to handle a scenario where SUDN is used to discover
> > |the encrypted resolver, and if the discovered resolver does not
> > |support RESINFO, it will forward the query upstream. An attacker
> > |might provide a RESINFO response with AA=1. The proposed mechanism
> > |aims to help the client identify whether the response is coming from
> > |the discovered encrypted resolver.
> >
> > By the way i am really not worth being noted for anything
> > acknowledgeable regarding the work of this WG.  At all.
> > If you have another iteration of the document, i would prefer if you
> > would simply scratch my name from your work.
> > It is solely your work, for sure.
> > And the above is possibly very smart: my DNS work was two decades ago,
> > and i could not even tell whether i have ever seen authority section
> > entries being passed through or not.
> >
> > My main topics are simplicity so small teams can still exist
> > competitively as was true over two decades ago (ie, with knowing the
> > entire picture, not by delegating to "trusted" external modules in
> > uncounted numbers), when there were <3000 RFCs.
> >
> > As such i very much appreciated RFC 8499, but i alone from my
> > superficial out-of-interest reading have 17 DNS-related RFCs added
> > locally since then, plus the draft of yours and whatever else from
> > this WG.
> >
> > And a different way to get the TLS trust (or, rather, use existing
> > ways of various kind eg rpki, ikev2, or simply public keys as is done
> > by DKIM (certificates are a bit larger, but with the TCP that is more
> > and more needed per se, or QUIC; or even the permanent HTTP proxying
> > of everything, that is "no problem")) away from CA pools, to DNS/TLS +
> > DNSSEC zone records.  Thank you for that, too!
> >
> > Ciao, and greetings from Germany,
> >
> > --steffen
> > |
> > |Der Kragenbaer,                The moon bear,
> > |der holt sich munter           he cheerfully and one by one
> > |einen nach dem anderen runter  wa.ks himself off (By Robert
> > |Gernhardt)
>
--
Add mailing list
Add@ietf.org
https://www.ietf.org/mailman/listinfo/add