Re: [Add] I-D Action: draft-ietf-add-ddr-09.txt
Ben Schwartz <bemasc@google.com> Mon, 08 August 2022 17:23 UTC
Return-Path: <bemasc@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27BC4C14CF01 for <add@ietfa.amsl.com>; Mon, 8 Aug 2022 10:23:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.606
X-Spam-Level:
X-Spam-Status: No, score=-17.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AzC_6mwQCzMf for <add@ietfa.amsl.com>; Mon, 8 Aug 2022 10:23:24 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9509C14F74D for <add@ietf.org>; Mon, 8 Aug 2022 10:23:23 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id v5so5150529wmj.0 for <add@ietf.org>; Mon, 08 Aug 2022 10:23:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=0Z349r/aE1avFGYRhBkscXeOCDAKeMtv5l237Xj/d7A=; b=RIKioiL/tk76MQX2Z5XNuq9/UdCcfKKbKUqla1xJ37pKakAr5a2qLaMhDGvgApXDZ2 3CmHPICmyhSZ+Hh2ZK65it9O1D/UsCeKSqaCV5qlSA/9S+/TBCz4L/88TbMw15p4l5bo visUuEmosYVFGmGoRr3AQRJ7TN36Ciy+nZO0xyZQ1shWweYlUTXQaC/3o1cQz6pmKWfv RWndl0hpEsvWMKHHUIrEe6T9OGa5njmc5DAaktyoKIrFMLZ67WfKwnFiM4FLD2NLRXCE TEp6viZvmktCFKA9rr6pDLtppho062gUR7KXYgTf1vfJB4FCvy5vx0iR/HodTMII8RE+ McGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=0Z349r/aE1avFGYRhBkscXeOCDAKeMtv5l237Xj/d7A=; b=Z9OH5rzko34+7ay12tsMqAucxoV61VrKaSOsrGpvdXZDU1BOpXcRZIXBU21XJVFR84 YCoygFv8Lj23IXCmG6uJGJ1hNW6pgvJ+jo70QHcaJ3P4LE/U/nSO3bAmwGAGh8KWP/iD CsIRdQKWgWtpGvhCRqfVREopS8iUqknGiA+T5P2kUbiYsvN/F0yuZKFiBGqNNHhF7G2L 8tXCuAMeQ4F8SJyJB4s0yUAUVaildeRYxkUPePzSVY9o/xBiOxU/MBIiwsPLQvCBisGs wGyxm+5xkZk8KZ0+qtUL0NPR2hzBN/jU8t4yy71rdN7mopFgHpwYjCuFJZYqjJsuM+A8 Elbw==
X-Gm-Message-State: ACgBeo2qV47tJodYRByrZbWdcv5zip9vRcgcbG2OfxXdFUb9fJZowq7f 2dcKr1nqsQlAqhHx/ksdDp/M8rdHBYExkdbQZ1vJXKEygYE=
X-Google-Smtp-Source: AA6agR6uKnkVxakPZmDNKxiDUlQlPyvrdYDwjrsBahbGgaXipr0Jg1u3Ma/1n49OTzU2qE0BDkeviqMPQtwkSz+0epM=
X-Received: by 2002:a05:600c:3d88:b0:3a3:63ad:c592 with SMTP id bi8-20020a05600c3d8800b003a363adc592mr13521437wmb.71.1659979401369; Mon, 08 Aug 2022 10:23:21 -0700 (PDT)
MIME-Version: 1.0
References: <165957021701.56614.13895069148730646596@ietfa.amsl.com> <CAHbrMsDkGduk7+KZR7mjUfJdvaKAe93=Ri4qAhaab65kEpAt6g@mail.gmail.com> <7ECC02B7-DFC4-48EB-AA64-B1D775468BF6@apple.com> <CAHbrMsC_u0v6oGcAgqK6Kis3kpscteay7dfU7bQjewceJaNU5g@mail.gmail.com> <A43DAEEF-7519-4817-85D4-AB2442DB11CB@apple.com>
In-Reply-To: <A43DAEEF-7519-4817-85D4-AB2442DB11CB@apple.com>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 08 Aug 2022 13:23:08 -0400
Message-ID: <CAHbrMsD++8Yy0+2ue3DbifHN+3Gd_zneTuAfP5knZ9JMo=Y5sw@mail.gmail.com>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
Cc: Tommy Pauly <tpauly@apple.com>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000940e3e05e5be12f7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/jgV0vcAPTBnkYPXnTsKJGmmGpHE>
Subject: Re: [Add] I-D Action: draft-ietf-add-ddr-09.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2022 17:23:29 -0000
On Fri, Aug 5, 2022 at 1:29 PM Tommy Pauly <tpauly= 40apple.com@dmarc.ietf.org> wrote: > > > On Aug 4, 2022, at 7:04 PM, Ben Schwartz < > bemasc=40google.com@dmarc.ietf.org> wrote: > > > > > On Thu, Aug 4, 2022, 6:27 PM Tommy Pauly <tpauly= > 40apple.com@dmarc.ietf.org> wrote: > >> Hi Ben, >> >> On Aug 4, 2022, at 2:17 PM, Ben Schwartz <bemasc= >> 40google.com@dmarc.ietf.org> wrote: >> >> Following up on my SECDIR review: >> >> Section 4 >> >> Because this query is for an SUDN, which no entity can claim >> ownership over, the ServiceMode SVCB response MUST NOT use the "." >> value for the TargetName. Instead, the domain name used for DoT/DoQ >> or used to construct the DoH template MUST be provided. This ensures >> that different designated resolver configurations can be correctly >> associated with IP addresses in A and AAAA records. As such, clients >> MUST NOT perform A and AAAA queries for "resolver.arpa". >> >> Thanks for updating this paragraph, but I think there are still several >> major issues here. >> >> The guidance not to use "." is weird because using "." here would be >> unnatural anyway. The natural thing would be to set TargetName to >> "resolver.arpa". This is also forbidden, but the text doesn't address it. >> >> >> We can clarify that this shouldn’t include “resolver.arpa”. >> >> >> The text about what to put in the TargetName is very strange. It >> conflicts directly with the guidance in Section 4.2 ("The client MUST >> verify that the certificate contains the IP address of the designating >> Unencrypted DNS Resolver") and Section 6.3 ("clients MUST use the original >> IP address of the Unencrypted DNS Resolver as the URI host for DoH >> requests”). >> >> >> Ah, I see what you mean. That sentence ("the domain name used for >> DoT/DoQ") is leftover. >> >> >> Also, as I noted in my review, the justification that "no entity can >> claim" this name is illogical, as the resolver is already serving a >> response for this name. Clearly, the resolver can indeed "claim" this >> name, and is already doing so. >> >> Possible replacement text (along the lines suggested in my review): >> >> > To enable reliable identification of the Designated Resolver for >> debugging and future extensions, the TargetName SHOULD NOT indicate a SUDN >> (either explicitly or via the special value "."). Clients SHOULD NOT issue >> speculative queries for A or AAAA records associated with this SVCB RRSet. >> Note that the TargetName itself does not influence the encrypted connection >> in any way. >> >> >> Talking with my other authors, I think we don’t think that this needs to >> limit to only speculative queries — the client should not be performing A >> or AAAA queries for resolver.arpa at all, regardless of if they are >> speculative. >> > > In general, forbidding a DNS client from making certain DNS queries is > pretty much unheard-of. All DNS clients are permitted by the DNS protocol > to issue whatever queries they like. If you don't want the client to issue > these queries, I think it makes more sense to focus on removing the reasons > why the client might want to issue the queries, rather than forbidding the > queries themselves. > > I also think these should remain MUST NOTs, since there is no good reason >> to allow them (which is the bar for a MUST NOT), >> > > I think there are in fact good reasons to allow them. For example, this > rule is the only thing that prevents opportunistic DDR from functioning on > nameless resolvers. Consider a home network gateway that wants to > implement local opportunistic DDR. If TargetName cannot be a SUDN, then > the gateway has to claim some actual domain name for the TargetName. If > the gateway doesn't have its own domain name (as the vast majority do not), > it can either abandon DDR or create an (unauthenticated) split horizon, > with all the complications that implies. > > Alternatively, if the resolver can simply set TargetName to > "resolver.arpa", it can put its own IP addresses (on the local network) in > A and AAAA records on "resolver.arpa". This has the very natural semantic > of "address records on resolver.arpa are what the resolver thinks its own > IPs are". > > There may be some way to use .local or something to give the resolver > another name, but it's not obvious to me, and seems to have much more room > for error. > > > Generally, the resolvers are going to need to get some valid certificate > to host. > I don't believe that is true (in the opportunistic case that we are discussing). > Ideally, that covers their IP addresses for the non-private address case, > but even in the private address case, they’ll need *some* certificate. > Yes, but there is no need for this certificate to chain to a trusted root if the resolver is only known to the clients by a private IP. > From the IESG review changes, we have clarified this text regarding > opportunistic use: > > "For this profile, Section 4.1 of [RFC7858] explains that clients might or > might not validate the resolver; however, even if clients choose to perform > some certificate validation checks, they will not be able to validate the > names presented in the SubjectAlternativeName field of the certificate for > private and local IP addresses.” > > Yes, that seems reasonable, but it does not require resolvers to provide a certificate with a chain to a root CA recognized by the client. > As an example, the client we run still requires having some valid > certificate. > What do you mean by "valid"? Do you mean "chains to a CA trusted by the client, but the SAN is not checked"? If so, I fail to see how this check helps the user at all. This behavior is permitted within RFC 7858 opportunistic, but it is not recommended. It seems reasonable that the TargetName can match whatever name the > resolver chooses for its certificate name (whether that is trusted or > self-signed). > As I noted earlier, if the resolver does not have a name (as most consumer CPE does not), it is not at all clear from the current draft how to choose the TargetName. The same goes for any self-signed CommonName, although I believe the choice of CommonName is entirely irrelevant, as it is ignored by the client. The choosing of a CommonName for a self-signed certificate is already a very dark corner of the standards territory, but in my experience the most common value is "localhost", which strikes me as a terrible value for a TargetName. > but otherwise clarifying that the restriction applies to both >> “resolver.arpa” and “.” sounds fine. >> >> I’ve written up this: >> https://github.com/ietf-wg-add/draft-ietf-add-ddr/pull/106 >> >> >> Section 7: >> >> Section 8.2 of [I-D.ietf-add-svcb-dns] describes a second downgrade >> attack where an attacker can block connections to the encrypted DNS >> server. For DDR, clients need to validate a Designated Resolver >> using a connection to the server before trusting it, so attackers >> that can block these connections can prevent clients from switching >> to use encrypted DNS. >> >> I would prefer to make this more explicit, e.g. replacing the second >> sentence with >> >> > To bypass attacks that affect only one server, DDR clients SHOULD first >> fall back to any other available Designated Resolver. If none of the >> Designated Resolvers are reachable, DDR clients MAY fall back to >> unencrypted DNS (enabling a successful downgrade attack). Any client that >> does not fall back to unencrypted DNS MUST tightly limit the SVCB TTL, >> which could have been chosen by an attacker (as discussed in Section 4.2). >> >> >> I think this gets too far into the client policy area. We are describing >> the possible downgrade attack, but use of other encrypted or unencrypted >> resolvers and their preference order is not within the scope of this >> document, or group. >> > > If you don't want to guide client policy here, then I would suggest > rewording "prevent clients from switching". As written, the text seems to > imply that clients will not switch to encrypted DNS, i.e. they will > continue to use unencrypted DNS. I'd like it to be clearer that this is > not the draft's intention. > > > The current text is trying to be merely descriptive of the risk to > consider — that if an attacker blocks connections to encrypted DNS > resolvers, it *can* prevent clients from switching to use encrypted DNS. It > doesn’t mean it will, but it is possible depending on client behavior. > I don't think the current text captures that intent. Instead, it strongly implies that all DDR clients are vulnerable ("can prevent" without further qualification). Here's a possible replacement that I think is more neutral, accurate, and informative. > For DDR, this attack can result in a downgrade to unencrypted DNS or a denial of service, depending on the client's behavior.
- [Add] I-D Action: draft-ietf-add-ddr-09.txt internet-drafts
- Re: [Add] I-D Action: draft-ietf-add-ddr-09.txt Ben Schwartz
- Re: [Add] I-D Action: draft-ietf-add-ddr-09.txt Tommy Pauly
- Re: [Add] I-D Action: draft-ietf-add-ddr-09.txt Ben Schwartz
- Re: [Add] I-D Action: draft-ietf-add-ddr-09.txt Tommy Pauly
- Re: [Add] I-D Action: draft-ietf-add-ddr-09.txt Ben Schwartz