IETF Logo Mail Archive

Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt

tirumal reddy <kondtir@gmail.com> Fri, 13 October 2023 12:15 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B8C6C14F747 for <add@ietfa.amsl.com>; Fri, 13 Oct 2023 05:15:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YY4r9F3TlRn7 for <add@ietfa.amsl.com>; Fri, 13 Oct 2023 05:15:04 -0700 (PDT)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A25A3C14F5E0 for <add@ietf.org>; Fri, 13 Oct 2023 05:15:04 -0700 (PDT)
Received: by mail-lj1-x22a.google.com with SMTP id 38308e7fff4ca-2c504a51a18so1665871fa.1 for <add@ietf.org>; Fri, 13 Oct 2023 05:15:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697199302; x=1697804102; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KsN17OZN6NeyOKazF7zC6omDsW06Qe/2Zwi3Xt03TsQ=; b=FPM77uUMJkO9LHX6Y8DjzAAUWBr9DadAjf+FhlXWp8Faih/SUQdFQ7S8GBAJ+5AdH7 8/Gvz9a6WWfhrXi5JE8OfEeM8DxdyZd/sWDXy3OmHTO/b++rTvF9azvMK05GweCzBemB MUeSXM4+u3aB1l7iCcbsFt0gDyF1y7RhQ/AL+RwwVuwd/VZX9UH4+TNF+marEVrLJEP2 yo4DbabRhi4RIsfUhHqA24fDE1zdWAijclss/A6rCldbfkfRTMCS7WPcqe063vfmGNOy i72/fbCmsasiQIJYlOMgsPHMYf6ZD9PMumdR7krq1fio1iLaiUNhknpZP46tlKM006+U FYXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697199302; x=1697804102; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KsN17OZN6NeyOKazF7zC6omDsW06Qe/2Zwi3Xt03TsQ=; b=A/aF0juUrAtxffJOQ94apNyvo95M7db3lG0cqxt/npUO3+xH8c2jZa1nQh1J2zLHtG q0hwwKTVxvas+CQQnoXUuE06WKqRnanWnizcvMLbjEONlmGAj3ENgdwoHUe3SPRC7IWU dhsqcbXuS0w3VSlkGpSUD43WmLbLbVXG9rg33Vru1Xv2vCn5iUJPRw8ZBBzmwdcTde2q JNtfQ7guLrm5YlXTjhsNflHnLV+uKvO/JmAVFOcwU6kv5x0qi/3ZE1c/owN6A7nghROP N/jo///1/tXJAUkbYmaLRnJW+lFxVjkOQUFsDgFNzjBSkj+UFWrT2sFFSEAODwzZ/WD2 rI6w==
X-Gm-Message-State: AOJu0YzYrwXUdOZvH6OofJRxvMNcLGR5H7tJyJegdTyGvQ1EsJ4uYXI4 aTfhMvdBBTgKGiHrVQ8ON0bSOXirNghXfh+0ZDzFEAJIIZc=
X-Google-Smtp-Source: AGHT+IGnCwKdyKu5wh2yhcREVpQ4zwGltR5Def7Jrp70aGn1GePOykmnFQU2XzlpNuYqKW3/LXA6ShfvoNPMOK5y+UM=
X-Received: by 2002:a05:651c:154d:b0:2b9:7034:9bbe with SMTP id y13-20020a05651c154d00b002b970349bbemr26041544ljp.4.1697199302095; Fri, 13 Oct 2023 05:15:02 -0700 (PDT)
MIME-Version: 1.0
References: <169640714475.30083.4833419078785956639@ietfa.amsl.com> <CAFpG3ge7G=0f+sWGqL8ANWG+nd=e3ngf7CdbUfhpjQvRYaatbg@mail.gmail.com> <BN8PR15MB32818870E42CB776F3A5F1DFB3CCA@BN8PR15MB3281.namprd15.prod.outlook.com>
In-Reply-To: <BN8PR15MB32818870E42CB776F3A5F1DFB3CCA@BN8PR15MB3281.namprd15.prod.outlook.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 13 Oct 2023 17:44:50 +0530
Message-ID: <CAFpG3gcnL1Fmx5hbQEBJUzTVsoBf7CMOOUuHiV-8DRQOLrbY4A@mail.gmail.com>
To: Ben Schwartz <bemasc@meta.com>
Cc: "add@ietf.org" <add@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000083b96f06079801a7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/lQbr6BkrwltE8XEvystTNDtCtI4>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Oct 2023 12:15:09 -0000

On Thu, 12 Oct 2023 at 04:03, Ben Schwartz <bemasc@meta.com> wrote:

> I guess "sig" is based on a security concern I raised
> about draft-jt-add-dns-server-redirection?  In that draft, an upstream
> injection attacker could poison the resolver's own SVCB record, allowing
> the attacker to make the client bypass their chosen resolver entirely, and
> instead use the attacker's resolver ~forever.  This is a kind of "scope
> expansion": a transient, injection-only attacker on one path can upgrade
> themselves into a permanent, read-write attacker on all paths.
>
> RESINFO doesn't have this problem.  Yes, an upstream attacker could inject
> a RESINFO response, but only to the same extent that they could poison any
> other query in the cache.  (If the resolver is DNSSEC-validating, injection
> on resolver.arpa is impossible.)  I don't see a scope expansion attack here.
>

Yes, scope expansion attack is not possible but DNSSEC protection is not
possible with SUDN "resolver.arpa". In case of DDR, the client will not
know whether RESINFO RR is originating from the discovered encrypted
resolver or not.

-Tiru


>
> Operationally, "sig" seems distinctly inconvenient.  Any DNS server that
> sits behind a TLS terminator or CDN will have extreme difficulty
> implementing it.
>
> I recommend removing "sig".
>

> If upstream attackers are a concern, I would solve that by moving RESINFO
> into EDNS, which is not controlled by the authoritative server.  (EDNS
> could still be manipulated by an attacker between a forwarder and its
> upstream resolver ... but that attacker can already control the content of
> all responses, so they effectively *are* the resolver.  Also, if the
> resolver and forwarder are so tightly integrated that the resolver can sign
> RESINFO with the forwarder's TLS private key, why aren't they using a
> secure transport?)
>
> --Ben Schwartz
> ------------------------------
> *From:* Add <add-bounces@ietf.org> on behalf of tirumal reddy <
> kondtir@gmail.com>
> *Sent:* Wednesday, October 11, 2023 3:30 AM
> *To:* add@ietf.org <add@ietf.org>
> *Subject:* Re: [Add] I-D Action: draft-ietf-add-resolver-info-06.txt
>
> This revision, https: //www. ietf.
> org/archive/id/draft-ietf-add-resolver-info-06. html, addresses comments
> from Martin on the "sig" attribute use. The authors consider it ready to
> advance the draft to the next stage.   -Tiru On Wed, 4
> ZjQcmQRYFpfptBannerStart
> This Message Is From an External Sender
>
> ZjQcmQRYFpfptBannerEnd
> This revision,
> https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html, addresses
> comments from Martin on the "sig" attribute use. The authors consider it
> ready to advance the draft to the next stage.
>
> -Tiru
>
> On Wed, 4 Oct 2023 at 13:42, <internet-drafts@ietf.org> wrote:
>
> Internet-Draft draft-ietf-add-resolver-info-06.txt is now available. It is
> a
> work item of the Adaptive DNS Discovery (ADD) WG of the IETF.
>
>    Title:   DNS Resolver Information
>    Authors: Tirumaleswar Reddy
>             Mohamed Boucadair
>    Name:    draft-ietf-add-resolver-info-06.txt
>    Pages:   10
>    Dates:   2023-10-04
>
> Abstract:
>
>    This document specifies a method for DNS resolvers to publish
>    information about themselves.  DNS clients can use the resolver
>    information to identify the capabilities of DNS resolvers.  How such
>    an information is then used by DNS clients is out of the scope of the
>    document.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-06.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-06
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>
>

v2.23.0 | Report a Bug | By Email