IETF Logo Mail Archive

Re: [Add] draft-ietf-add-resolver-info-09

Mark Andrews <marka@isc.org> Wed, 21 February 2024 00:49 UTC

Return-Path: <marka@isc.org>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83084C17C884 for <add@ietfa.amsl.com>; Tue, 20 Feb 2024 16:49:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="AZ+gEIZ+"; dkim=pass (1024-bit key) header.d=isc.org header.b="GAOIrwWd"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y7ZKf-NP4p3l for <add@ietfa.amsl.com>; Tue, 20 Feb 2024 16:49:55 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2016C15107F for <add@ietf.org>; Tue, 20 Feb 2024 16:49:55 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 4DD273AB122; Wed, 21 Feb 2024 00:49:55 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 4DD273AB122
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1708476595; cv=none; b=OECJz1sz1ebwBsV1kuISv0iUXqbU7C07N2L59A/CGWfCZpFrseYdkh3zHsqEB8+pav/J8UrN4WhzRD6VibBWfaJKL/sUKu7JuINhbsDB1dnOUxnNzzKhLVgyXF6FG7TlYC/Y344PlEZPZDnvBR+SUzrwEw8Ppv2cmBPgtKJGj+k=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1708476595; c=relaxed/relaxed; bh=d7N51/Xswaqm0D31mjvcH4Swe5Gg/VAtP1kP6PUGR4k=; h=DKIM-Signature:DKIM-Signature:From:Mime-Version:Subject:Date: Message-Id:To; b=Vcm+QXx9s575nhdt2P7NUCRmwzaIWMSJaN9Z4lVFbhqgWP4ZbpGH7JBMChAWJzz7jS/6wCH49W7FLNh2CMbtRFUQ79XClIwGWV0b42kVpEx4oriWKW+lW1JrgGoDhUn4xh16380ZS62yqIUhxSJOotXnrxvnAr8TlhzylT6VfD8=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 4DD273AB122
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1708476595; bh=9MOhLpB/eXCHaS45bqcx/2Dhsyg8VLx8wiGenhVd8JA=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=AZ+gEIZ+xYkLN30TuUpKPhiBjMV4xYUWgQ8CTqkINp9XtDW8HpptyW9rW2WEs7Oo4 qwC/68Pqx+73q8h6xW6V4a1ZCk9G2Sd2Hb9E42ZPzBC8Uim0LLUVQwKahElHFfyA2s tlccG++pMwq6Bo2PG7FFswaKS4dJ2Qshx2b5o1L0=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 499B41148EEE; Wed, 21 Feb 2024 00:49:55 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 214781148FF2; Wed, 21 Feb 2024 00:49:55 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 214781148FF2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1708476595; bh=d7N51/Xswaqm0D31mjvcH4Swe5Gg/VAtP1kP6PUGR4k=; h=From:Mime-Version:Date:Message-Id:To; b=GAOIrwWd2MvKmdFaUZcqFk/ZZiKXk/Op9iovFr+u55Tpf4bHaFiWF4ugrjmsXDkdt zc4Sd35McdSSrr+hwsX+pPu8LSnbD5IEpj0kJiilXmC0+kEhx5nmV2vkZZ0eS8u6jF q9u3YRNh3IqFHb59k5ofJyVvY9XcPiaqqfzyPpwc=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id XzNQrC0M2_f2; Wed, 21 Feb 2024 00:49:55 +0000 (UTC)
Received: from smtpclient.apple (unknown [1.41.52.75]) by zimbrang.isc.org (Postfix) with ESMTPSA id D90441148EEE; Wed, 21 Feb 2024 00:49:54 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Mark Andrews <marka@isc.org>
Mime-Version: 1.0 (1.0)
Date: Wed, 21 Feb 2024 11:49:50 +1100
Message-Id: <1645FF35-C586-4580-8E71-7EFD5712241A@isc.org>
References: <20240220193023.t8iYjP8Z@steffen%sdaoden.eu>
Cc: tirumal reddy <kondtir@gmail.com>, add@ietf.org
In-Reply-To: <20240220193023.t8iYjP8Z@steffen%sdaoden.eu>
To: Steffen Nurpmeso <steffen@sdaoden.eu>
X-Mailer: iPhone Mail (19H380)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/o3jsSK30uqunwDai57wRlBL-Occ>
Subject: Re: [Add] draft-ietf-add-resolver-info-09
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2024 00:49:59 -0000

If a recursive server passes through a response with AA=1 it is broken. If a recursive  server forwards a query with RD=0 it is broken.  If a “recursive server” is just forwarding queries and responses the attacker will just put the response in the authority section.  The change of section provides no security. It doesn’t prevent problems. It is just change for changes sake. 

-- 
Mark Andrews

> On 21 Feb 2024, at 06:30, Steffen Nurpmeso <steffen@sdaoden.eu> wrote:
> 
> tirumal reddy wrote in
> <CAFpG3gd5GwSAoOs3SX2xWZyKVR7F5y-y1VxxbTmfooC4AWo5Mw@mail.gmail.com>:
> |On Thu, 15 Feb 2024 at 06:02, Mark Andrews <marka@isc.org> wrote:
> |> Why is it necessary to change the standard processing of queries for
> |> RESINFO when we already have a signal (AA=1) about whether the answer
> |> is coming from elsewhere or not ?
> |
> |It is introduced to handle a scenario where SUDN is used to discover the
> |encrypted resolver, and if the discovered resolver does not support
> |RESINFO, it will forward the query upstream. An attacker might provide a
> |RESINFO response with AA=1. The proposed mechanism aims to help the client
> |identify whether the response is coming from the discovered encrypted
> |resolver.
> 
> By the way i am really not worth being noted for anything
> acknowledgeable regarding the work of this WG.  At all.
> If you have another iteration of the document, i would prefer if
> you would simply scratch my name from your work.
> It is solely your work, for sure.
> And the above is possibly very smart: my DNS work was two decades
> ago, and i could not even tell whether i have ever seen authority
> section entries being passed through or not.
> 
> My main topics are simplicity so small teams can still exist
> competetively as was true over two decades ago (ie, with knowing
> the entire picture, not by delegating to "trusted" external
> modules in uncounted numbers), when there were <3000 RFCs.
> 
> As such i very much appreciated RFC 8499, but i alone from my
> superficial out-of-interest reading have 17 DNS-related RFCs
> added locally since then, plus the draft of yours and whatever
> else from this WG.
> 
> And a different way to get the TLS trust (or, rather, use existing
> ways of various kind eg rpki, ikev2, or simply public keys as is
> done by DKIM (certificates are a bit larger, but with the TCP that
> is more and more needed per se, or QUIC; or even the permanent
> HTTP proxying of everything, that is "no problem")) away from CA
> pools, to DNS/TLS + DNSSEC zone records.  Thank you for that, too!
> 
> Ciao, and greetings from Germany,
> 
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)

v2.23.0 | Report a Bug | By Email