IETF Logo Mail Archive

Re: [Add] data integrity and DNSSEC or DoH/DoT

Jim Reid <jim@rfc1035.com> Thu, 22 August 2019 12:41 UTC

Return-Path: <jim@rfc1035.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4945912083C for <add@ietfa.amsl.com>; Thu, 22 Aug 2019 05:41:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DrIyXqhiUn0l for <add@ietfa.amsl.com>; Thu, 22 Aug 2019 05:41:11 -0700 (PDT)
Received: from shaun.rfc1035.com (shaun.rfc1035.com [93.186.33.42]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E10C12001B for <add@ietf.org>; Thu, 22 Aug 2019 05:41:11 -0700 (PDT)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id F4002242109D; Thu, 22 Aug 2019 12:41:08 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com>
Date: Thu, 22 Aug 2019 13:41:07 +0100
Cc: ADD Mailing list <add@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E40CC478-BBA1-4DA9-8F6A-FE1782E0F27E@rfc1035.com>
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie> <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com> <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/sONURBCiU0ZWhggqEG4jDcuhSNc>
Subject: Re: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2019 12:41:13 -0000


> On 22 Aug 2019, at 08:00, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> Suppose that I receive a bogus response to my A record query, how am I to usefully distinguish "this is malware blocking" from "this resolver is malicious"?

I'm surprised that distinction matters to you. I thought any form of DNS blocking or filtering was malicious from your PoV. :-)

To be slightly less glib, the dnsop WG has an I-D on extended error codes. [And FWIW lack of a discrete error code(s) for validation failure is one of the things I think DNSSEC got wrong.] draft-ietf-dnsop-extended-error already goes some way to answering your question:

4.16.  Extended DNS Error Code 15 - Blocked

   The resolver attempted to perfom a DNS query but the domain is
   blacklisted due to a security policy implemented on the server being
   directly talked to.

4.17.  Extended DNS Error Code 16 - Censored

   The resolver attempted to perfom a DNS query but the domain was
   blacklisted by a security policy imposed upon the server being talked
   to.  Note that how the imposed policy is applied is irrelevant (in-
   band DNS somehow, court order, etc).

4.18.  Extended DNS Error Code 17 - Prohibited

   An authoritative or recursive resolver that receives a query from an
   "unauthorized" client can annotate its REFUSED message with this
   code.  Examples of "unauthorized" clients are recursive queries from
   IP addresses outside the network, blacklisted IP addresses, local
   policy, etc.

I suppose draft-ietf-dnsop-extended-error could add another error code for the specific case of a malicious resolver. Whatever that might mean. Though I doubt the operators of such servers will choose to set that evil bit on their responses.

PS A potential problem with this I-D is these extended error codes won’t be signed. So they can be spoofed by bad actors.

v2.23.0 | Report a Bug | By Email