Re: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt

Ben Schwartz <bemasc@meta.com> Fri, 08 December 2023 21:52 UTC

From: Ben Schwartz <bemasc@meta.com>
To: tirumal reddy <kondtir@gmail.com>, "add@ietf.org" <add@ietf.org>
Thread-Topic: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt
Thread-Index: AQHaHq6eKhzxPwgDkEe16ytqMY6MzrCUanEAgAuU5SQ=
Date: Fri, 08 Dec 2023 21:52:21 +0000
Message-ID: <BN8PR15MB32817DF02BCA15535651F07BB38AA@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <170081382418.6627.11212053139133230296@ietfa.amsl.com> <CAFpG3geefWGUZOx_4OkL=g_Oj0Lw+vDehdimkX8ckH5OfMpOgg@mail.gmail.com>
In-Reply-To: <CAFpG3geefWGUZOx_4OkL=g_Oj0Lw+vDehdimkX8ckH5OfMpOgg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/sRfo0lZ__xWCC6Pc2RG0p07oSt8>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt
List-Id: Applications Doing DNS <add.ietf.org>

In my view, this revision continues to make incorrect security recommendations, resulting in unnecessary obstacles to deployment by servers and notable vulnerabilities for clients.  I also think it has some other issues of clarity and correctness.

As I've noted previously, I think there are various straightforward solutions that would render the draft both simpler and more secure.  Perhaps the simplest would be to move RESINFO to the name "resolver.arpa" and require it to be returned in the Authority section, reflecting the fact that it is a property of the resolver (not the resolver's name) and is not subject to recursive resolution.

Detailed notes:

Section 3:

"By using the DNS server's domain name from the DDR SVCB response to issue the RESINFO query, a client accepts the risk that a resolver supports DDR but does not support RESINFO."
-> The "server's domain name for the DDR SVCB response" is not a defined value.  Maybe you mean "The SVCB TargetName"?  Regardless, this is contradictory to the previous paragraph, which says that the RESINFO QNAME is the ADN.

"clients wishing to retrieve resolver information from resolvers discovered when performing DDR discovery using resolver IP address (Section 4 of [RFC9462]) MUST ensure during the TLS handshake that the TLS certificate presented by the resolver contains in its SubjectAltName (SAN) the domain name in the TargetName of the DDR SVCB response"
-> This rules out the use of RESINFO in Opportunistic DDR scenarios, which seems like a serious loss for debugging small networks.  It also interferes with the usual interpretation of SVCB TargetName and renders RESINFO incompatible with DANE.  It also fails to accomplish the desired authentication: if the name is unsigned or the resolver is non-validating, an upstream attacker could still have injected an arbitrary RESINFO response despite this attempted protection.

Section 6:

"If the client cannot validate the attributes received from the resolver, which will be used for resolver selection or display to the end-user, the client should process those attributes only if the encrypted resolver has sufficient reputation according to local policy"
-> As above, this does not accomplish the desired authentication unless the reputation assessment specifically requires that the resolver is "RESINFO-aware" (which would be false of all resolvers today, regardless of reputation).

________________________________
From: Add <add-bounces@ietf.org> on behalf of tirumal reddy <kondtir@gmail.com>
Sent: Friday, December 1, 2023 7:42 AM
To: add@ietf.org <add@ietf.org>
Subject: Re: [Add] I-D Action: draft-ietf-add-resolver-info-08.txt

This revision of the draft https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-08.html has been updated based on discussions during the presentation at IETF-118. Special thanks to Tommy Jensen for contributing text to this revision. The draft is now ready for progression to the next stage.

Cheers,
-Tiru

On Fri, 24 Nov 2023 at 13:47, <internet-drafts@ietf.org> wrote:
Internet-Draft draft-ietf-add-resolver-info-08.txt is now available. It is a
work item of the Adaptive DNS Discovery (ADD) WG of the IETF.

   Title:   DNS Resolver Information
   Authors: Tirumaleswar Reddy
            Mohamed Boucadair
   Name:    draft-ietf-add-resolver-info-08.txt
   Pages:   9
   Dates:   2023-11-24

Abstract:

   This document specifies a method for DNS resolvers to publish
   information about themselves.  DNS clients can use the resolver
   information to identify the capabilities of DNS resolvers.  How such
   an information is then used by DNS clients is out of the scope of the
   document.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-add-resolver-info-08.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-add-resolver-info-08

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


--
Add mailing list
Add@ietf.org
https://www.ietf.org/mailman/listinfo/add
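The review at the top of this message makes one security point twice: checking that the resolver's TLS certificate SAN contains the DDR TargetName (Section 3) authenticates the connection to the resolver, and a reputation check (Section 6) only helps if it specifically records that the resolver is RESINFO-aware; neither protects a RESINFO RRset that an unsigned, recursively resolved lookup brought back from upstream. The following Python is an added illustration of that trust decision, not code from the draft, its authors, or the reviewer. The names (`ResinfoContext`, `san_matches`, `parse_resinfo`, `classify_resinfo`), the three trust tiers, the assumption that RESINFO rdata is a list of TXT-style `key` or `key=value` character-strings, and the sample resolver, certificate and attribute values are all constructed for this example.

```python
"""Trust classification for RESINFO attributes (added example, not from the draft).

A TLS SAN match on the DDR TargetName proves which resolver answered, not that
the RESINFO RRset it relayed is genuine. Only DNSSEC validation of the RRset
itself, or local knowledge that the resolver answers RESINFO from its own
configuration (is "RESINFO-aware"), closes the upstream-injection gap.
Helper names, tiers and sample data below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ResinfoContext:
    """What a client knows when a RESINFO answer arrives (hypothetical structure)."""
    ddr_target_name: str            # TargetName from the DDR SVCB response
    tls_san_dns_names: list[str]    # dNSName SANs from the resolver's certificate
    rrset_dnssec_validated: bool    # the client itself validated the RESINFO RRset
    resolver_resinfo_aware: bool    # local policy records that this resolver publishes RESINFO


def _norm(name: str) -> str:
    """Case-fold and drop a trailing dot so presentation forms compare equal."""
    return name.rstrip(".").lower()


def san_matches(target: str, san_names: list[str]) -> bool:
    """Exact or single-label wildcard match of target against dNSName SANs."""
    t = _norm(target)
    for san in san_names:
        s = _norm(san)
        if s == t:
            return True
        if s.startswith("*."):
            suffix = s[1:]                                  # ".example.net"
            head = t[: -len(suffix)] if t.endswith(suffix) else ""
            if head and "." not in head:                    # wildcard spans one label only
                return True
    return False


def parse_resinfo(strings: list[str]) -> dict[str, str | None]:
    """Parse assumed TXT-like character-strings: 'key' or 'key=value'."""
    attrs: dict[str, str | None] = {}
    for s in strings:
        key, sep, value = s.partition("=")
        key = key.strip().lower()
        if not key:
            raise ValueError(f"malformed RESINFO string: {s!r}")
        attrs[key] = value if sep else None
    return attrs


def classify_resinfo(ctx: ResinfoContext, strings: list[str]) -> tuple[str, dict[str, str | None]]:
    """Return (tier, attrs); the tier says why the attributes may or may not be used."""
    attrs = parse_resinfo(strings)
    if not san_matches(ctx.ddr_target_name, ctx.tls_san_dns_names):
        # The Section 3 check failed: the connection is not even known to reach
        # the resolver that DDR named.
        return "untrusted", attrs
    if ctx.rrset_dnssec_validated:
        # End-to-end validation of the RRset is what actually rules out a record
        # injected upstream of the resolver.
        return "authenticated", attrs
    if ctx.resolver_resinfo_aware:
        # A resolver known to publish RESINFO answers from its own configuration
        # rather than forwarding the query upstream, so reputation is meaningful
        # only when it records exactly this property.
        return "reputation", attrs
    # SAN matched but the RRset is unsigned and the resolver may have forwarded
    # the query: the TLS check alone does not authenticate these attributes.
    return "untrusted", attrs


# Constructed sample: resolver discovered via DDR, wildcard certificate, unsigned RESINFO.
SAMPLE_CTX = ResinfoContext("dns.example.net", ["*.example.net"], False, False)
SAMPLE_RESINFO = ["qnamemin", "exterr=15,16", "infourl=https://dns.example.net/info"]

if __name__ == "__main__":
    print(classify_resinfo(SAMPLE_CTX, SAMPLE_RESINFO))
```

Flipping `rrset_dnssec_validated` or `resolver_resinfo_aware` on the sample context moves the same attributes from `untrusted` to `authenticated` or `reputation`, which is the distinction the review says the draft's SAN requirement does not make.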