IETF Logo Mail Archive

Re: [Add] I-D Action: draft-ietf-add-ddr-09.txt

Tommy Pauly <tpauly@apple.com> Fri, 05 August 2022 17:29 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C2A5C15A732; Fri, 5 Aug 2022 10:29:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.687
X-Spam-Level:
X-Spam-Status: No, score=-2.687 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.582, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D_XGjVJkEg-d; Fri, 5 Aug 2022 10:29:15 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp02.apple.com (ma1-aaemail-dr-lapp02.apple.com [17.171.2.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6CDBC14CF0F; Fri, 5 Aug 2022 10:29:14 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp02.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp02.apple.com (8.16.0.42/8.16.0.42) with SMTP id 275H9TN7064982; Fri, 5 Aug 2022 10:29:12 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=eAQ8xmymifaQoZdBFGZtWWWavVeorZ3Nc6GVcxqFubY=; b=MFGAZCRXWnN7uSW+qVkmsEZkbCmRAxr3pOYu42dfGDHmVavJnRiJdKI75vN6A+IPOauw a+xjv4cbMXcKhDHh5RbwY4ob8XZuSOiOZaSb/S5GNmlruS/PJBsVpxn7qPnVedjw36fG 4f+WDZnZCbFViBon9D4JLh094NePC9dOGuleRncxf69EUSlhD0UXmRtsSxojsEvDEm/Z FKXge6kpkG8lofkVMDjYrFPTlqd//m6mqNW5YqI2RyWIn7oT4fXSaAnYhWI32pAroSwz IIbzRtEkbZDYf2Jtko/pcFGjOZasIUuHg4B9imRng1oEFAx45Kp8InA40W+SRyO3gR/x DQ==
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by ma1-aaemail-dr-lapp02.apple.com with ESMTP id 3hpm5k6r7c-12 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 05 Aug 2022 10:29:12 -0700
Received: from rn-mailsvcp-mmp-lapp01.rno.apple.com (rn-mailsvcp-mmp-lapp01.rno.apple.com [17.179.253.14]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.18.20220407 64bit (built Apr 7 2022)) with ESMTPS id <0RG5008H9KKOYR00@rn-mailsvcp-mta-lapp03.rno.apple.com>; Fri, 05 Aug 2022 10:29:12 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp01.rno.apple.com by rn-mailsvcp-mmp-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.18.20220407 64bit (built Apr 7 2022)) id <0RG500O00KKD0I00@rn-mailsvcp-mmp-lapp01.rno.apple.com>; Fri, 05 Aug 2022 10:29:12 -0700 (PDT)
X-Va-A:
X-Va-T-CD: e72da815dcb01dab2f988f94f1719970
X-Va-E-CD: de694d6c59107a27da47f9e5ddd42970
X-Va-R-CD: 28d126396b0eeeac9d4986e6af2c028a
X-Va-CD: 0
X-Va-ID: 2fdacd13-e5e1-4543-b171-1f538ecf5e23
X-V-A:
X-V-T-CD: e72da815dcb01dab2f988f94f1719970
X-V-E-CD: de694d6c59107a27da47f9e5ddd42970
X-V-R-CD: 28d126396b0eeeac9d4986e6af2c028a
X-V-CD: 0
X-V-ID: 1fe10cd0-32fb-4a2e-9146-bfbdae0da723
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.517, 18.0.883 definitions=2022-08-05_09:2022-08-04, 2022-08-05 signatures=0
Received: from smtpclient.apple (unknown [17.234.70.82]) by rn-mailsvcp-mmp-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.18.20220407 64bit (built Apr 7 2022)) with ESMTPSA id <0RG500A6KKKMHY00@rn-mailsvcp-mmp-lapp01.rno.apple.com>; Fri, 05 Aug 2022 10:29:12 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <A43DAEEF-7519-4817-85D4-AB2442DB11CB@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_1C4AA5EA-A276-41EE-9633-4F02D9490495"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3696.120.31\))
Date: Fri, 05 Aug 2022 10:29:10 -0700
In-reply-to: <CAHbrMsC_u0v6oGcAgqK6Kis3kpscteay7dfU7bQjewceJaNU5g@mail.gmail.com>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>, i-d-announce@ietf.org
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
References: <165957021701.56614.13895069148730646596@ietfa.amsl.com> <CAHbrMsDkGduk7+KZR7mjUfJdvaKAe93=Ri4qAhaab65kEpAt6g@mail.gmail.com> <7ECC02B7-DFC4-48EB-AA64-B1D775468BF6@apple.com> <CAHbrMsC_u0v6oGcAgqK6Kis3kpscteay7dfU7bQjewceJaNU5g@mail.gmail.com>
X-Mailer: Apple Mail (2.3696.120.31)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.517, 18.0.883 definitions=2022-08-05_09:2022-08-04, 2022-08-05 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/ttOlmRZ4Gwh7wbVQ-qCdpuyrpPw>
Subject: Re: [Add] I-D Action: draft-ietf-add-ddr-09.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2022 17:29:19 -0000


> On Aug 4, 2022, at 7:04 PM, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
> 
> 
> 
> 
> On Thu, Aug 4, 2022, 6:27 PM Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org <mailto:40apple.com@dmarc.ietf.org>> wrote:
> Hi Ben, 
> 
>> On Aug 4, 2022, at 2:17 PM, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>> wrote:
>> 
>> Following up on my SECDIR review:
>> 
>> Section 4
>> 
>>    Because this query is for an SUDN, which no entity can claim
>>    ownership over, the ServiceMode SVCB response MUST NOT use the "."
>>    value for the TargetName.  Instead, the domain name used for DoT/DoQ
>>    or used to construct the DoH template MUST be provided.  This ensures
>>    that different designated resolver configurations can be correctly
>>    associated with IP addresses in A and AAAA records.  As such, clients
>>    MUST NOT perform A and AAAA queries for "resolver.arpa".
>> 
>> Thanks for updating this paragraph, but I think there are still several major issues here.
>> 
>> The guidance not to use "." is weird because using "." here would be unnatural anyway.  The natural thing would be to set TargetName to "resolver.arpa".  This is also forbidden, but the text doesn't address it.
> 
> We can clarify that this shouldn’t include “resolver.arpa”.
>> 
>> The text about what to put in the TargetName is very strange.  It conflicts directly with the guidance in Section 4.2 ("The client MUST verify that the certificate contains the IP address of the designating Unencrypted DNS Resolver") and Section 6.3 ("clients MUST use the original IP address of the Unencrypted DNS Resolver as the URI host for DoH requests”).
> 
> 
> Ah, I see what you mean. That sentence ("the domain name used for DoT/DoQ") is leftover.
> 
>> 
>> Also, as I noted in my review, the justification that "no entity can claim" this name is illogical, as the resolver is already serving a response for this name.  Clearly, the resolver can indeed "claim" this name, and is already doing so.
>> 
>> Possible replacement text (along the lines suggested in my review):
>> 
>> > To enable reliable identification of the Designated Resolver for debugging and future extensions, the TargetName SHOULD NOT indicate a SUDN (either explicitly or via the special value ".").  Clients SHOULD NOT issue speculative queries for A or AAAA records associated with this SVCB RRSet.  Note that the TargetName itself does not influence the encrypted connection in any way.
> 
> Talking with my other authors, I think we don’t think that this needs to limit to only speculative queries — the client should not be performing A or AAAA queries for resolver.arpa at all, regardless of if they are speculative.
> 
> In general, forbidding a DNS client from making certain DNS queries is pretty much unheard-of.  All DNS clients are permitted by the DNS protocol to issue whatever queries they like.  If you don't want the client to issue these queries, I think it makes more sense to focus on removing the reasons why the client might want to issue the queries, rather than forbidding the queries themselves.
> 
> I also think these should remain MUST NOTs, since there is no good reason to allow them (which is the bar for a MUST NOT),
> 
> I think there are in fact good reasons to allow them.  For example, this rule is the only thing that prevents opportunistic DDR from functioning on nameless resolvers.  Consider a home network gateway that wants to implement local opportunistic DDR.  If TargetName cannot be a SUDN, then the gateway has to claim some actual domain name for the TargetName.  If the gateway doesn't have its own domain name (as the vast majority do not), it can either abandon DDR or create an (unauthenticated) split horizon, with all the complications that implies.
> 
> Alternatively, if the resolver can simply set TargetName to "resolver.arpa", it can put its own IP addresses (on the local network) in A and AAAA records on "resolver.arpa".  This has the very natural semantic of "address records on resolver.arpa are what the resolver thinks its own IPs are".
> 
> There may be some way to use .local or something to give the resolver another name, but it's not obvious to me, and seems to have much more room for error.

Generally, the resolvers are going to need to get some valid certificate to host. Ideally, that covers their IP addresses for the non-private address case, but even in the private address case, they’ll need *some* certificate. 

From the IESG review changes, we have clarified this text regarding opportunistic use:

"For this profile, Section 4.1 of [RFC7858] explains that clients might or might not validate the resolver; however, even if clients choose to perform some certificate validation checks, they will not be able to validate the names presented in the SubjectAlternativeName field of the certificate for private and local IP addresses.”

As an example, the client we run still requires having some valid certificate.

It seems reasonable that the TargetName can match whatever name the resolver chooses for its certificate name (whether that is trusted or self-signed).

>  
> but otherwise clarifying that the restriction applies to both “resolver.arpa” and “.” sounds fine.
> 
> I’ve written up this: https://github.com/ietf-wg-add/draft-ietf-add-ddr/pull/106 <https://github.com/ietf-wg-add/draft-ietf-add-ddr/pull/106>
>> 
>> Section 7:
>> 
>>    Section 8.2 of [I-D.ietf-add-svcb-dns] describes a second downgrade
>>    attack where an attacker can block connections to the encrypted DNS
>>    server.  For DDR, clients need to validate a Designated Resolver
>>    using a connection to the server before trusting it, so attackers
>>    that can block these connections can prevent clients from switching
>>    to use encrypted DNS.
>> 
>> I would prefer to make this more explicit, e.g. replacing the second sentence with
>> 
>> > To bypass attacks that affect only one server, DDR clients SHOULD first fall back to any other available Designated Resolver.  If none of the Designated Resolvers are reachable, DDR clients MAY fall back to unencrypted DNS (enabling a successful downgrade attack).  Any client that does not fall back to unencrypted DNS MUST tightly limit the SVCB TTL, which could have been chosen by an attacker (as discussed in Section 4.2).
> 
> I think this gets too far into the client policy area. We are describing the possible downgrade attack, but use of other encrypted or unencrypted resolvers and their preference order is not within the scope of this document, or group.
> 
> If you don't want to guide client policy here, then I would suggest rewording "prevent clients from switching".  As written, the text seems to imply that clients will not switch to encrypted DNS, i.e. they will continue to use unencrypted DNS.  I'd like it to be clearer that this is not the draft's intention.

The current text is trying to be merely descriptive of the risk to consider — that if an attacker blocks connections to encrypted DNS resolvers, it *can* prevent clients from switching to use encrypted DNS. It doesn’t mean it will, but it is possible depending on client behavior.

> 
> I also think that the two mitigations I described here may be helpful and non-obvious, so it seems like a shame not to remind the reader of them, normatively or not.
> 
> Note also that this is the resolution for Paul’s DISCUSS.
> 
> Thanks,
> Tommy
> 
>> 
>> On Wed, Aug 3, 2022 at 7:43 PM <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>> wrote:
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Adaptive DNS Discovery WG of the IETF.
>> 
>>         Title           : Discovery of Designated Resolvers
>>         Authors         : Tommy Pauly
>>                           Eric Kinnear
>>                           Christopher A. Wood
>>                           Patrick McManus
>>                           Tommy Jensen
>>   Filename        : draft-ietf-add-ddr-09.txt
>>   Pages           : 20
>>   Date            : 2022-08-03
>> 
>> Abstract:
>>    This document defines Discovery of Designated Resolvers (DDR), a
>>    mechanism for DNS clients to use DNS records to discover a resolver's
>>    encrypted DNS configuration.  An encrypted DNS resolver discovered in
>>    this manner is referred to as a "Designated Resolver".  This
>>    mechanism can be used to move from unencrypted DNS to encrypted DNS
>>    when only the IP address of a resolver is known.  This mechanism is
>>    designed to be limited to cases where unencrypted DNS resolvers and
>>    their designated resolvers are operated by the same entity or
>>    cooperating entities.  It can also be used to discover support for
>>    encrypted DNS protocols when the name of an encrypted DNS resolver is
>>    known.
>> 
>> 
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-add-ddr/ <https://datatracker.ietf.org/doc/draft-ietf-add-ddr/>
>> 
>> There is also an HTML version available at:
>> https://www.ietf.org/archive/id/draft-ietf-add-ddr-09.html <https://www.ietf.org/archive/id/draft-ietf-add-ddr-09.html>
>> 
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-add-ddr-09 <https://www.ietf.org/rfcdiff?url2=draft-ietf-add-ddr-09>
>> 
>> 
>> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
>> 
>> 
>> -- 
>> Add mailing list
>> Add@ietf.org <mailto:Add@ietf.org>
>> https://www.ietf.org/mailman/listinfo/add <https://www.ietf.org/mailman/listinfo/add>
>> -- 
>> Add mailing list
>> Add@ietf.org <mailto:Add@ietf.org>
>> https://www.ietf.org/mailman/listinfo/add <https://www.ietf.org/mailman/listinfo/add>
> 
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email