Re: [Add] I-D Action: draft-reddy-add-enterprise-split-dns-08.txt

Paul Wouters <paul.wouters@aiven.io> Mon, 24 January 2022 16:21 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 280803A127C for <add@ietfa.amsl.com>; Mon, 24 Jan 2022 08:21:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vvZgwHMZtcMr for <add@ietfa.amsl.com>; Mon, 24 Jan 2022 08:21:48 -0800 (PST)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AE913A1279 for <add@ietf.org>; Mon, 24 Jan 2022 08:21:48 -0800 (PST)
Received: by mail-ej1-x633.google.com with SMTP id o12so22823256eju.13 for <add@ietf.org>; Mon, 24 Jan 2022 08:21:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=date:from:to:cc:subject:in-reply-to:message-id:references :mime-version; bh=oowLM+C69OUIkmDUF2bavvq13pzr/wCY50hyJxgzDE0=; b=mx565HYUstPYvAKreFBqMKjJkSh5SZAx8j7towJrWTMI6RMFs4cxfyvJT92ud3bRcg ibMWZqWz/MZEb70wL/XRXReHNru5yF7JQQE/jiR0DHindM4yg8rDP04sKsmTUPMoIv20 bcO/NE/m5vjPYhVPDmW2ptUknkx4Ck0vOy2Jg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:mime-version; bh=oowLM+C69OUIkmDUF2bavvq13pzr/wCY50hyJxgzDE0=; b=cG+Ddh20kVTW7RL6Tw3nQcYjAbxBtu5o2F23ZyM47o9Mv2gvTlXsQMqev2NDU1yV3U VEhw0VDo9c5ODOzuc74scH9boyWzMWy00FjDCnPij5gHfm7TNQyzCksuId2L5iQ3cRyb H0fthsip8PorrzsALjMr9pXCLDh8bRnwYqDsaYCPX6KV7H+FP1ifUqnAjUq2CY3d0p7T IVFbpGPVKQ/Wb3XNnwApnfkO8qi0UGvCw6kIY+JEwcnTFjnJNAIYe4x7Uni6lBWNEAIW GXKmaHF2BCWJIKZJn4T8UDuxlW6imetnylvHuxjyEM0sYI9y32vdBj/uSurUNJvZmsoK yxng==
X-Gm-Message-State: AOAM532CeuA/GKtikF5QoV+qFu02LTO1FOYkIuRcXk7/0LBSIIRzKXAq 10OHhepx/XkEAdeMrCVrihHldw==
X-Google-Smtp-Source: ABdhPJzZuTtgWLmfFJ5pM4isY70bT2Sf59ZzO44/dfQkJB8haGgD1jsF+8wRcRiTn779vHdsOd9UEw==
X-Received: by 2002:a17:906:dc90:: with SMTP id cs16mr7437490ejc.598.1643041306146; Mon, 24 Jan 2022 08:21:46 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca. [193.110.157.194]) by smtp.gmail.com with ESMTPSA id k7sm5058007eje.162.2022.01.24.08.21.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 Jan 2022 08:21:45 -0800 (PST)
Date: Mon, 24 Jan 2022 11:21:43 -0500 (EST)
From: Paul Wouters <paul.wouters@aiven.io>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
cc: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>, tirumal reddy <kondtir@gmail.com>
In-Reply-To: <CAHbrMsAKAQjCZQrwTKp3_NiFh194ST54n1dOOM7WQ4ydi=yOFA@mail.gmail.com>
Message-ID: <532c969a-8793-81a1-17c0-55ae5b21fad3@nohats.ca>
References: <164273967921.28045.13105308218406662743@ietfa.amsl.com> <CAFpG3geerJH+jWEZpZnHJpEFcOr+81WyOFvWoAaHmR6N4jBZyg@mail.gmail.com> <4182fe-1e8-ef1-d3e5-75b17da23b9e@nohats.ca> <CAHbrMsBvy6F05y+rXzS+KtpOCn4+RCcJnjLdduHfdz8ENCOQzw@mail.gmail.com> <54f568df-79ba-cc41-6337-a0f45c44344e@nohats.ca> <CAHbrMsAKAQjCZQrwTKp3_NiFh194ST54n1dOOM7WQ4ydi=yOFA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1858192029-1121807561-1643041305=:937948"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/wJHXDYXTK_WuE94t_QBUuYnivWA>
Subject: Re: [Add] I-D Action: draft-reddy-add-enterprise-split-dns-08.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jan 2022 16:21:53 -0000

On Mon, 24 Jan 2022, Ben Schwartz wrote:

>       That is not clear from the text at all. In that case, yes you cover all
>       the cases of split-dns but then I wonder how the external server will
>       somehow "confirm authorization" of "corp.example.com" on the internal
>       server if the externl server returns NXDOMAIN or REFUSED because the
>       domain is internal only ? Especially because the connecting client is
>       supposedly sending this query over its own trusted (encrypted) resolver
>       to the public nameserver, reachin the public nameserver's external
>       "view".
> 
> In this case, "corp.example.com" would be publicly visible

You have now redefined split-dns again to be only the cases where the
zone exists in both internal and external views. The problem we were
addressing was internal zones that do not exist in any kind of form
externally.

> , presumably as an "empty" zone (containing only its own
> NS records, NS IPs if in-bailiwick, DNSSEC records, etc.).  The client would fetch the NS records for this zone,
> and check the NS names against the DNR ADNs.  A query for "asdf.corp.example.com" would then flow to the local DNR
> resolver, which serves a non-NXDOMAIN response.

Now you have created an additional binding between the administrators
of the internal and external versions of the internal-only
"corp.example.com". Now internal DNSSEC adminstrators need to sync
up with the external ones. These might be different departments and
different providers.

> Alternatively, the local resolver can claim the "example.com" zone, and corp.example.com can be NXDOMAIN publicly.

Yes, it could claim example.com, but again then there needs to be two
different example.com zones that are in need of a sync for DS records,
and two different views - one for the internal and one for the external
one, since they differ in corp.example.com. So the internal one claiming
"example.com" cannot just forward to the public one. But for data
outside of corp.example.com it should not really be authoritative, so
again a human/third-party sync is needed between internal and external
DNS. So these workarounds are prone to failure due to their administrative
overhead that requires continuous cooperation between two different
systems/groups.

An ideal situation would make the internal DNS fully independent of the
external DNS. Again, if you look at RFC 8598 IKEv2 Split DNS, it conveys
all the information through provisioning which has its own trust anchor.
It leaves the operation of internal and external DNS independent of each
other.

Additionally, if I want to steal gmail.com, couldn't I just claim ".com" ?
I replay some externally valid DNSSEC records and then when they are
trying to visit gmail.com, I route the IPs of ns*.google.com to my
own servers (eg via NAT or by squatting the public IP space). I might
not be able to run HTTPS for gmail.com, but at least I've prevented
the user on the network from accessing the real gmail.com.

>       > What's newly excluded in this draft are domains like "example.faketld", i.e. names whose parent (in
>       this case the root) did not
>       > give permission for this use.
>
>       Please do clarify that in the draft.
> 
> 
> Sorry, I meant "newly excluded in this draft revision", compared to -07.  I believe this is quite explicit from
> the "NXDOMAIN camping" text in -08.

Re-reading it, I agree. I think the confusion could be reduced by using
common terms like domain hijacking and nxdomain hijacking instead of the
word camping.

>       If you ask the public view for internal.example.com you get no NS
>       records and no DS records.
> 
> This draft effectively requires that any "claimed zone" has publicly visible NS records.

Yes, and I have commented from the start that this is not a realistic
operational requirement. People want to hide their internal zones. If
they didn't they would have put a public placeholder domain there
already. They don't want to reveal their internal domains in a public
downloadable list via DNS records.

> No, because each "claimed zone" is presumed to be a publicly visible zone enclosing the internal-only names.  This
> may be the zone itself, or a parent.

I commented on this already earlier in this response.

> I think this shows that the internal and external DNSSEC views may be incompatible, so they cannot share a cache.

RFC 8598 has text on how to deal with multiple caches:

    When an IKE Security Association (SA) is terminated, the DNS
    forwarding MUST be unconfigured.  This includes deleting the DNS
    forwarding rules; flushing all cached data for DNS domains provided
    by the INTERNAL_DNS_DOMAIN attribute, including negative cache
    entries; removing any obtained DNSSEC trust anchors from the list of
    trust anchors; and clearing the outstanding DNS request queue.

At least on the system / OS level, there are existing hooks to deal with
this already for the main operating systems. I am not very familiar with
how browsers deal with their DNS cache when a "network disconnect/connect"
event happens. I assume they must do something similar.

> However, I see no reason that we need a separate trust anchor.  The internal resolver can provide a valid chain
> for internal names that goes all the way to the root, while external resolution receives an NSEC instead.

You need a seperate trust anchor because the internal and external DNS
is run by different humans in different departments using different
third parties with different software.

>       My comment
>       was that this document provides no method or normative reference to
>       a method to obtain this. In IKEv2 split-DNS, we added both a domain list
>       and their DS/DNSKEY records as provisioning information the IKE layer
>       conveys. This document only provides the names of domains, not their
>       trust anchors.
>
>       Paul

And now I understand that additionally, one must publish their internal
only domains in public DNS. I do not think that is a practical solution
from an operational point of view. Instead, operators will just want to
take all DNS queries from connecting clients, and will inform the users
to disable their third party DNS solutions.

Paul