Re: [Add] Warren Kumari's Discuss on draft-ietf-add-resolver-info-12: (with DISCUSS and COMMENT)

[mohamed.boucadair@orange.com]

Hi Warren,

Thank you for the review. Much appreciated!

A diff to track the changes can be found at: https://author-tools.ietf.org/api/iddiff?url_1=https://boucadair.github.io/add-resolver-information/draft-ietf-add-resolver-info.txt&url_2=https://boucadair.github.io/add-resolver-information/boucadair-patch-2/draft-ietf-add-resolver-info.txt.

Please see inline for more context.

Cheers,
Med

> -----Message d'origine-----
> De : Warren Kumari via Datatracker <noreply@ietf.org>
> Envoyé : mercredi 3 avril 2024 22:10
> À : The IESG <iesg@ietf.org>
> Cc : draft-ietf-add-resolver-info@ietf.org; add-chairs@ietf.org;
> add@ietf.org; tojens@microsoft.com; tojens@microsoft.com
> Objet : Warren Kumari's Discuss on draft-ietf-add-resolver-info-12:
> (with DISCUSS and COMMENT)
> 
> Warren Kumari has entered the following ballot position for
> draft-ietf-add-resolver-info-12: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut
> this introductory paragraph, however.)
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> 
> I'd like to start off by apologizing for the tone of this DISCUSS - I
> know that
> you've put a lot of work into this document, and getting a review like
> this is
> frustrating. I suspect that a fair bit of my concern can be addressed
> by having
> the document be much clearer about the intended use case / what the
> actual
> problem is that it is solving.

[Med] As a background, this specification covers the following item in the ADD WG Charter: 

"Define a mechanism that allows communication of DNS resolver
information to clients for use in selection decisions. This could be
part of the mechanism used for discovery, above."

The draft sets the base for a mechanism for resolvers to explicitly reveal key properties that will be useful for server selection. An initial set of properties is defined here, but more can be registered in the future.

> 
> My DISCUSS is quite similar to Paul Wouters' -- there is much in this
> document
> which seems unclear and/or underspecified and/or incomplete.
> 
> As an initial example, the Introduction starts off with:
> "Historically, DNS clients communicated with recursive resolvers
> without
> needing to know anything about the features supported by these
> resolvers.
> However, recent developments (e.g., Extended Error Reporting [RFC8914]
> or
> encrypted DNS) imply that earlier assumption no longer generally
> applies."
> 
> I don't really see how "that earlier assumption no longer generally
> applies" --
> my laptop is configured to use Google Public DNS

[Med] ... which I guess you configured manually, because you trust it at the first place. I don't know if you will maintain that same resolver, if for example, you have been told that resolver filters/blocks some specific queries, does not limit the amount of information it leaks upstream, etc.

, which happens to
> support RFC
> 8914 (Extended DNS Errors) and QNAME Minimization.

[Med] One would glean this info here and there, but there is no formal claim from the resolver itself that it supports those.

 My laptop happily
> communicates with 8.8.8. without knowing **anything about the
> "features
> supported by these resolvers"**. I *could* see an argument being made
> that my
> laptop should know if the resolver supports various flavors of
> encrypted DNS so
> that it knows to connect over an encrypted transport, but that's what
> RFC9462,
> RFC9463 are for, no?

[Med] That part is already covered by DNR/DDR and covered by this part of the charter:

"This could be part of the mechanism used for discovery, above."

> 
> "Instead of depending on opportunistic approaches, DNS clients need a
> more
> reliable mechanism to discover the features that are supported by
> resolvers."
> Similar to the prior -- why do clients *need* this?

[Med] because you care about privacy, filtering, etc. 

 My laptop is
> currently
> working just fine without it. The document seems to have this base
> assumption
> throughout, but it doesn't really seem to justify it -- I'm hoping /
> assuming
> that this is sufficiently obvious within the WG that it was just
> omitted
> because "everyone knows".

[Med] Tweaked the intro to make this clearer: https://github.com/boucadair/add-resolver-information/pull/30/commits/9ab541c54c1b6a4ade7583953cdc075823dab157

> 
> "Retrieved information can be used to feed the server selection
> procedure.
> However, that selection procedure is out of the scope of this
> document." -- is
> this the justification for all of the above assertions? If so, I think
> that A:
> the document needs to be much more explicit about this (don't "bury
> the lede")
> and B: some sort of advice about *how* is would be used seems needed -
> - I get
> that you don't want to specify the whole selection procedure, but
> something
> like "the server selection procedure could use this to prioritize
> privacy-preserving resolvers over those that don't do QNAME
> minimization" or
> similar...

[Med] Thanks. 

NEW:

"For example, the resolver selection procedure may use the retrieved information to prioritize privacy-preserving resolvers over those that don't enable QNAME minimization. However, that selection procedure is out of the scope of this document."

> 
> Section 3:
> "If the Special-Use Domain Name "resolver.arpa", defined in [RFC9462],
> is used
> to discover an encrypted DNS resolver, the client can retrieve the
> resolver
> information using the RESINFO RR type and QNAME of "resolver.arpa". In
> this
> case, a client has to contend with the risk that a resolver does not
> support
> RESINFO. The resolver might pass the query upstream, and then the
> client can
> receive a positive RESINFO response either from a legitimate DNS
> resolver or an
> attacker. The DNS client MUST set the Recursion Desired (RD) bit of
> the query
> to 0. The DNS client MUST discard the response if the AA flag in the
> response
> is set to 0, indicating that the encrypted DNS resolver is not
> authoritative
> for the response." This says "In this case, a client has to contend
> with the
> risk that a resolver does not support RESINFO." -- but surely that is
> true for
> the other cases too? Many clients live behind DNS forwarders / middle-
> boxes,
> which will happily pass unknown RR types upstream, but won't
> necessarily pass
> e.g EDNS responses back. If one of these clients sees that the
> "resolver"
> supports EDE, but the forwarder drops these, the client is being lied
> to.
> Perhaps the techniques in this document are only allowed to be used
> over
> encrypted DNS transports?

[Med] This excerpt is specific to DDR as called out it explicitly in the text:

   If the Special-Use Domain Name "resolver.arpa", defined in [RFC9462],
   is used to discover an encrypted DNS resolver,

 This might be implied by the fact that you
> are
> supposed to use "resolver.arpa" or "the QNAME of the domain name that
> is used
> to authenticate the DNS resolver", but if so, this is really not clear
> in the
> document. If that is indeed the case, the document needs to be much
> much more
> explicit about this, and also discuss what happens if you query for
> this over a
> non-encrypted protocol (which many resolvers won't actually know).

[Med] We wanted to avoid redundant statements in the document, but the security section states the following:

   DNS clients communicating with discovered DNS resolvers MUST use one
   of the following measures to prevent DNS response forgery attacks:

   1.  Establish an authenticated secure connection to the DNS resolver.

   2.  Implement local DNSSEC validation (Section 10 of [RFC8499]) to
       verify the authenticity of the resolver information.

> 
> In addition, this says: "The DNS client MUST set the Recursion Desired
> (RD) bit
> of the query to 0. The DNS client MUST discard the response if the AA
> flag in
> the response is set to 0, indicating that the encrypted DNS resolver
> is not
> authoritative for the response." - is the "indicating that the
> *encrypted* DNS
> resolver" (and this section) implying that the RD bit must only be set
> to 0
> when using the RFC9462 resolver.arpa mechanism, or whenever looking up
> RESINFO?
> I'd assume the latter, but that conflicts with the "*encrypted* DNS
> resolver"
> bit.

[Med] Good catch. Fixed at: https://github.com/boucadair/add-resolver-information/pull/30/commits/fcc293e88b9b75887923d3207740afd9a7f628db

> 
> Why is it useful / important for a client to know that a resolver
> supports
> specific EDE errors? E.g If RESINFO says that Resolver X supports
> "exterr=15,16,17", and the resolver suddenly sends back Extended DNS
> Error Code
> 5 - DNSSEC Indeterminate, what should the client *do*? Is it a
> violation to
> send back an EDE Code not covered by the capability list?

[Med] Added this NEW:

"Once a resolver is selected, this document does not interfere with DNS operations with that resolver." 

 What if I
> run a
> resolver, and advertise "exterr=42", and then add additional support
> for codes
> 1, 2 and 3? I guess I have to wait for the TTL to expire before
> advertising
> these? Seeing as the document doesn't really explain what the
> information is
> used for, it's not clear when (other than at initial connection) a
> client would
> re-query for it. Many resolvers are also anycast at this point -- what
> capabilities should be advertised if the set is not uniform across all
> members?
> The minimum enclosing set? The maximal set?

[Med] We already added this text per Erik's review: 

"If a group of resolvers is sharing the same ADN and/or anycast address, then these instances SHOULD expose a consistent RESINFO."

> 
> The document also lists qnamemin and exterr as the supported
> capabilities -
> it's not at all clear why those ones were selected as important
> capabilities
> and not e.g 0x20, port randomization, jurisdiction, logging level and
> retention, favorite flavor of ice-cream, etc. If it is just that these
> happened
> to be two capabilities that you happened to choose, I think that it
> would be
> worth clarifying this

[Med] Already added this text to address other reviews:

NEW:
That information is scoped to cover properties that are used to infer privacy and transparency policies of a resolver. Other information can be registered in the future per the guidance in {{key-reg}}.


 -- the document does say "New keys can be
> defined as per
> the procedure defined in Section 8.2.", but the focus on qname and EDE
> in the
> text makes it sound like these are the primary uses.
> 
> infourl:
> "It is not intended for end user consumption as the URL can possibly
> provide
> misleading information. A DNS client MAY choose to display the URL to
> the end
> user, if and only if the encrypted resolver has sufficient reputation,
> according to some local policy" -- so, which is it?

[Med] This provided in the sec cons:

"local policy (e.g., user configuration, administrative configuration, or a built-in list of reputable resolvers)"

 If a DNS client
> does
> display this to the end user, they will consume it (and possibly be
> misled).
> This also seems like it is ripe for phishing / advertising -- "Welcome
> to
> BestHotels, thank you for using our wonderful Encrypted DNS server.
> For only
> $19.95 per day, you can get the DNSSEC validating version of this
> service,
> enter your Credit Card Below!!!"
> 
> Security Considerations:
> "An encrypted resolver may return incorrect information in RESINFO. If
> the
> client cannot validate the attributes received from the resolver, that
> will be
> used for resolver selection or displayed to the end-user, the client
> should
> process those attributes only if the encrypted resolver has sufficient
> reputation according to local policy (e.g., user configuration,
> administrative
> configuration, or a built-in list of reputable resolvers). " This
> feels very
> hand-wavey / underspecified - "If the client cannot validate the
> attributes
> received from the resolver, [...] the client should process those
> attributes
> only if the encrypted resolver has sufficient reputation according to
> local
> policy." I don't really understand this -- how could a client validate
> the
> attributes?
 Surely not because they are DNSSEC signed / delivered over
> encrypted DNS? (That doesn't prove that the data is correct, only that
> it is
> what the resolver operator sent) So, how would a client validate that
> Resolver
> X supports e.g EDE Codes 9, 10, 11? Does this just boil down to "Don't
> trust
> any of this unless local policy says to?"
> 
> 

[Med] Will double check that part.

____________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.