IETF Logo Mail Archive

Re: [dbound] DBOUND - updated use cases?

Ian Williams <iwillamz@amazon.com> Wed, 28 September 2022 19:36 UTC

Return-Path: <prvs=26302f2b8=iwillamz@amazon.com>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE410C15DD41 for <dbound@ietfa.amsl.com>; Wed, 28 Sep 2022 12:36:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.18
X-Spam-Level:
X-Spam-Status: No, score=-15.18 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Us-F-ZaMQqxk for <dbound@ietfa.amsl.com>; Wed, 28 Sep 2022 12:36:16 -0700 (PDT)
Received: from smtp-fw-6002.amazon.com (smtp-fw-6002.amazon.com [52.95.49.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 975B0C15C53D for <dbound@ietf.org>; Wed, 28 Sep 2022 12:36:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1664393777; x=1695929777; h=message-id:date:mime-version:subject:to:references:from: in-reply-to:content-transfer-encoding; bh=6f3g1sSXo8+3mcxZMAqNVHjS50+b+lCr2alrSPyeBO4=; b=Hyqhu+bxVkCoVJuSn1VCgHVHI6dxbSqeKlw3s02L8Wy5HxhkfB6icoPg BDBqNOOc7RlmkpII4/PMcrNUUCR4OzuMPs/Oj7fwc8BnQV/LwS9jHNaH5 sSo2tTFcVdLEOziXBpw1ebHfxy4d4Tc553Ezcu4m3e8RAAmkkiDpVPvMG g=;
X-IronPort-AV: E=Sophos;i="5.93,352,1654560000"; d="scan'208";a="249765839"
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-iad-1a-87b71607.us-east-1.amazon.com) ([10.43.8.6]) by smtp-border-fw-6002.iad6.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Sep 2022 19:36:16 +0000
Received: from EX13MTAUEA001.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38]) by email-inbound-relay-iad-1a-87b71607.us-east-1.amazon.com (Postfix) with ESMTPS id 60B0C14107F for <dbound@ietf.org>; Wed, 28 Sep 2022 19:36:14 +0000 (UTC)
Received: from EX13D30UEA003.ant.amazon.com (10.43.61.28) by EX13MTAUEA001.ant.amazon.com (10.43.61.82) with Microsoft SMTP Server (TLS) id 15.0.1497.38; Wed, 28 Sep 2022 19:36:13 +0000
Received: from EX13MTAUEA001.ant.amazon.com (10.43.61.82) by EX13D30UEA003.ant.amazon.com (10.43.61.28) with Microsoft SMTP Server (TLS) id 15.0.1497.38; Wed, 28 Sep 2022 19:36:13 +0000
Received: from [192.168.2.32] (10.106.179.45) by mail-relay.amazon.com (10.43.61.243) with Microsoft SMTP Server (TLS) id 15.0.1497.38 via Frontend Transport; Wed, 28 Sep 2022 19:36:13 +0000
Message-ID: <99bc93ec-9be6-7abb-90c0-01f0d59c4aeb@amazon.com>
Date: Wed, 28 Sep 2022 12:36:12 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.0
Content-Language: en-US
To: dbound@ietf.org
References: <bd3a32cb-dd41-b195-e46d-419611000ceb@amazon.com>
From: Ian Williams <iwillamz@amazon.com>
Organization: AWS Security
In-Reply-To: <bd3a32cb-dd41-b195-e46d-419611000ceb@amazon.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dbound/KQNlJ-8ANqMY-UTDxAZGC4qrKxw>
Subject: Re: [dbound] DBOUND - updated use cases?
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2022 19:36:20 -0000

In the interest of spawning some discussion, I'll start with my own
reply.

Full disclosure, I work for AWS. We operate a large Internet-connected
service network, for both our direct customers and our customer's
customers. A few of the below use-cases consider the latter of the two,
for AWS customers that may themselves be a SaaS vendor or similar.

-----

1) We have a large number of boundaries we'd need to publish. Taking an
example resource within an example service, that resource might have a
domain name that follows the below pattern (2LD may vary):

   "resource-id.cluster-id.servicename.region-name.amazonaws.com"

With the current PSL, we'd need to publish 1+ records per region per
service. We currently have over 200 services across 27 regions, and
those numbers grow on a regular basis. This puts an immense strain on
the PSL - both on the size of the list itself, and the humans that help
maintain the list for the internet community (Ryan + Jothan + others:
thank you for your continued voluntarism here).

Putting this information into DNS allows us to publish our own records,
without straining a team of volunteers with our bolus of updates.

-----

2) We have suffixes that are public, but not routable or resolvable
outside of our network (public-like-PSL, not public-like-pool). A good
example I have is the internal zone within all AWS virtual private
clouds (VPCs). VPCs are resources customers can create, which reserves
them a logically-isolated portion of AWS's network. Within each VPC,
there is a VPC-internal DNS zone which contains DNS records for
resources within the VPC (suffix zone of "compute.internal" or
equivalent), which is separated per-VPC. Every network interface in a
VPC will have an associated per-interface record in this zone (for VPCs
using a default configuration). More details available here:
https://aws.amazon.com/vpc/

For customers that have chosen to peer their VPC with another customer,
this VPC-internal zone would now have multiple different customers
operating within it. We'd like to prevent any inferred-level of trust
(when it comes to things like cookies/CORS policies) between DNS names
in this zone.

There are other examples where this might apply for us, but they all
fall into this pattern. The current PSL verification process requires
that we attest we own the zone at merge/build time, rather than at
runtime. We do not own "internal" outside of the VPC itself, so this
would fail.

-----

3) We operate a DNS management service used by our customers (Amazon
Route 53). In the auspices of the PSL, this would be considered as
just-another-DNS-service - there are plenty of other DNS management
services in existence, and we're likely all in the same pool here.

-----

4) Registry operators and/or DNS application developers may have a
desire to handle eTLDs/suffixes differently at runtime. This may be to
prevent human error in their service, and/or mitigate abuse or misuse
of their service. AWS is one such entity; we have applications which
currently check the PSL at runtime to prevent inappropriate ownership
claims about high value public suffixes or eTLDs.

-----

5) In Sullivan's 2016 draft [1], the specific use-case regarding HTTP
cookies is one that we care about. We think this is relevant to hosting
providers of customer-content with shared domain suffixes. This is one
of the key things we're currently interested in the PSL for.

---

[1]: draft-sullivan-dbound-problem-statement-02, s.4, ss. 1,
      "HTTP state management cookies"
https://datatracker.ietf.org/doc/html/draft-sullivan-dbound-problem-statement-02#section-4

Regards,

Ian Williams
Sr. Security Engineer
AWS Security

v2.23.0 | Report a Bug | By Email