Re: [dns-privacy] [Ext] DS Hacks

Paul Hoffman <paul.hoffman@icann.org> Fri, 30 July 2021 20:49 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Robert Evans <evansr@google.com>
CC: Ben Schwartz <bemasc@google.com>, DNS Privacy Working Group <dns-privacy@ietf.org>
Thread-Topic: [dns-privacy] [Ext] DS Hacks
Thread-Index: AQHXhXk5PawZYx3i9Uyx6HsVukIy/qtccySA
Date: Fri, 30 Jul 2021 20:49:22 +0000
Message-ID: <4AE29BBE-9B29-4E89-93CF-14153B25FD5C@icann.org>
References: <CAHbrMsAXFiPT_P_hdWXborXnbw3YagjW6aXXvGJnxWbtRofB2g@mail.gmail.com> <5f649d68-94be-579a-31c6-6ad02466cd15@time-travellers.org> <CAHbrMsCj8LzJff7BXwnY4TOcOU2POuZfP4h+fyA6VUKeGpksCQ@mail.gmail.com> <E0430A84-D844-4B79-B71F-A92A21942329@icann.org> <CAHbrMsCPPq-o8U4mhFPZ1U+GE+57yneEGo7AD5uDQ_QDDUO0rw@mail.gmail.com> <03FDA925-2BC3-4830-B27B-5F6E19676678@icann.org> <CAPp9mxJM1b4+OFHX0x6QwhoJpE+8Sz82K_e=DJ9EJFaK691_3Q@mail.gmail.com>
In-Reply-To: <CAPp9mxJM1b4+OFHX0x6QwhoJpE+8Sz82K_e=DJ9EJFaK691_3Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/UmWq4Eemxb0kO7VlQjZtCjHy0Lo>
Subject: Re: [dns-privacy] [Ext] DS Hacks

Thanks! If this is indeed what Ben meant, that works for me. (Apologies for being That Kind Of Person who mostly thinks in examples...)

Given the discussion yesterday, we would also want a signal for "authenticate me or die" versus "I'm fine if you can't authenticate me", but that's an easy detail to add to the format.

--Paul Hoffman

On Jul 30, 2021, at 12:29 PM, Robert Evans <evansr@google.com> wrote:
> 
> If I understand correctly, the encoding could cover any below-the-cut records in the referral response.
> 
> For in-bailiwick response, this would be the child NS rrset, glue A/AAAA records, and SVCB records:
> 
> ;; Authority
> example.com NS ns1.example.com
> example.com NS ns2.example.com
> 
> ;; Additional
> ns1.example.com A 192.0.2.1
> ns1.example.com AAAA 2001:db8::1
> ns2.example.com A 192.0.2.2
> ns2.example.com AAAA 2001:db8::2
> 
> There could be a DS record that contains encoded RDATA:
> rr_type=NS prefix=<empty> rdata="ns1.example.com"
> rr_type=NS prefix=<empty> rdata="ns2.example.com"
> rr_type=A prefix=ns1 rdata="192.0.2.1"
> rr_type=A prefix=ns2 rdata="192.0.2.2"
> rr_type=AAAA prefix=ns1 rdata="2001:db8::1"
> rr_type=AAAA prefix=ns2 rdata="2001:db8::2"
> rr_type=SVCB prefix=_dns.ns1 rdata="ns1.example.com 1 alpn=dot adox=tlsa"
> rr_type=SVCB prefix=_dns.ns2 rdata="ns2.example.com 1 alpn=dot adox=pki"
> 
> (Or maybe leave out the A and AAAA records, but that makes it easier for attackers to trick resolvers into talking to malicious endpoints.)
> 
> For out-of-bailiwick response, this would be only child NS records.
> 
> ;; Authority
> example.com NS ns1.other-example.com
> example.com NS ns2.other-example.com
> 
> ;; Additional
> <empty>
> 
> There would be a DS record that contains encoded RDATA:
> rr_type=NS prefix=<empty> rdata="ns1.other-example.com"
> rr_type=NS prefix=<empty> rdata="ns2.other-example.com"
> 
> This referral conveys no authenticated SVCB (only authenticated NS names), so encryption-aware recursive resolvers would query for SVCB in parallel with A and AAAA queries for the name servers.
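The encoding sketched in Robert's message, worked through as an added Python example (this is illustrative code written for this thread, not code from any draft, resolver, or from Paul or Robert). It packs the (rr_type, prefix, rdata) triples into an opaque blob of the kind that would ride in the DS digest field, decodes them back, expands the prefixes against the delegated zone name, and then does what a validating resolver would want to do with the result: compare the unsigned glue in the referral against the authenticated set and report anything extra or missing. The wire layout (constructed type codes, length-prefixed ASCII strings) and the per-entry must_authenticate bit standing in for the "authenticate me or die" signal are assumptions made here; the sample entries and the forged-glue referral are constructed from the in-bailiwick example above.

```python
"""Round-trip and referral-check for the 'records carried in DS RDATA' idea.

Illustrative only: the byte layout and type codes are constructed for this
example and are not a registered or drafted encoding.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Constructed type codes for the encoded entries (assumption, not a registry).
RR_CODES = {"A": 1, "NS": 2, "AAAA": 28, "SVCB": 64}
CODE_TO_RR = {v: k for k, v in RR_CODES.items()}


@dataclass(frozen=True)
class EncodedRR:
    rr_type: str
    prefix: str                      # relative to the delegated zone; "" = apex
    rdata: str
    must_authenticate: bool = False  # hypothetical "authenticate me or die" bit


def _pack_str(s: str) -> bytes:
    b = s.encode("ascii")
    return struct.pack("!H", len(b)) + b


def _unpack_str(blob: bytes, pos: int):
    (n,) = struct.unpack_from("!H", blob, pos)
    pos += 2
    return blob[pos:pos + n].decode("ascii"), pos + n


def encode(entries) -> bytes:
    """Serialise entries: count, then per entry type code, flag, prefix, rdata."""
    out = bytearray(struct.pack("!H", len(entries)))
    for e in entries:
        out += struct.pack("!HB", RR_CODES[e.rr_type], int(e.must_authenticate))
        out += _pack_str(e.prefix) + _pack_str(e.rdata)
    return bytes(out)


def decode(blob: bytes):
    """Inverse of encode(); rejects trailing garbage rather than ignoring it."""
    (count,) = struct.unpack_from("!H", blob, 0)
    pos, entries = 2, []
    for _ in range(count):
        code, flag = struct.unpack_from("!HB", blob, pos)
        pos += 3
        prefix, pos = _unpack_str(blob, pos)
        rdata, pos = _unpack_str(blob, pos)
        entries.append(EncodedRR(CODE_TO_RR[code], prefix, rdata, bool(flag)))
    if pos != len(blob):
        raise ValueError("trailing bytes in encoded DS payload")
    return entries


def _norm_rdata(rr_type: str, rdata: str) -> str:
    # Canonicalise addresses so 2001:DB8:0::1 and 2001:db8::1 compare equal.
    if rr_type in ("A", "AAAA"):
        return str(ipaddress.ip_address(rdata))
    return rdata.lower().rstrip(".")


def expand(zone: str, entries):
    """Rebuild absolute (owner, type, rdata) triples from prefix-relative entries."""
    zone = zone.lower().rstrip(".")
    return {
        (f"{e.prefix}.{zone}" if e.prefix else zone, e.rr_type,
         _norm_rdata(e.rr_type, e.rdata))
        for e in entries
    }


def check_referral(zone: str, entries, referral):
    """Return (unexpected, missing): unsigned referral RRs the authenticated
    DS-carried set does not vouch for, and vouched-for RRs the referral lacks."""
    expected = expand(zone, entries)
    seen = {(o.lower().rstrip("."), t, _norm_rdata(t, r)) for o, t, r in referral}
    return seen - expected, expected - seen


# Constructed sample: the in-bailiwick case from the message above.
SAMPLE_ENTRIES = [
    EncodedRR("NS", "", "ns1.example.com"),
    EncodedRR("NS", "", "ns2.example.com"),
    EncodedRR("A", "ns1", "192.0.2.1"),
    EncodedRR("A", "ns2", "192.0.2.2"),
    EncodedRR("AAAA", "ns1", "2001:db8::1"),
    EncodedRR("AAAA", "ns2", "2001:db8::2"),
    EncodedRR("SVCB", "_dns.ns1", "ns1.example.com 1 alpn=dot adox=tlsa", True),
    EncodedRR("SVCB", "_dns.ns2", "ns2.example.com 1 alpn=dot adox=pki", True),
]

# Constructed referral whose ns2 A glue was altered (192.0.2.99 instead of .2).
SAMPLE_REFERRAL = [
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("ns1.example.com.", "AAAA", "2001:DB8:0:0::1"),
    ("ns2.example.com.", "A", "192.0.2.99"),
    ("ns2.example.com.", "AAAA", "2001:db8::2"),
    ("_dns.ns1.example.com.", "SVCB", "ns1.example.com 1 alpn=dot adox=tlsa"),
    ("_dns.ns2.example.com.", "SVCB", "ns2.example.com 1 alpn=dot adox=pki"),
]

if __name__ == "__main__":
    blob = encode(SAMPLE_ENTRIES)
    assert decode(blob) == SAMPLE_ENTRIES
    print(check_referral("example.com", decode(blob), SAMPLE_REFERRAL))
```

The comparison is deliberately set-based: a resolver that carries the authenticated triples from the DS record only needs to know whether each unsigned glue record it was handed is vouched for, and the must_authenticate bit lets it decide per entry whether an unvouched or missing record is fatal or merely downgrades to the parallel SVCB/A/AAAA lookups described for the out-of-bailiwick case.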