Re: [dns-privacy] DS Hacks

Shane Kerr <shane@time-travellers.org> Fri, 30 July 2021 16:10 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ZKgIXaQ0qrRqG8VLtUjO54h-dIs>

On 30/07/2021 17.30, Ben Schwartz wrote:
> It seems like there's still interest in DS hacks.  Here's how I would do 
> a DS hack.
> 
> 1. Use the VERBATIM hash from
> https://datatracker.ietf.org/doc/html/draft-vandijk-dnsop-ds-digest-verbatim
> 
> 2. Use a new Algorithm Number like
> https://datatracker.ietf.org/doc/html/draft-fujiwara-dnsop-delegation-information-signer-00.
> This number is named "DS Glue", and MUST only be used with the VERBATIM
> hash.
> 
> 3. In the digest field, encode one "DS glue" record as follows:
> 
> struct DSGlueFakeDigest {
>    uint16 rr_type;
>    DNSName prefix;  // Labels prepended to the DS owner name.
>    uint8[] rdata;
> }
> 
> DS-glue-aware resolvers ignore any unsigned glue with this RR type and 
> owner name.

So this is generic, and can store any record. We don't need TTL since 
this is just for glue and really shouldn't be cached, and we don't need 
class because we don't ever need class. 😉

This can't store out-of-bailiwick data, which means we can't secure an 
arbitrary NS RRset this way. Converting DNSName from "prefix" to just 
"name" would allow that. This seems useful as it would eliminate a 
potential means for an attacker to get you to connect to their servers 
(which is, spoofing a reply with a bogus NS RRset, since delegation NS 
are not signed in DNSSEC because DNS is stupid).

> 4. For ADoX, place NS records (with a prefix like "ns3.") and SVCB 
> records (with a prefix like "_dns.ns3.") in the DS glue.


--
Shane
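An added worked example, not code from this thread or from either draft: a Python encoder/decoder for the DSGlueFakeDigest layout quoted above, plus the owner-name reconstruction that shows why a prefix-only field keeps the glue in bailiwick. The algorithm number and digest type are assumed placeholders, since neither is assigned, and the sample A/SVCB rdata is constructed.

```python
import struct

# Placeholder code points: neither value is assigned in the drafts quoted above.
ALG_DS_GLUE = 250      # assumed, not a real IANA DNSSEC algorithm number
DIGEST_VERBATIM = 250  # assumed, not a real IANA DS digest type
TYPE_A, TYPE_SVCB = 1, 64

def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(buf, pos):
    """Return (labels, pos after name); compression pointers are rejected."""
    labels = []
    while buf[pos] != 0:
        n = buf[pos]
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in a digest")
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return labels, pos + 1

def encode_ds_glue(rr_type, prefix, rdata):
    """DSGlueFakeDigest: uint16 rr_type, wire-format prefix, then rdata to the end."""
    return struct.pack("!H", rr_type) + encode_name(prefix) + rdata

def decode_ds_glue(digest, ds_owner):
    """Parse the digest and rebuild the glue RR's owner from prefix + DS owner.
    Because only a prefix is carried, the owner is always at or below the DS owner."""
    (rr_type,) = struct.unpack("!H", digest[:2])
    labels, pos = decode_name(digest, 2)
    parts = labels + [l for l in ds_owner.split(".") if l]
    return rr_type, ".".join(parts) + ".", digest[pos:]

def ds_rdata(key_tag, digest):
    """DS RDATA: key tag, algorithm, digest type, digest (RFC 4034 layout)."""
    return struct.pack("!HBB", key_tag, ALG_DS_GLUE, DIGEST_VERBATIM) + digest

def glue_is_covered(ds_glue_entries, owner, rr_type):
    """A DS-glue-aware resolver ignores unsigned glue whose (owner, type) the DS set covers."""
    return (owner.lower(), rr_type) in {(o.lower(), t) for t, o, _ in ds_glue_entries}
```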