Re: [dns-privacy] [Ext] DS Hacks
Robert Evans <evansr@google.com> Fri, 30 July 2021 19:29 UTC
Return-Path: <evansr@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36A593A0C33 for <dns-privacy@ietfa.amsl.com>; Fri, 30 Jul 2021 12:29:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.097
X-Spam-Level:
X-Spam-Status: No, score=-18.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.499, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iEtPlXJxWmtP for <dns-privacy@ietfa.amsl.com>; Fri, 30 Jul 2021 12:29:30 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14C823A0C2F for <dns-privacy@ietf.org>; Fri, 30 Jul 2021 12:29:29 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id a13so12762344iol.5 for <dns-privacy@ietf.org>; Fri, 30 Jul 2021 12:29:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3sulMcm+SvSK0rPiN5iE2tQqgZrSI+X/2w+vWQDZQ0U=; b=gMUTXgYgD4ThzBUP0SmUVvgli2lziuCTv4jIJOrUWpNZ8gw8Tatx72ZISakeeZxgsC OYUldfh+k1M/UR3t3sLoSQz0dMwZB5mAvy2w7OB/ob14r0mUm83bccfF6NwvJZ/IcDey vrg1C3ueCnefOOu0md727mGb5rM+h4JhAnt00EhSjee1pEcILVOVis+iIPlQv8MAZ5D2 gs79RO7/kvIoDKI3/ttk/XqKcj01riiNy1dxdm3HhYC2bqYNLXHkr58zNJdExvqVTBEt KLMDi6NNqExn9vyuoCYTVgZ/uLeCVuHcCnrrM+1czj3ka+5iH/CHrSoZkNgpH3jvrHiO rhrg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3sulMcm+SvSK0rPiN5iE2tQqgZrSI+X/2w+vWQDZQ0U=; b=uPpBDA4uyyEtbKZuNjCR7jbUPb+wf/YVsBy5PpP5W/Zgz/PuZ7d6RG+a1Be9ERaw3M uWsReBpRBAL295+YpvFzX5G8mjIeogCS07yNV+rcoMCB3bH6CMYKcx1VSy/padSadmeq GgxNaxqGVRdSXdDHYlY/iaK66uNGaW4n46GkxO0Hs4e64hvJbBc2Xk8ZXIbMD8eZMw5k A2qv1bCnmrVljgnCOjg6tMidyLojJlJO6ohLnhFZhGoy3VzV/lFRO7oH1ooTCjQuvL0i aCLXAv9Ye18AlJZtVoP3ILc9wFnO6zlnI18f3JoI5Px2ZoVhKNxpMydhbuQo13vTicI2 KfLw==
X-Gm-Message-State: AOAM533AuKzmhICuWTd4JPzcMSCvku26gdRVOlJCixQxHswCidT/nGXp 2/mjRl33fzdIQ654ymsQn+QQ8RVRBk506o47MmYWsA==
X-Google-Smtp-Source: ABdhPJy+KPFasROket49wco/a/tTgKSApofeQvEqOb0ZDpxHzl740CYz6aDT077NAAIQ2YqkTr2txQsR9P654R2PQWk=
X-Received: by 2002:a05:6602:1647:: with SMTP id y7mr2289716iow.30.1627673368429; Fri, 30 Jul 2021 12:29:28 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbrMsAXFiPT_P_hdWXborXnbw3YagjW6aXXvGJnxWbtRofB2g@mail.gmail.com> <5f649d68-94be-579a-31c6-6ad02466cd15@time-travellers.org> <CAHbrMsCj8LzJff7BXwnY4TOcOU2POuZfP4h+fyA6VUKeGpksCQ@mail.gmail.com> <E0430A84-D844-4B79-B71F-A92A21942329@icann.org> <CAHbrMsCPPq-o8U4mhFPZ1U+GE+57yneEGo7AD5uDQ_QDDUO0rw@mail.gmail.com> <03FDA925-2BC3-4830-B27B-5F6E19676678@icann.org>
In-Reply-To: <03FDA925-2BC3-4830-B27B-5F6E19676678@icann.org>
From: Robert Evans <evansr@google.com>
Date: Fri, 30 Jul 2021 15:29:17 -0400
Message-ID: <CAPp9mxJM1b4+OFHX0x6QwhoJpE+8Sz82K_e=DJ9EJFaK691_3Q@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: Ben Schwartz <bemasc@google.com>, DNS Privacy Working Group <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000efdac205c85c3ca7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/cuxlDzLUSMqGAnNRc-BE-CUkU-I>
Subject: Re: [dns-privacy] [Ext] DS Hacks
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 19:29:35 -0000
If I understand correctly, the encoding could cover any below-the-cut records in the referral response. For in-bailiwick response, this would be the child NS rrset, glue A/AAAA records, and SVCB records: ;; Authority example.com NS ns1.example.com example.com NS ns2.example.com ;; Additional ns1.example.com A 192.0.2.1 ns1.example.com AAAA 2001:db8::1 ns2.example.com A 192.0.2.2 ns2.example.com AAAA 2001:db8::2 There could be a DS record that contains encoded RDATA: rr_type=NS prefix=<empty> rdata="ns1.example.com" rr_type=NS prefix=<empty> rdata="ns2.example.com" rr_type=A prefix=ns1 rdata="192.0.2.1" rr_type=A prefix=ns2 rdata="192.0.2.2" rr_type=AAAA prefix=ns1 rdata="2001:db8::1" rr_type=AAAA prefix=ns2 rdata="2001:db8::2" rr_type=SVCB prefix=_dns.ns1 rdata="ns1.example.com 1 alpn=dot adox=tlsa" rr_type=SVCB prefix=_dns.ns2 rdata="ns2.example.com 1 alpn=dot adox=pki" (Or maybe leave out the A and AAAA records, but that makes it easier for attackers to trick resolvers into talking to malicious endpoints.) For out-of-bailiwick response, this would be only child NS records. ;; Authority example.com NS ns1.other-example.com example.com NS ns2.other-example.com ;; Additional <empty> There would be a DS record that contains encoded RDATA: rr_type=NS prefix=<empty> rdata="ns1.other-example.com" rr_type=NS prefix=<empty> rdata="ns2.other-example.com" This referral conveys no authenticated SVCB (only authenticated NS names), so encryption-aware recursive resolvers would query for SVCB in parallel with A and AAAA queries for the name servers. On Fri, Jul 30, 2021 at 2:10 PM Paul Hoffman <paul.hoffman@icann.org> wrote: > On Jul 30, 2021, at 10:37 AM, Ben Schwartz <bemasc@google.com> wrote: > > > > > > > > On Fri, Jul 30, 2021 at 1:34 PM Paul Hoffman <paul.hoffman@icann.org> > wrote: > > I'm confused here. Are you saying that the DS owner name for an > out-of-bailiwick NS would still be the name of that NS? > > > > No, it would be the owner name of that NS record, which is the child > apex. This is also the owner name of the DS record. The name of the NS is > in the RDATA. > > Sorry that I'm being dense. Having some examples with both in-bailiwick > and out-of-bailiwick NSs would be useful (at least to me). > > --Paul Hoffman > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy >
- [dns-privacy] DS Hacks Ben Schwartz
- Re: [dns-privacy] DS Hacks Shane Kerr
- Re: [dns-privacy] DS Hacks Ben Schwartz
- Re: [dns-privacy] [Ext] DS Hacks Paul Hoffman
- Re: [dns-privacy] [Ext] DS Hacks Ben Schwartz
- Re: [dns-privacy] [Ext] DS Hacks Paul Hoffman
- Re: [dns-privacy] [Ext] DS Hacks Robert Evans
- Re: [dns-privacy] [Ext] DS Hacks Paul Hoffman
- Re: [dns-privacy] [Ext] DS Hacks Ben Schwartz
- [dns-privacy] DS glue Paul Hoffman
- Re: [dns-privacy] [Ext] DS Hacks Ilari Liusvaara
- Re: [dns-privacy] [Ext] DS Hacks Ben Schwartz
- Re: [dns-privacy] [Ext] DS glue Paul Hoffman
- Re: [dns-privacy] [Ext] DS glue Ben Schwartz
- Re: [dns-privacy] [Ext] DS glue Alexander Mayrhofer
- Re: [dns-privacy] [Ext] DS glue Ben Schwartz
- Re: [dns-privacy] [Ext] DS glue Alexander Mayrhofer
- Re: [dns-privacy] [Ext] DS glue Ben Schwartz