Re: [dns-privacy] Registry framework for draft-ietf-dprive-early-data
alessandro@ghedini.me Thu, 23 July 2020 11:57 UTC
Return-Path: <alessandro@ghedini.me>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F4B83A09A9 for <dns-privacy@ietfa.amsl.com>; Thu, 23 Jul 2020 04:57:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ghedini.me
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y7cBgWw0M6LL for <dns-privacy@ietfa.amsl.com>; Thu, 23 Jul 2020 04:57:14 -0700 (PDT)
Received: from blastoise.ghedini.me (blastoise.ghedini.me [45.32.158.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D9ED3A0991 for <dns-privacy@ietf.org>; Thu, 23 Jul 2020 04:57:13 -0700 (PDT)
Received: from localhost (unknown [IPv6:2a02:8010:6241:1:25ff:44c:b55a:4389]) by blastoise.ghedini.me (Postfix) with ESMTPSA id B0F53DF29C; Thu, 23 Jul 2020 11:57:07 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ghedini.me; s=mail; t=1595505427; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=KyQsLjtKvgn1Lj6eLtIEQzMlXtLvB3Uc8EV4f2Vdie0=; b=cyFZ3p6wn232OGQF1E9PAAzhJHfj6bc7gV8+BCGTj3ZXej5fHwUEf9/c8XvpM4Gv9Ekv3x DQeMjmruMv4RtlDTdLAZR769k2eNd1Azt/j6JMWzE2lFaoMOLrS1XE38U0CD7r3D8w6UtA bnpLLkmy9+dvUcgZV/8GIrhGhe2mP5k=
Date: Thu, 23 Jul 2020 12:57:02 +0100
From: alessandro@ghedini.me
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Brian Haberman <brian@innovationslab.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Message-ID: <20200723115702.GA5505@wakko.flat11.house>
References: <d812edb8-b3b3-d1db-13e8-8da9a945516d@innovationslab.net> <20200722192652.GA486629@LK-Perkele-VII>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20200722192652.GA486629@LK-Perkele-VII>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/n9c-KIRDRq0f46TyZKl2cvUweW4>
Subject: Re: [dns-privacy] Registry framework for draft-ietf-dprive-early-data
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 11:57:16 -0000
On Wed, Jul 22, 2020 at 10:26:52PM +0300, Ilari Liusvaara wrote: > On Wed, Jul 22, 2020 at 12:00:43PM -0400, Brian Haberman wrote: > > Hi all, > > I have a proposal for the working group that I would like some > > feedback on. https://tools.ietf.org/html/draft-ietf-dprive-early-data-00 > > calls out the need for an IANA registry to track which RR Types are > > allowed to be carried as early data during the TLS session establishment > > process. Rather than creating yet another IANA registry, I propose that > > we add a column to the current RR Type registry that indicates whether > > the RR Type is allowed as early data. For reference... > > > > https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4 > > > > Thoughts on this? > > I think this is a Bad Idea. > > The fact that RRTYPE is data RRtype (1-127, 256-61439) already > establishes it is safe to send as QTYPE in QUERY. Having any unsafe > things there would already cause major security issues, as DNS > specifications are very clear that servers MUST NOT refuse > requests by data QTYPE. Yes, some data TYPEs are special (especially > NS, CNAME and some DNSSEC stuff), but it is still requirement to not > have any harmful effects. > > However, this does not make any of them safe, only that none is > specially unsafe. With recursives, bad things happen if network > attacker can replay 0-RTT data after cache expiry. At worst, this can > completely compromise the query contents. It looks that one could > check the ticket age with fairly tight tolerances (failing is only > one (likely fast) extra RTT) to prevent this from happening. Are you saying we shouldn't have a list of allowed RR types at all and just limiting to QUERY messages is enough? I asked this question at the last meeting and the responses were mixed. I'm not against removing the list btw, though I guess it would be helpful to hear from people who disagree on why they disagree. > Types that are not data RRtypes might be more mixed bag. Those may > have side effects, and also contains the infamous TYPE *. The reason > that TYPE is infamous is that its semantics are not quite sensible, > and especially that it tends to cause large answers. > > Then there are CLASSes. The data CLASSes (1-127 and 32768-57343) need > to be safe. The other defined classes are NONE and *, which have no > sensible semantics in QUERY. Also unlike unknown TYPEs, unkown CLASSes > can be refused (REFUSED is sensible for authoritative, and NXDOMAIN for > recursive). > > However, there is a potential source of unsafety even in QUERY > with data QTYPE: EDNS extensions. The base EDNS is safe and essential. > However, EDNS extensions can do who knows what, and some of them might > be very much not safe. However, there are some that seem useful. > > On useful end, there are various DNSSEC advertisment extensions (e.g., > ??U and edns-key-tag). As well as Extended DNS Error. On dubious end > there are things like LLQ and UL (and potentially other stuff as well). I guess we can add some text on EDNS to the draft as well. Cheers
- [dns-privacy] Registry framework for draft-ietf-d… Brian Haberman
- Re: [dns-privacy] Registry framework for draft-ie… Ilari Liusvaara
- Re: [dns-privacy] Registry framework for draft-ie… Ben Schwartz
- Re: [dns-privacy] Registry framework for draft-ie… alessandro
- Re: [dns-privacy] Registry framework for draft-ie… Ilari Liusvaara
- Re: [dns-privacy] Registry framework for draft-ie… Tony Finch
- Re: [dns-privacy] Registry framework for draft-ie… Ben Schwartz
- Re: [dns-privacy] Registry framework for draft-ie… Peter van Dijk
- Re: [dns-privacy] Registry framework for draft-ie… Peter van Dijk
- Re: [dns-privacy] Registry framework for draft-ie… Benjamin Kaduk