[DNSOP] Re: Potentially interesting DNSSEC library CVE
Philip Homburg <pch-dnsop-5@u-1.phicoh.com> Thu, 25 July 2024 13:09 UTC
Return-Path: <pch-b538D2F77@u-1.phicoh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB5E1C1519AA for <dnsop@ietfa.amsl.com>; Thu, 25 Jul 2024 06:09:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J1QN7Q6YBQvv for <dnsop@ietfa.amsl.com>; Thu, 25 Jul 2024 06:09:54 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [IPv6:2a10:3781:2413:1:2a0:c9ff:fe9f:17a9]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CE27C1CAF34 for <dnsop@ietf.org>; Thu, 25 Jul 2024 06:09:48 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305) (Smail #158) id m1sWyDs-0000SdC; Thu, 25 Jul 2024 15:09:32 +0200
Message-Id: <m1sWyDs-0000SdC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
From: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
Sender: pch-b538D2F77@u-1.phicoh.com
References: <m1sWF8d-0000LsC@stereo.hq.phicoh.net> <1070949df20a6ac1f9c2c2dd401d5953bb362bf2.camel@aisec.fraunhofer.de> <m1sWe2O-0000OKC@stereo.hq.phicoh.net> <fc306ade9816e06e19a1e2c9828c1c9ef2f0e2bb.camel@gnu.org> <m1sWxJi-0000MEC@stereo.hq.phicoh.net> <6c70aa6b316f7650d84a52135a6aa24aab147788.camel@gnu.org> <m1sWxlI-0000MGC@stereo.hq.phicoh.net> <7373aae035616f1689a576117579ca054759c84d.camel@gnu.org>
In-reply-to: Your message of "Thu, 25 Jul 2024 12:49:31 +0000 ." <7373aae035616f1689a576117579ca054759c84d.camel@gnu.org>
Date: Thu, 25 Jul 2024 15:09:31 +0200
Message-ID-Hash: 2TDWK6BPA6DD23IZVWHHFUSUOHN5ZJVE
X-Message-ID-Hash: 2TDWK6BPA6DD23IZVWHHFUSUOHN5ZJVE
X-MailFrom: pch-b538D2F77@u-1.phicoh.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Martin Schanzenbach <schanzen@gnu.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Potentially interesting DNSSEC library CVE
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/64sftXQSzSGAiOOwSbhIih9vExI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
>Are you trying to say that the behaviour of a validating stub resolver >is not in scope of the work on DNS(SEC)? >Because I was pretty sure it is. >See Thomas' post before on how separating validation from result >filtering (following the CNAME-chain) would be tricky to do outside of >the validating stub resolver (or only with significant overhead and re- >validation) for any implementation. The function of a stub resolver is to send a DNS query to a recursive resolver and receive a reply. How the request is sent and how reply is validated is within the scope of the IETF. What happens later with the reply is not part of the stub resolver requirements. A DNSSEC validator is basically a function that can assign a status to a reply message: secure, insecure, indeterminate or bogus. Based on these, the a validating resolver can set the rcode to SERVFAIL, set or clear the AD bit. Filtering of DNSSEC secure replies is not tricky. It is just following CNAMEs until either a suitable RRset is found (or collection of RRsets) or nothing. In any case, if you don't like the protocol between the stub resolver and recursive resolver, the come with a concrete proposal to fix it. The IETF does not create standards for APIs. So a validating stub resolver is not really something that can be defined, because it is not a protocol.
- [DNSOP] Potentially interesting DNSSEC library CVE Bellebaum, Thomas
- [DNSOP] Re: Potentially interesting DNSSEC librar… Philip Homburg
- [DNSOP] Re: Potentially interesting DNSSEC librar… Bellebaum, Thomas
- [DNSOP] Re: Potentially interesting DNSSEC librar… Ted Lemon
- [DNSOP] Re: Potentially interesting DNSSEC librar… Philip Homburg
- [DNSOP] Re: Potentially interesting DNSSEC librar… Martin Schanzenbach
- [DNSOP] Re: Potentially interesting DNSSEC librar… Philip Homburg
- [DNSOP] Re: Potentially interesting DNSSEC librar… Martin Schanzenbach
- [DNSOP] Re: Potentially interesting DNSSEC librar… Philip Homburg
- [DNSOP] Re: Potentially interesting DNSSEC librar… Martin Schanzenbach
- [DNSOP] Re: Potentially interesting DNSSEC librar… Philip Homburg
- [DNSOP] Re: Potentially interesting DNSSEC librar… Bellebaum, Thomas
- [DNSOP] Re: Potentially interesting DNSSEC librar… Mark Andrews
- [DNSOP] Re: Potentially interesting DNSSEC librar… Mark Andrews