IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

Evan Hunt <each@isc.org> Fri, 02 October 2015 03:41 UTC

Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 952D11ACCE9 for <dnsop@ietfa.amsl.com>; Thu, 1 Oct 2015 20:41:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.611
X-Spam-Level:
X-Spam-Status: No, score=-6.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vqwAuwSzrNeR for <dnsop@ietfa.amsl.com>; Thu, 1 Oct 2015 20:41:05 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FCBE1ACCEF for <dnsop@ietf.org>; Thu, 1 Oct 2015 20:41:05 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [149.20.48.19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.pao1.isc.org (Postfix) with ESMTPS id BF1243493CD; Fri, 2 Oct 2015 03:41:01 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id B1169216C59; Fri, 2 Oct 2015 03:41:01 +0000 (UTC)
Date: Fri, 02 Oct 2015 03:41:01 +0000
From: Evan Hunt <each@isc.org>
To: Ólafur Guðmundsson <olafur@cloudflare.com>
Message-ID: <20151002034101.GA60555@isc.org>
References: <20150930190405.17300.40441.idtracker@ietfa.amsl.com> <20151001025833.GA51655@isc.org> <0F438B6C-4797-4250-ABCA-4C5AE1D5F232@hopcount.ca> <20151001050850.GA51763@isc.org> <CAN6NTqyskX6AhnHzchAaOBEjWcehnhj2P7rot39Pi4VY==Ongg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAN6NTqyskX6AhnHzchAaOBEjWcehnhj2P7rot39Pi4VY==Ongg@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/7-glUEQlMcdCvH8zngtxItP6KqU>
Cc: dnsop <dnsop@ietf.org>, Joe Abley <jabley@hopcount.ca>, Ólafur Guðmundsson <olafuratcloudflare.com@isc.org>
Subject: Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Oct 2015 03:41:06 -0000

On Thu, Oct 01, 2015 at 09:02:09AM -0700, Ólafur Guðmundsson wrote:
> Only validating resolver will send follow up query,

Correct, but it would send them to every name server until it
got a non-bogus reply. This is unnecessary collateral damage.

> Here is the deal there are 3 sources of ANY queries to authoritative
> servers
> a) Malicious ones  both direct or reflected flood via open resolvers
> b) Someone debugging or trying to zone walk
> c) Resolver forwarding a ANY query because the cache for that name was
> EMPTY.

I see five categories.  Malicious queries can come in directly, or
through a resolver, or from a spoofed source.  Legitmate queries can
come in directly or through a resolver.

- With spoofed source queries it doesn't matter what we answer.  Setting
  TC=1 or dropping would be fine.

- With a direct query (from dig, for example) it doesn't matter what we
  answer. REFUSED would be fine.

- With a query from a resolver, we have to send an answer that the resolver
  will accept, so it doesn't keep trying; we also have to send an answer
  that will *not* impair the resolver's ability to resolve other names
  later.

The problem is, we can't perfectly distinguish between these categories.
DNS COOKIE will help to weed out the spoofed sources when it's deployed
widely enough to rely on, and DNS RRL will mitigate the damage, but things
will always get through.

I see no choice but to assume the least convenient case:  that a query for
type ANY is coming from a resolver which is passing along a query from a
legitimate client.

In order to avoid doing any harm to that presumptive resolver, we *must*
perform a database lookup to find out whether the qname exists and whether
it's below a zone cut, so we'll know whether to return NXDOMAIN, a
delegation, or a minimized response.  And if the zone is signed and
we're sending a minimized response, then it *must* include a valid
signature.

> There is NO need to sign, unsigned HINFO returned for ANY query looks to an
> validating resolver just like an
> incomplete answer thus it can either return the HINFO or ask the followup
> question for the HINFO and get a signed
> denial that the HINFO exists ==> which looks like the HINFO was just
> deleted from the zone i.e. temporal inconsistency.

It doesn't look like an incomplete answer; it looks like a *bogus* answer.
A validating resolver will react by sending the same query to every other
auth server for the zone until it gets something that validates.
Eventually it'll SERVFAIL, and at that point perhaps the application
will do something sensible, but we're wasting resolver resources in the
meantime.

> Given the assumption that we are optimizing for defense there is no need
> for an authoritative resolver to know if it is authoritative for the zone
> the query was for, it can just return HINFO as an negative answer to the
> ANY query type.

You've got to search the database for zone cuts, or you'll end up with a
resolver thnking example.com is authoritative for www.child-zone.example.com.

You've got to search down to see if there's a leaf node above the qname,
or the resolver won't be able to use a cached NXDOMAIN as a signal to
stop sending queries for descendant nodes in the future.

> In our proposal you are optimizing for c) without knowing if the type you
> return is of value to the originator of the query,

I don't care whether the response is of value to the originator; I'd
return no answer at all if I could.  (Unfortunately, NODATA for type ANY
is interpreted by some caches to mean "no data of any type", and REFUSED
wouldn't stop a resolver from asking.)

> furthermore your answer is likely to be larger.

Admittedly true.  Still an improvement over conventional ANY responses.

> If we agree that both are acceptable and each server only needs to support
> one of the two then that is fine with me.

Both are acceptable as long as we don't break the DNS.

I cannot support a proposal that does break the DNS.

If we do what's necessary to avoid breaking the DNS, then I don't
believe there's any practical advantage to the HINFO approach, but
I wouldn't oppose.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.

v2.23.0 | Report a Bug | By Email