Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information

tirumal reddy <kondtir@gmail.com> Tue, 06 August 2019 08:04 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9563120131 for <dnsop@ietfa.amsl.com>; Tue, 6 Aug 2019 01:04:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j7HZiIZKtsgg for <dnsop@ietfa.amsl.com>; Tue, 6 Aug 2019 01:04:27 -0700 (PDT)
Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48689120121 for <dnsop@ietf.org>; Tue, 6 Aug 2019 01:04:27 -0700 (PDT)
Received: by mail-oi1-x235.google.com with SMTP id 65so65260789oid.13 for <dnsop@ietf.org>; Tue, 06 Aug 2019 01:04:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=imDWyEtfx6CgdgimjV3IEoGm4JG30zVndFEUdBazQwA=; b=YNtMoWZaLzckkaxaz3zdo8mLwYRRRcpgJeltiZ3HMoNCOeFODTGg2SoWGT9hyMUQV6 Zm32DMbe734Ab6SCujsxJIoBulnlIJV8Vx78wV4j+VJSlPftCR+BlQ901YG8rPGQtplY iH8s5pbObLItbMxyblWCzMpdM5eNf0CeriCxwvCpRfhpWzuQp2sGOqN7YYzzKRTgRWb3 uy4kF1Rxwso64nU9eYUis4rinv3GHO8SHpzcpi+ptQMRPI+TWql6XcjyaPQC+igkBOlk h0tOsDmtcyDgXvM92X4HR2xYBYhYVIiv1ZeGS5NpkKXOslYsx2r7EXLJ3UjSPeFR0I/5 UVdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=imDWyEtfx6CgdgimjV3IEoGm4JG30zVndFEUdBazQwA=; b=cc9e/EK4ag/PaaqGHYZ0E3FMdE6qEQxs1MY8XcMMiE4L5wooxU1tJxO6q6tSWQycHX bfgca7VrMTm3FLHWnR7ZytPn1feLH/BoUUCqC4+WixGoUA6pYFSQbWgGpas9fBoCso1Q Oueoba5aZYN64LRjTzauSw+fb1ZSvrQpMfOY0SOzPCLi9qV76yuycD6JBkoUZ1ubbpZ/ 7/nbUbZ1J6UiP2fVWx9pK6Ivxl5j6r/z1wma29x544Uro3upRt20OQZnQlwpUhxDRI9O fswi/7LqkbodXgJDdBaf3PqpqtrzU4jjviTWvF4vnQPqkeV8Wb73erx+EWiUgPwnOwwY SVtQ==
X-Gm-Message-State: APjAAAVYXjD42y2bIaOJxxKQSCDzqbqrWp6IFQLfSyBZsgSOKrqBEVhS kN/yoUuwTxb/KzbbXB5UALRKx2U/a/EXkp0q1zI=
X-Google-Smtp-Source: APXvYqwOJADR93o+0TJRDdhYxQ9cTqYPl9yotdqp2yC0rB/AMd+PyULig1/L8s3b12UoMZ0iFEvr1bIvijS0ca313ag=
X-Received: by 2002:a02:c50a:: with SMTP id s10mr2900521jam.106.1565078666477; Tue, 06 Aug 2019 01:04:26 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+EUk_Qmnk=x3-om1OMjSMFrhd9qFUKTEBk6qWjh6fgRXQ@mail.gmail.com> <CAFpG3gc7bvJNo3SF=anU5aPfEjF0j-c2q8ZUHH3Gd684m9Ypyg@mail.gmail.com> <02BB3B07-F1C1-4D2B-BA08-EF1A5AAACA4C@icann.org>
In-Reply-To: <02BB3B07-F1C1-4D2B-BA08-EF1A5AAACA4C@icann.org>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 6 Aug 2019 13:34:14 +0530
Message-ID: <CAFpG3gcdxpd=rh93nipx9QcuOgwMo--qZhoEbtg=cM8aHG=fQQ@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f60466058f6e4540"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/B5rTyUO9rnvgsFDD-8vkZPaQWaI>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2019 08:04:31 -0000

Hi Paul,

Please see inline

On Mon, 5 Aug 2019 at 19:56, Paul Hoffman <paul.hoffman@icann.org> wrote:

> Thank you for your detailed list
>
> On Aug 5, 2019, at 4:07 AM, tirumal reddy <kondtir@gmail.com> wrote:
> >
> > I did not receive response to the attacks discussed in
> https://mailarchive.ietf.org/arch/msg/dnsop/4ubj2D4bzxS1VTsZKzcNqBcWgtM.
> > Listing the attacks and comments for further discussion:
>
> To be clear, most of what you have below are not "attacks" at all.
>

Please explain why you think these are not "attacks" at all ?


>
> > a) Attackers can also host DoH/DoT servers and claim they offer security
> and privacy policies. How will the stub resolver know the recursive server
> is not lying ?
>
> The same way it can "know" that a web site it is going to follows that
> site's claims of security and privacy policies. That is: it cannot without
> help from trusted third parties. A resolver's claims inherently can be no
> different. This can be clarified in the draft.
>

An user visiting a web site is different from an endpoint discovering a
network provided DoH/DoT server. Both good and back actors can advertise
DoH/DoT servers with the same security and privacy policies. The attacker
can also potentially block the discovery of good DoH/DoT server.

The above attacks are different from an user visiting www.google.com and
the browser rejecting the spoofed certificate from an MiTM.

How will the user/endpoint distinguish between advertised good and
malicious DoH/DoT servers  ?


>
> > b) How will the client know the policy statement is issued by a resolver
> deployed by the network administrator or by an attacker ?
>
> See above. This is barely different than the web model, if at all.
>

No, this is not the same as a web model. Attacker can host a malicious
domain, deploy DoH/DoT servers and get the server certificate signed by a
CA (it can be automated with ACME and is free of cost with letsencrypt).


>
> > c) I don't see any discussion in the draft explaining how the client
> determines the future DHCP configuration options are coming from a trusted
> > source.
>
> For the DNS method, it can use DNSSEC validation. For the HTTPS method, it
> can use normal TLS authentication. This can be clarified in the draft.
>

No, my comment is how will the client determine the future DHCP
configuration options are coming from a trusted source. TLS authentication
and DNSSEC validation will also work for malicious DoH/DoT servers.


>
> > If the source cannot be trusted, endpoint can be configured to use a
> malicious resolver server compromising the endpoint security and privacy,
> > and future DHCP configuration options will not be helpful (DHCP clients
> typically have no secure and trusted relationships to DHCP servers).
>
> Are you saying here that, because there is no typically-trusted way to get
> this information from DHCP, there should be no way to get it from the DNS
> either? If so, that seems like a harsh restriction.
>

If DHCP response can be spoofed, the endpoint has no way to know the DNS
response is coming from a trusted source even with DNSSEC and TLS
validation.

Consider the following scenario:

The network to which the endpoint attached uses OpenDNS to block access to
malicious domains. The attacker spoofs the DHCP response to send
Google DoH/DOT server instead of OpenDNS. Assuming Google does not block
access to malicious domains, the attack is successful.
Note that DNSSEC and TLS server certificate validations will not prevent
the attack.


>
> > d) What type of DNS information is self-published ?
>
> The draft clearly says that a resolver can self-publish any information it
> wants, so I don't understand the question.
>

The question is what is the information and what is its use to the
endpoint. In other words, why should a stub resolver implement this
specification and what problems will it solve to the end user ?


>
> > e) What type of decisions will the stub resolver make based on the
> features advertised by the recursive resolver ?
>
> Whichever decision it wants. This is true for any protocol, yes?
>

No, the decisions may have privacy and security implications.


>
> > f) What is the need for both new RRtype and new well-known URI ?
>
> As I said earlier in the thread, it is not a "need".
>
> Some clients who want the information will want to use HTTPS because
> that's what they already do (such as applications with DoH clients); there
> is no need to force them to also have DNS transport stacks just to get the
> information.
>
> Some clients who want the information will want to use DNS because that's
> what they already do (such as stub resolvers); there is no need to force
> them to also have HTTPS transport stacks just to get the information.
>

> > g) Why isn't the information the resolver will publish discussed in this
> document itself ?
>
> This is the same as asking "why isn't every DHCP option defined in the
> main DHCP protocol specification". We cannot know all the kinds of
> information that a resolver will want to publish. Different resolver
> operators have told me that, if this is adopted, they will suggest types of
> information they want stubs to know about them. There is no reason to
> restrict them in that, I believe.
>

DHCP discusses several options (see
https://tools.ietf.org/html/rfc3315#section-22) and discusses scope for
future options in separate documents. This draft does not even specify any
details on the information the resolver will publish.


> > h) An on-path attacker can modify the response to return NXDOMAIN
> response. How is this attack prevented ?
> >     Looks like DNSSEC validating client is mandatory to detect fake
> NXDOMAIN response.
>
> Yes, exactly. If you have a better suggestion, that would be great.
>

If DNSSEC is mandatory to implement by the endpoint, it should be specified
in the document. Please note  neither https://tools.ietf.org/html/rfc8310
 nor https://tools.ietf.org/html/rfc8484 mandate the use of DNSSEC.


>
> > i)  If the server certificate cannot be validated,  why will the client
> trust the resolver information provided by server whose identify cannot be
> validated ?
>
> That's up to a client's policy for the specific information they receive.
> Again, this is no different than DHCP.


I don't see any such client policy mentioned in
https://tools.ietf.org/html/rfc8484. Are you aware of any browsers that
ignore server certificate validation
and why would the browser ignore the results of server certificate
validation ?


> The fact that few DHCP clients actually use DHCP authentication hasn't
> stopped the world from using it widely.
>

And the world is moving away from clear text HTTP to use HTTPS. Ignoring
the server certificate validation will compromise the endpoint security and
privacy, and needs strong justification.


>
> > The draft does not look ready for adoption.
>
> Given the above, and given that the WG would be able to change any part of
> the draft it wants, do you still feel that way?


Yes, the draft look premature for adoption. As you already know, the
outcome of this work will impact DPRIVE, DoH and the discussions in ADD
mailing list. You may want to inform them about this draft, and seek
feedback.


> Or do you feel that there is no need at all for a resolver to be able to
> announce its features?
>

No.

Cheers,
-Tiru


>
> --Paul Hoffman