[DNSOP] structured-dns-error-03 and EDE-unaware poisoning attack

Dan Wing <danwing@gmail.com> Mon, 29 May 2023 00:32 UTC

From: Dan Wing <danwing@gmail.com>
Date: Sun, 28 May 2023 17:27:21 -0700
To: DNSOP WG <dnsop@ietf.org>
Cc: Joe Abley <jabley@strandkip.nl>
Subject: [DNSOP] structured-dns-error-03 and EDE-unaware poisoning attack

The significant changes in -03 are:

a. EDE length=2 with INFO-CODE=0 (to improve interoperation as highlighted by Tommy Pauly).

b. Significant reduction of discussion of the threat of a non-EDE-aware DNS server forwarding along bogus EDE information which it didn't generate itself.  It now only has this mention in Security Considerations:

   An attacker might inject (or modify) the EDE EXTRA-TEXT field with a
   DNS proxy or DNS forwarder that is unaware of EDE.  Such a DNS proxy
   or DNS forwarder will forward that attacker-controlled EDE option.
   To prevent such an attack, clients can be configured to process EDE
   from explicitly configured DNS servers or utilize RESINFO
   [I-D.ietf-add-resolver-info].

As Joe suggested, we can certainly dump that paragraph from Security Considerations, as well.  The threat is of similar nature to the threat of other bogus data that might be cached and returned by a DNS responder through cache poisoning attacks, such as bogus resource records themselves.

-d
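To make the two points above concrete (the length-2, INFO-CODE=0 client signal in item a, and the "process EDE only from explicitly configured servers" mitigation quoted in item b), here is an added example in Python. It is not code from the draft or from its authors; it is a minimal EDNS0 option parser for the Extended DNS Error option (OPTION-CODE 15, RFC 8914) plus a trust check on the responder address. The OPT RDATA bytes, the EXTRA-TEXT string, the server addresses and the function names are all constructed for this example and are not taken from the draft.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

EDE_OPTION_CODE = 15       # Extended DNS Error, RFC 8914
PADDING_OPTION_CODE = 12   # EDNS Padding, RFC 7830 (used only as a non-EDE option to skip)


@dataclass
class ExtendedDnsError:
    info_code: int
    extra_text: str


def build_client_ede_signal() -> bytes:
    """Option a client puts in its query to signal structured-EDE support:
    OPTION-CODE 15, OPTION-LENGTH 2, INFO-CODE 0 and no EXTRA-TEXT (item a above)."""
    return struct.pack("!HHH", EDE_OPTION_CODE, 2, 0)


def parse_edns_options(rdata: bytes) -> List[Tuple[int, bytes]]:
    """Split OPT RR RDATA into (OPTION-CODE, OPTION-DATA) pairs.

    Lengths are checked against the buffer so a truncated or oversized option
    raises instead of yielding garbage."""
    options: List[Tuple[int, bytes]] = []
    offset = 0
    while offset < len(rdata):
        if len(rdata) - offset < 4:
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if len(rdata) - offset < length:
            raise ValueError("EDNS option length exceeds OPT RDATA")
        options.append((code, rdata[offset:offset + length]))
        offset += length
    return options


def parse_ede(data: bytes) -> ExtendedDnsError:
    """Decode one EDE option body: 2-byte INFO-CODE followed by UTF-8 EXTRA-TEXT.
    Invalid UTF-8 raises, since the bytes may have come from an untrusted hop."""
    if len(data) < 2:
        raise ValueError("EDE option shorter than INFO-CODE")
    (info_code,) = struct.unpack_from("!H", data, 0)
    return ExtendedDnsError(info_code, data[2:].decode("utf-8"))


def trusted_ede(rdata: bytes, responder: str,
                configured_servers: Set[str]) -> Optional[ExtendedDnsError]:
    """Mitigation quoted from the draft's Security Considerations: act on EDE
    only when the response came from a server the client explicitly configured.
    Returns the first EDE option, or None when absent or when the responder is
    not a configured server (e.g. an unexpected intermediate)."""
    if responder not in configured_servers:
        return None
    for code, data in parse_edns_options(rdata):
        if code == EDE_OPTION_CODE:
            return parse_ede(data)
    return None


# Constructed sample: a Padding option followed by an EDE option with
# INFO-CODE 17 (Filtered, RFC 8914) and a constructed EXTRA-TEXT string.
SAMPLE_EDE_TEXT = "constructed example: name filtered by resolver policy"
SAMPLE_RDATA = (
    struct.pack("!HH", PADDING_OPTION_CODE, 4) + b"\x00" * 4
    + struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(SAMPLE_EDE_TEXT.encode()), 17)
    + SAMPLE_EDE_TEXT.encode()
)
CONFIGURED_SERVERS = {"192.0.2.53"}  # constructed placeholder address

if __name__ == "__main__":
    print(build_client_ede_signal().hex())
    print(trusted_ede(SAMPLE_RDATA, "192.0.2.53", CONFIGURED_SERVERS))
    print(trusted_ede(SAMPLE_RDATA, "198.51.100.7", CONFIGURED_SERVERS))
```

The check keys on the responder address the client already trusts for the answer itself, which is the same position the quoted paragraph takes: EDE text from any other source is simply not processed, so an option injected upstream of an EDE-unaware hop is discarded along with it rather than displayed.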

> On May 26, 2023, at 7:50 PM, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This Internet-Draft is a work item of the Domain Name System
> Operations (DNSOP) WG of the IETF.
> 
>   Title           : Structured Error Data for Filtered DNS
>   Authors         : Dan Wing
>                     Tirumaleswar Reddy
>                     Neil Cook
>                     Mohamed Boucadair
>   Filename        : draft-ietf-dnsop-structured-dns-error-03.txt
>   Pages           : 21
>   Date            : 2023-05-26
> 
> Abstract:
>   DNS filtering is widely deployed for various reasons, including
>   network security.  However, filtered DNS responses lack information
>   for end users to understand the reason for the filtering.  Existing
>   mechanisms to provide explanatory details to end users cause harm
>   especially if the blocked DNS response is to an HTTPS server.
> 
>   This document updates RFC 8914 by signaling client support for
>   structuring the EXTRA-TEXT field of the Extended DNS Error to provide
>   details on the DNS filtering.  Such details can be parsed by the
>   client and displayed, logged, or used for other purposes.
> 
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/
> 
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-03.html
> 
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-structured-dns-error-03
> 
> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
> 