IETF Logo Mail Archive

Re: [DNSOP] [v6ops] [IANA #989438] ipv4only.arpa's delegation should be insecure.

Warren Kumari <warren@kumari.net> Thu, 14 June 2018 02:20 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D16F130FF8 for <dnsop@ietfa.amsl.com>; Wed, 13 Jun 2018 19:20:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3JIwKeESf5eG for <dnsop@ietfa.amsl.com>; Wed, 13 Jun 2018 19:20:00 -0700 (PDT)
Received: from mail-wr0-x22e.google.com (mail-wr0-x22e.google.com [IPv6:2a00:1450:400c:c0c::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64A49130FF3 for <dnsop@ietf.org>; Wed, 13 Jun 2018 19:19:56 -0700 (PDT)
Received: by mail-wr0-x22e.google.com with SMTP id v13-v6so4646821wrp.13 for <dnsop@ietf.org>; Wed, 13 Jun 2018 19:19:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EOku+BVZ6URVGeTqJJ5UuSAGR2bPA1H2LADp0wufiGs=; b=f6rN74cnMLRqBrWoPOZ2ZnJ+t9CcdObRy65dTnz8IendsFskLTpHrPcjC6NXv4beUE IqUsAEnjYj37kYo0PYDRSCr0Dj15O5AALXTKXdAQYQztOk7YBtlT11pW6uMFdDLwCKiC V9/WHyE3l0qDaT31DCeRbs0h+g/m9wRiA2ycKydTtT4/WFC30wVtQeodVjClfpZHrGc8 liklFDPf+Jhp6k/GQL0teNlULDr1jHGE0mga+8gMxHLn4tHxuRmeb8351EpgPabkdNiw Iu23P3MYlOP1yrZAP3pU5VcazPIbiTQctY1qDbYWiIhPY+i8/26t/OJpGXhw1BUYFRQ2 HmPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EOku+BVZ6URVGeTqJJ5UuSAGR2bPA1H2LADp0wufiGs=; b=V6GebaxgjbYfHBjtagTtqnX5hx/dWFAwPH7P/u0PTFoajd87AFuUIHq8W+yz5jLQY6 YGRyfd8Trtgm1Vwi2hQKP5dfpKHNSgZ9IWEPV9F+Q1mwvW18Vl8PcS8LI1M5TYTojK6g oGuJR+gqF9xOvk8kYIpiR8XSG0lOJDbVN5R9zk0SCosh5rBIn+CM6EBDCbylCj80osiW c2oiE4dTdMa4smRR/Q23rfImWTqYRyGwGh0pFqxfe1okRx05PcRx4XTZ6CY2LFGmjGQ9 nBZVP2+OI6MCzO+yAayQ5mjvp6VKn3WyGD0cNvnpDrlbEcfM3oa2sp9hcHoCBk022NVH VrhQ==
X-Gm-Message-State: APt69E3kKTYS9XNlVdf9BNNBf61fIfJ3dCEUajC2nl3T/obI8jFvAmHz lmcU/U/M+hdoK7ytopYjmgfr9BNltaURN/5uTlXmgA==
X-Google-Smtp-Source: ADUXVKIisur1YrAfsiHFUG+5OsZKZbBYbJpSEs2uM+Zkv5/IFMPh+z98jfPciR8/oLGvufiE1UQjg4JNiJ60BJY1UeI=
X-Received: by 2002:adf:b691:: with SMTP id j17-v6mr451313wre.10.1528942794615; Wed, 13 Jun 2018 19:19:54 -0700 (PDT)
MIME-Version: 1.0
References: <rt-4.2.9-2607-1515188710-296.989438-6-0@icann.org> <FAA35F1A-9AD4-4993-9A5C-53A6143B9DE7@isc.org> <43D81243-B2D8-4622-B03D-D20DB7EC243C@apple.com> <DE670372-BF0E-4A81-8DB3-6CC2595B7D8E@isc.org>
In-Reply-To: <DE670372-BF0E-4A81-8DB3-6CC2595B7D8E@isc.org>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 13 Jun 2018 22:19:17 -0400
Message-ID: <CAHw9_iKBiWe4-EgMkT6_rYHDS0QLjbaZ1BYAsg3XkF2368g+rg@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: David Schinazi <dschinazi@apple.com>, Stuart Cheshire <cheshire@apple.com>, iana-questions@iana.org, dnsop <dnsop@ietf.org>, IPv6 Operations <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000027c26e056e90bc08"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CSvk0MlvcKPspn0K3dbeOrC9emc>
Subject: Re: [DNSOP] [v6ops] [IANA #989438] ipv4only.arpa's delegation should be insecure.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2018 02:20:05 -0000

On Tue, Jun 12, 2018 at 11:16 PM Mark Andrews <marka@isc.org> wrote:

>
> > On 13 Jun 2018, at 12:28 pm, David Schinazi <dschinazi@apple.com> wrote:
> >
> > Hi everyone,
> >
> > Stuart and I have a draft that attempts to address these issues, please
> let us know if you think it does or doesn't.
> >
> > https://tools.ietf.org/html/draft-cheshire-sudn-ipv4only-dot-arpa
> >
> > Thanks,
> > David Schinazi
> >
>
> This does not meet my requirements.  There is zero need for any part of
> the normal DNS resolution
> process to know the IPV4ONLY.ARPA is special if IANA stopped signing the
> zone.  That would
> allow getaddrinfo() to be able to lookup up the AAAA records without any
> intermediate software
> having to special case IPV4ONLY.ARPA.  IPV4ONLY.ARPA would then validate
> as insecure rather
> than as secure as it currently does.
> ​
>

I'm not sure that I agree with you on that (let's ignore DNSSEC for now) --
there is little *technical* reason for the normal DNS resolution process to
know that ipv4only.arpa is special, but administrators sometimes install
ipv4only.arpa resolution locally (for disconnected networks, to improve
reliability (e.g when .arpa is slow), or when users are using non-local DNS
resolvers (like 8.8.8.8). This is not a technical thing, but rather a
blessing that NAT64 / DNS64 admins can do that -- personally this sounds
more like an argument for adding it to locally served zones not SUDN. What
am I missing here?

​
>
> The document needs to explicitly state that the delegation for
> IPV4ONLY.ARPA in ARPA MUST
> be insecure (no DS record).
>
>
RFC7050 Section 7 says:
"A signed "ipv4only.arpa." allows validating
   DNS64 servers (see [RFC6147] Section 3, Case 5, for example) to
   detect malicious AAAA resource records.  Therefore, the zone serving
   the well-known name has to be protected with DNSSEC."

I read that a few times, and even when squinting I cannot figure out how
that is supposed to work. Can someone enlighten me? I can see how a signed
ipv4only.arpa allows a validating DNS64 server to validate the (well
known!) v4 addresses, but the malicious AAAA RR detection bit confuses me...



> You then have other issues to deal with like not sending queries for
> IPV4ONLY.ARPA to servers
> which have DNS64 configured or have a local IPV4ONLY.ARPA zone.  These are
> similar to the issues
> for HOME.ARPA but are at the ISP rather than the CPE.
>
> One way to handle that would be for CPE to always use the DHCP/RA DNS
> servers for IPV4ONLY.ARPA
> and require a explicit override just for IPV4ONLY.ARPA.
>
> Another way would be for middle boxes to intercept queries but then you
> have to account for
> anti spoofing technology TSIG, DNS COOKIE etc.  DNS COOKIE just needs the
> delegated servers
> for IPV4ONLY.ARPA to not serve any other zones.  That way any DNS COOKIE
> state learnt for the
> IP addresses of the servers for IPV4ONLY.ARPA does not impact on
> IPV4ONLY.ARPA lookups.
>
> I mention TSIG because that could be used with a well known TSIG key to
> defeat fragmentation
> attacks and because TSIG can be used between clients and recursive servers
> that are not
> operated by the ISP.  This would be one case where DNS resolution software
> may want to be
> altered by default.  This scenario is even rarer than DNSSEC.
>
> Mark
>

​W
​

>
> >> On Jun 12, 2018, at 18:29, Mark Andrews <marka@isc.org> wrote:
> >>
> >> The Domain Name Reservation Considerations in RFC 7050 do not cover
> whether
> >> a delegation should be signed or not.  Due to that omission in
> constructing the set
> >> of questions to be asked RFC 7050 fails when the client is behind a
> validating resolver
> >> that has NO SPECIAL KNOWLEDGE of IPV4ONLY.ARPA.
> >>
> >> There are 2 pieces of work that are required.
> >> 1) update the list of questions that need to be asked needs to include
> whether a delegation
> >>     needs to be signed or not.
> >> 2) update RFC 7050 to include explicit instructions to say DO NOT sign
> IPV4ONLY.ARPA.
> >>
> >> Item 1 is dnsop work as far as I can see.  Item 2, I think, should be
> v6ops work.
> >>
> >> HOME.ARPA is a example of a unsigned delegation.
> >> 10.IN-ADDR.ARPA is a example of a unsigned delegation.
> >>
> >> There is zero benefit in IPV4ONLY.ARPA being signed.  Its contents on
> the Internet
> >> are well known.  The contents with NAT64 in using are well known except
> for the
> >> AAAA query.  The answer to that query is *expected to change*.  That
> answer cannot
> >> be validated.
> >>
> >> Mark
> >>
> >>> Begin forwarded message:
> >>>
> >>> From: "Michelle Cotton via RT" <iana-questions@iana.org>
> >>> Subject: [IANA #989438] ipv4only.arpa's delegation should be insecure.
> >>> Date: 6 January 2018 at 8:45:10 am AEDT
> >>> To: marka@isc.org
> >>> Reply-To: iana-questions@iana.org
> >>>
> >>> Hello,
> >>>
> >>> Following up on a thread from the end of the year.  Who will bring
> this to the DNSOps working group?  Will someone notify us if there is an
> consensus on a conclusion of what needs to be done?
> >>>
> >>> Thanks in advance.
> >>>
> >>> --Michelle Cotton
> >>>
> >>>
> >>> On Sun Dec 10 22:40:29 2017, danwing@gmail.com wrote:
> >>>> I had replied to the errata. I agree it warrants additional
> >>>> discussion, and had also suggested same. Dnsops seems appropriate.
> >>>>
> >>>>
> >>>>
> >>>> The question is not to much where the attacker is, but what DNSSEC
> >>>> guarantee is provided. DNS64 imagines the client could do its own
> >>>> validation — if it wanted.  To date, effectively zero clients seem to
> >>>> want to do their own DNSSEC validation.
> >>>>
> >>>> -d
> >>>>
> >>>>> On Dec 10, 2017, at 11:13 AM, Savolainen, Teemu (Nokia-TECH/Tampere)
> >>>>> <teemu.savolainen@nokia.com> wrote:
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> Dan Wing seem to have moved to VMWare, but cc'ing him now with an
> >>>>> email address I found from an I-D..
> >>>>>
> >>>>> I'm not really following IETF nowadays, so I don't know if this has
> >>>>> been discussed.
> >>>>>
> >>>>> Also I'm not sure why ISPs couldn’t first verify the A response's
> >>>>> validity and then generate AAAA response to the client as document...
> >>>>> but I suppose it could be considered to be more proper action to
> >>>>> modify insecure responses than secure responses. I'm just worried
> >>>>> what happens if there's attacker between ISP and root, in which case
> >>>>> the IPv4 address part of the response could be modified by attacker
> >>>>> and then delivered to client in the ISP's synthetic AAAA record..
> >>>>>
> >>>>> So I cannot accept the errata straight away, but it should be
> >>>>> discussed with people who are more experts on this than I am.
> >>>>>
> >>>>> Best regards,
> >>>>>
> >>>>> Teemu
> >>>>>
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: Michelle Cotton via RT [mailto:iana-questions-
> >>>>> comment@iana.org]
> >>>>> Sent: 9. joulukuuta 2017 1:22
> >>>>> Cc: ietf@kuehlewind.net; spencerdawkins.ietf@gmail.com;
> >>>>> jouni.nospam@gmail.com; Savolainen, Teemu (Nokia-TECH/Tampere)
> >>>>> <teemu.savolainen@nokia.com>
> >>>>> Subject: [IANA #989438] ipv4only.arpa's delegation should be
> >>>>> insecure.
> >>>>>
> >>>>> Hello,
> >>>>>
> >>>>> Just checking to see if anyone had a chance to look at this.
> >>>>> Dan Wing's email addressed bounced (dwing@cisco.com).
> >>>>>
> >>>>> Thanks,
> >>>>> Michelle
> >>>>>
> >>>>>
> >>>>>
> >>>>>> On Tue Nov 28 14:43:00 2017, michelle.cotton wrote:
> >>>>>> Hello Authors and Area Directors,
> >>>>>>
> >>>>>> We have received a message pointing out an errata report that would
> >>>>>> modify the actions that were performed for RFC7050.
> >>>>>>
> >>>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.rfc-
> >>>>>>
> 2Deditor.org_errata_eid5152&d=DwIGaQ&c=uilaK90D4TOVoH58JNXRgQ&r=IMDU0f3LtPMQf5XkZ06fNg&m=hjPiqrkJLcvBw1fuqRPXMX6h76vuapCYz_DxRRq7SkM&s=uCKCSggUUCCU7iPuRs-
> >>>>>> usGcL3T69Fia9gTOy4UQwhLk&e=
> >>>>>>
> >>>>>> Has this report been discussed?  Will the result be an approved
> >>>>>> errata
> >>>>>> report or a new RFC?
> >>>>>>
> >>>>>> Thanks in advance.
> >>>>>>
> >>>>>> Michelle Cotton
> >>>>>> Protocol Parameters Engagement Sr. Manager
> >>>>>
> >>>>>
> >>>>>
> >>>
> >>>
> >>>
> >>
> >> --
> >> Mark Andrews, ISC
> >> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> >> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> >>
> >> _______________________________________________
> >> v6ops mailing list
> >> v6ops@ietf.org
> >> https://www.ietf.org/mailman/listinfo/v6ops
> >
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf

v2.23.0 | Report a Bug | By Email