Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc8109bis-04.txt
Willem Toorop <willem@nlnetlabs.nl> Thu, 22 February 2024 10:36 UTC
Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4304C14F726; Thu, 22 Feb 2024 02:36:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FBFyIqiigYBb; Thu, 22 Feb 2024 02:35:58 -0800 (PST)
Received: from mout-b-206.mailbox.org (mout-b-206.mailbox.org [195.10.208.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC7A2C14F70F; Thu, 22 Feb 2024 02:35:54 -0800 (PST)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:b231:465::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-206.mailbox.org (Postfix) with ESMTPS id 4TgV0k2hLHz9wBc; Thu, 22 Feb 2024 11:35:50 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nlnetlabs.nl; s=MBO0001; t=1708598150; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=R+wqMgtR+do2V3ekFOQhsg1LoGwXJjWXXJNdE9/dSfI=; b=x1JEXyYzJWAtrzeS5jmh5HfulArJoUJcc0FMqNBEsPI0rbRZPY9iL75aN5ErQfiWNBK0pe U8u6XOHJAE/YtCYWuGdmEs75jIOOv63x0k0jmsAyXO6IzR8Me/cIMMP8yzndVMEUzn7yXG Zm8uaflDXUJgO3z8/v0+4rXmRUG5JFjUwNFdRC/UjpLSey5M2DIcUm67qj1A18T4kD6SR3 NLYLn+R5xUjl7Wupcb08GPQy1/KOoTYouXcOwEj97n1UW03XlhoQe0jVCHeG75bif/VVX/ +5ow3ZroJhNym2GvKqmEAMl1B1wsYshC9m2M0EYecz08ffFY5TCJLQCcavhL5g==
Message-ID: <d4d74546-dd64-4e28-a27f-e7d272fac94f@nlnetlabs.nl>
Date: Thu, 22 Feb 2024 11:35:48 +0100
MIME-Version: 1.0
Content-Language: en-US
To: dnsop@ietf.org, internet-drafts@ietf.org, i-d-announce@ietf.org
References: <170793515468.3221.11050184009551055348@ietfa.amsl.com>
From: Willem Toorop <willem@nlnetlabs.nl>
Autocrypt: addr=willem@nlnetlabs.nl; keydata= xsFNBE1s81EBEACuJzGgccrmYEAzHc//vBq66gH7orM0GtKfQZHh4uR1FMxZXl07WevUYNuB ywTpinU9rpY1Q3S4w6QgNklgpsaHXmbOpyFjJ8FpllV8TRPiXiNrNxTpMnlb6InoszopX69t kBVHTP6cJkNgPx6R4BM0ARqEGQmOL8mAcoWyGVzbsamuGRaia54zs/kc3i9yiqEzRkoQmfwr 7sr49n7gOpmaqXvonOSiUvgEziep77emMcqVa/qZxR1r7KUq85qTNTqsQwl2cQdKS7WwOeuG 6ZIJmJ1bakriKzLBYF5xIHKSYJW0ZA20tNFrVKgTkEjiXvAJh4HlJEIi35tqa/IzWUJSc1ai nhBjxbwSl8BRq5aaPgwB+xXiDqY6BrQW1slvl5TF2A6Xr7JJ0rkH3EZgXxABAZ3WJ3RLwq1z 8jnNYj+UW/mSLsbOtgfOiBhFUXMZneHvVVvz6F6XAtyrejDl5sD2gnzm1VDfK6T6bvLtR7zr kWre0lpycDmgmUKgaEiXzfLvwT9RaWk8GdqU2GG+QOiwf+hT0peDieuodjMr59sUbx7GqVe/ 45rJBRSx+HCl2Jm7Th2Xr0kpStCd7ebVoEq9wpMyu+dM9wOTtibA9P3+9u4rAdimpAdQxEbh WbRNCng2EVhThbqRK3cTZLbtqKaWgAJqa/IQVpL9b5ps8Z4JVQARAQABzSNXaWxsZW0gVG9v cm9wIDx3aWxsZW1AbmxuZXRsYWJzLm5sPsLBjwQTAQIAOQIbIwYLCQgHAwIGFQgCCQoLBBYC AwECHgECF4AWIQTcNO5dskF7zBUeUQDl+PghL3ekmAUCXgm/sAAKCRDl+PghL3ekmLEOD/0W 50GFW5OfS/aZ3k7BfoBgSYEpgs3wUPxFCvkw4LsREcSLSdE9jFfIWh7sGiS1yP/kQGZr/yUn R58nAjGr9exyB90VsgEQqUlbks5nCqQZZrMcZRgHCB0IitYZqewBfl/GON/mqApTEQXgTJS7 0wi66828X7AyCA6kPgUfDl5V/zOE0GKm8ejNtKIIEnscNHUwpNpwTF/EegU6Fo6Ih4/bMvpg RytCgIi1tdmWETeyKjL7ASIGZL0kZkTfhQZV+V5NgToDnMFxPyndvv57Fip2mUSPkAAWRhgq ApL797C/KMpc1mCK43g6gD21KP01e5yz1BnSc09NJ7huLHYDFQKRBCfbUZuJe0KSibpRgmNE YaWT1sxByxqPbTmWDgvRXy4TGhkPm21wLqRACVmymd/KiFHdaB5NzWzrC5C0eWSCs2oziDuy Szf8/71sI8pNwjqBIp/8zA8ZI9AZrCkgzeuEeyKBcjW8O83iJkx2S9CC0KBrryvTi2QwitHX +WxJnGlOFNLQG4fp9/6EDuPUEKgmbqaiooCgDyU4aHYPFpUrHTc8aajahJ29wcXkWkIrm6rB mWzT/+05jyrrMl0HoSmZIqhwgtGHrWw+bnCxBZV2JOynDE0n+z4zh8N4rQ1vvCXu36CcR/62 YFTliLVKowkFtqO+om6DO8MBws/FoYnw/M7BTQRNbPNRARAApOziFbP3grro+2weP9wG0eYk InH0Gwc/x6hSN3iIFHtxaBNOC3U8YI0HMI8Yi5SJrzTx2rG7Uvw5aNCnBcMKNeoCJufSYIkx E41WzPEkqSNidkYoY6jxyDs6ZAFnIR3qqt/FV/93Acux1BMlnPP1sY7G5hUAC7Src8dbmAYV z6mnd43jurMYzESOygROP9yVrGOqKyiEbXf+GQ/o+8OgPs4504Z1BA/xvgZEEPqtn8Wowu/g LzTMOfMIfWsuk0ZCmV/VqfLTpZMCwMvh/qAQAsfrZMjE5fhTtbF668fHIpc4C4357H8y8XZr PXbhhtxYLu3V2pVbfKzbTMpp6Z6bJdIrFXpoyfgoFwkXcJ0zWgAFkPK+Iv16XtD/JDKWlkLo SXhCjBo8g4C7M50hzpy4zo9Na8ECtwpWBCFZ8myF94WZ+TGnP+FZz0rjTIKOZv6E9kivdFtd KxAi1RSQGo5Iwc2ugiBf4hpYyrd7vIwd0yqUqvSVTnaV8Ft8QKOV4H807grdIYkE/NOAu3N7 4uxbFIlChAxYq/ohLBCtbeuyZSOqBA2tIZE5fetHLw2+7Otq+zhrcWZ1SkchbDYp9jYzoCxf 0cEW5GyKaCoWNCblVupcDs20ckKcDVG+peWD+InnD4MSUeizHCMdL5Rt6MMaZVD4hOqWHf33 Wiw+NmrUjLUAEQEAAcLBdgQYAQIAIAIbDBYhBNw07l2yQXvMFR5RAOX4+CEvd6SYBQJeCb+w AAoJEOX4+CEvd6SYnQwQAKUN8F1N3G5rRgdyorRjX9+NEvZSn6sFAZZsngkO1fWny3z9PoGS 9n3OrKdqO2U9NdwvdWELyuFIv+3spd6Mn6DSYLSfqjg9i+YGC3AiQNoRR+VX1FWQ/TatFLpq +o1Lby04sWABhKic6pCxeCPXY2CzE7DSfUtMwBsPheK4JhpQNt6U4+7x24QIHbxcivpTq59V 7fZB8JpUgoN1k7DEAes9MEd1iOKM6ZucKgx1Q3elaS8DjRW7nJl+U9eaufa3BVt3+J3eL3Lr Q6ep4IDNEkQJoOwJytBzVQJcGkE0pdkSjO4jEocsNcQRVTahOazuYVUyYezqHDxUltAJqBux jnyyR2zZayDCoX82+UI0jtubwz1rFMqCdzID8n3PPn0AlmcHAsSNnCv4mIhI+tofc6bndNcu tJZMjoYA1MmEhgx1TStQptAQP/ZRNwV2TZFR20gwQWV1p/5R/GTlP3olNdC9Ojy0AmFMBLZb x7PI75HVJ2wtF8aq7vo2iltEM1k1zhl0Su5Ov/TEBq6JhqD5UzpqJPV6tTz76EEXfx58AxFh fVkytieLXCPI0kQTWfenexd9DUANCoa/TfYIEOi7YHJGYx/DpjfSPfThDxTGfWt0WaMILpOq +YTFA468fQW5xgeVvJlBNry4dT1XXgVbe/H+CN7q7C0Y1Ng11VOfO65X
In-Reply-To: <170793515468.3221.11050184009551055348@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------eo9Rr7MaE0Ym5vkDeEtKtFh3"
X-Rspamd-Queue-Id: 4TgV0k2hLHz9wBc
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D2Ha-Hk2lpvvkcXx7k4RILpgaPQ>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc8109bis-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Feb 2024 10:36:03 -0000
Thanks Paul, I feel Section 3.3. "DNSSEC with Priming Queries" may not do the effects of redirected query traffic enough justice. RFC 8109 already didn't do it enough justice I think. For starters, the second paragraph already assumes a "machine-in-the-middle" attack, but there may also be off-path attacks that manage to spoof priming responses. The first paragraph already states that the address records are not signed. I think that should be the emphasis of the attack vector. I have some alternative text proposals for the first two paragraphs. I will copy the original text as well, followed by my proposals. For the first paragraph I would like to add that the NS RRset is signed and can be validated, so instead of: > The resolver MAY set the DNSSEC OK (DO) bit. At the time of > publication, there is little use to performing DNSSEC validation on > the priming query. At the time this document is published, all root > server names end in "root-servers.net" and the AAAA and A RRsets for > the root server names reside in the "root-servers.net" zone. All root > servers are also authoritative for this zone, allowing priming > responses to include the appropriate root name server A and AAAA > RRsets. But, because the "root-servers.net" zone is not signed at the > time this document is published, these RRsets cannot be validated. I propose this text: > The root NS RRset is DNSSEC signed and can be validated by a DNSSEC > validating resolver. At the time this document is published, the > addresses for the names in the root NS RRset reside in the > "root-server.net" zone. All root servers are also authoritative for > this zone, allowing priming responses to include the appropriate root > name server A and AAAA RRsets. But, because the "root-servers.net" > zone is not signed at the time this document is published, these > RRsets cannot be validated. An attacker that is able to provide a > spoofed priming response can provide alternative A and AAAA RRsets and > fool a resolver into taking addresses under the control of the > attacker to be authoritative for the root zone. Then, the second paragraph is all about how DNSSEC signed data cannot be modified undetected and can only be a denial of service attack, but I think this obvious and not really interesting. What is more interesting is that the unsigned parts can be altered. So instead of > A machine-in-the-middle attack on the priming query could direct a > resolver to a rogue root name server. Note, however, that a validating > resolver will not accept responses for signed TLDs from rogue root > servers if they are different from the real responses because the > resolver has a trust anchor for the root and the answers from the root > are signed. /In between note: This is not true, the unsigned parts can be altered/ > Thus, if there is a machine-in-the-middle attack on the priming query, > the results for a validating resolver for signed TLDs could be a > denial of service, or the attacker seeing queries while returning good > answers, but not the resolver's accepting the bad responses; however, > for unsigned TLDs, the attack would be successful. I propose instead of this second paragraph, this text: > A rogue root name server can view all queries from the resolver to the > root and alter all unsigned parts of responses, such as the parent > side NS RRsets and glue in referral responses. Resolvers following > referrals from a rogue root server, that do not explicitly query the > authoritative NS RRset at the apex of the child (TLD) zone and do not > explicitly query for the authoritative A and AAAA RRsets for those > child (TLD) NS RRsets, can subsequently be fooled into taking > addresses under the control of the attacker to be authoritative for > those delegations. With such resolvers (that do not do those explicit > follow up authoritative NS and address queries), an attacker that > controls a rogue root server effectively controls the entire domain > name space and can view all queries and alter all unsigned data > undetected (see also Section 3 of [draft-ietf-dnsop-ns-revalidation]). > > An attacker controlling a rogue root name server also has complete > control over all unsigned delegations, and over the entire domain name > space in case of non DNSSEC validating resolvers. > The third paragraph is fine I think. -- Willem Op 14-02-2024 om 19:25 schreef internet-drafts@ietf.org: > Internet-Draft draft-ietf-dnsop-rfc8109bis-04.txt is now available. It is a > work item of the Domain Name System Operations (DNSOP) WG of the IETF. > > Title: Initializing a DNS Resolver with Priming Queries > Authors: Peter Koch > Matt Larson > Paul Hoffman > Name: draft-ietf-dnsop-rfc8109bis-04.txt > Pages: 11 > Dates: 2024-02-14 > > Abstract: > > This document describes the queries that a DNS resolver should emit > to initialize its cache. The result is that the resolver gets both a > current NS Resource Record Set (RRset) for the root zone and the > necessary address information for reaching the root servers. > > This document, when published, obsoletes RFC 8109. See Section 1.1 > for the list of changes from RFC 8109. > > The IETF datatracker status page for this Internet-Draft is: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8109bis/ > > There is also an HTMLized version available at: > https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc8109bis-04 > > A diff from the previous version is available at: > https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-rfc8109bis-04 > > Internet-Drafts are also available by rsync at: > rsync.ietf.org::internet-drafts > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] I-D Action: draft-ietf-dnsop-rfc8109bis-0… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-rfc8109b… Willem Toorop