IETF Logo Mail Archive

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

Daniel Salzman <daniel.salzman@nic.cz> Thu, 21 June 2018 07:22 UTC

Return-Path: <daniel.salzman@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 513BD130E39 for <dnsop@ietfa.amsl.com>; Thu, 21 Jun 2018 00:22:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.999
X-Spam-Level:
X-Spam-Status: No, score=-6.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eVy9sb-yriGT for <dnsop@ietfa.amsl.com>; Thu, 21 Jun 2018 00:22:02 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F8F312F1AB for <dnsop@ietf.org>; Thu, 21 Jun 2018 00:22:01 -0700 (PDT)
Received: from [IPv6:2001:1488:fffe:6:e153:5e1f:323e:a0ab] (unknown [IPv6:2001:1488:fffe:6:e153:5e1f:323e:a0ab]) by mail.nic.cz (Postfix) with ESMTPSA id C7C6960839; Thu, 21 Jun 2018 09:21:58 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1529565718; bh=qtv3W94dIkeMrpAelmDRCtlL7PJpzhLoj238ULwvXb4=; h=To:From:Date; b=VR8WPQtPFYSqyE5zfBdxfS/WfWSxjlVnXB3g4G0DrMb8rvbQE++dSAyYLzz5d2UPA SsTcO1pcmUF5Jzyc+TJ5YCWmTSe4oBzsqTFfbWdCg6LMsrCzE2tuRpQMu5XgjWcSXj DQ8od9nSQf96R20kPRkYAreiSOtsKt+c7Iv6pueM=
To: Mark Andrews <marka@isc.org>, Petr Špaček <petr.spacek@nic.cz>
Cc: Paul Wouters <paul@nohats.ca>, "dnsop@ietf.org WG" <dnsop@ietf.org>
References: <c70f058c-8e82-f905-e352-f3e2fd0d4cfc@nic.cz> <alpine.LRH.2.21.1806201006530.6077@bofh.nohats.ca> <107c3532-a07d-9821-70ab-94c00a9dd2f0@nic.cz> <9A860D2F-C02D-4D89-B54D-7FDA9823101B@isc.org>
From: Daniel Salzman <daniel.salzman@nic.cz>
Openpgp: preference=signencrypt
Autocrypt: addr=daniel.salzman@nic.cz; prefer-encrypt=mutual; keydata= xsFNBFljlBcBEACuCSBlN1vTS9eEDqowZcLAAF8NytcTlRjXTLWMQtjU+fXkz9Vz10n9TIFj 9Kcec0p0+8F+SowybecwhmYoUzhKI7S9M1ziUmaIhFs2KvZ1GzigE/W5L448P/7pugh875e1 tIrkrbbcIp6+SxaLbgvXlFl630ILZl/gbYOa/Wk21sLu4RjQY39oHb0WTiwPnKhdMdwlnxm6 HeWkHzlvI9N8tlDc6oVnUfqVI8gUyExLnEYjDpZforTVgHRq6RNyfTRZkh8zRsXSTnJlk/bV EDW5i/VgIQugzkgpuTGWlCstryi/MRheNxU1YEUenT69okb96QStfr1J00n8L4VAs8V5IuFU cSc8UqSpB+LgERRTMRFo9IrEXAW/gEKlEVR+501BvJ0/Qggxbgz4PEnKNaxXmAnykJzot2VD KTzrr26a9LnrT0GWom9rg89Ih876PA53vUXBB+FWP9QOFDcOfz3nMjCrLbMzhTsAzrNFXxch zLq+66CLqsQQytDVFpLI+X++sKRTOHkq6vV1bAPjlljrannLnn1y/DvkOOkiHOdYyjmR7Dfk vxgcWh/3Gx4J9gipxZITOr7LamEYgHfElY/UWCtc1Vjt8Xvgt4dofDpvSwY9YzgRWxJKC5ew YdqTCI+zxL1f0fjkeiRYNi959UMMjgdcY7Zpi8oPPQmlyBw15QARAQABzSZEYW5pZWwgU2Fs em1hbiA8ZGFuaWVsLnNhbHptYW5AbmljLmN6PsLBfQQTAQoAJwUCWWOUFwIbAwUJA8JnAAUL CQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRAQu3r2/rvWq1+eEAClhOEK2MZOz+nwJSeX7iIN Kbw477Y+LSvYkKG81pve+xtblQEn7rI3cYnDrqlUb3bXdbMHujYrg1fPoccpCvf6d/JvlN6W XCE25R+GR6vxr6v7jycHdSObFe4sTcwce6IViwiWiSizh4UCkz8285LjLcf3AnT2v6GJwHiZ bPOeMQUNIRj6PEYLSQsq0ZlqEx8LGKLTc5Ukrkoi4lN44SI1rzSwDPIqvlvrVnDXcDB8M7E2 Ii51zU8/TVk920KeayUeCPxpmgQW3USI45NrE/jEgyodyxMGp5lg3OqzHT2wu9BVLWkQvTjF fLfEsTay4K4kUSbYzbpS93b33J+I20rYLGBBYlTrN5417IgF6Bb8NzyrfVy1WdqhcggAEKX5 EkOmZM8oduRxsHqiRLC/xKF8GqTo6t3GMS5i8RClNvmdq0WUkQUvld4bOnXBCZ2QLbjV7sXj cr56ee+qdpiuRQjEidjHzpibcIBN8LVupVgXAZl9lsiBtoJXOHsvSdU3VgGWnRGtzFjSHzl3 TRPIsaVVqD7aCzQDfXDjrGlmhzgDfMwkqmBGgsku8tSR3Ag0MRAouJFXiZrcM3XGeYVbHT6d t7UMAB27Xc5foc0kGRo5tzlK6rWG2sJIlcQB7tKvwI/tE9lwJDjw+XNekEdIpcdcQ7mWa1CO YkcYTre3oPmN+87BTQRZY5QXARAA6RnxYG82/X+A49srgHR9yIxlHqSq6IhNn+iJQ5lpVpfe BItOG4NDu4Aq5X41pAJ3NKxsCPV62gEald/C7gJrTI5rag/87GYFFo6QRrwGsWVGORGs9G1p BF7ZZwhPJwD3MeagGZNfWZzRxXefL1P3mrpO3etSEEwENHtCqEMP6x/JHh3SKonKAlL4xfj3 F54aKj4upIcjxGBAJH8u66bN1GmYjstBzzbD4TWNTwfKgp15XxjrTgbThFy7CBoOgcaApiYT PE7D5nB1+AyhGjnO3ZlNgy1ZIHVDFk6HEakaqKM9QlkJnZsB2+cTqXlV0etmFQsedCg2sUie r0hhIrEOOtGQbY1P+0vv+VRoaNym3ritl+70RG8WgrHNLMRHVGeLRq3gOFnt+d/3h7meAKbO RW/ZY30UpwthtlZYgciFzoDJCW8Be1i1X4toiUaMkFh79jd7YTvZ87+P4DllC9MNsoq5cY/b HBNZYtXf7y6XqVqYo2IbFUR3VXKtzSN5eYm5YpFPczzmg1bNgl3i6WBcOF4EPEJEVjZ+u1r5 9NvfVLQ8XVh/QmLoG7x8oFcvhWctMy17Vdm4qZjpSA+B1sQocehdra+xT+PWV0kcrYpsqwkY eFRQnJGqIupWHnotqGOBNAyQWIcjK6K5y0CeioJZpNN5Oe5XloMXsYmgXsR+gTUAEQEAAcLB ZQQYAQoADwUCWWOUFwIbDAUJA8JnAAAKCRAQu3r2/rvWq+IQD/9ikZ5MtdDOVLtULPqXXeP3 6Oss2Ie4/4IQ7xkUZZ/Ujig0x1rW+d21o92VryH1s4K+nyCIW31rbtexK/0a54/wZyyjbqfh 6Tgo9n3f5bMV9qyubb49cfTSKfgzoOkG8Xdc/TIO1IjWHy1NBDl8GWKJ0QPYz78SCCkEFiVC AFBjuIQsoPqDKcZTs7k661w0A75ken88JJLgUgffZJRQK0i1dCw8kS4c2pqm24Q6d0AF5Edq Xn2IFH82p49Pp5bRMY3LnibRL3Sq0xvXs7i5vY+oJLuPAdomiGbdEbxcLytqQ2KitVdrGvrn ZJxPs16m0uuTeM06krorDlgGBXFp5+Z9JbQpViHkVpLo+vf/GuT9WOWWH8gG0r14ZLVQTvCG XiAR4Aju7W5jPMPmVDJ+wMrDcLta1Jv0U0+AnVe67mRXb0n5E/7kVshB3rfGzunPSlqT5kEi OXq6fJWB2l0lzCv0WtNuINmU9U3ap1oZBGSYl83vyuRUIlx61/tlnJvwseBL1FmASXOgfedC sxjHIlgFSUeScLxnOSyap/4ePqZ0C76Nkvzx43SfM1LJUeCHwon0o+LZv2GlBmlEp6PbekRQ Tz1hewLBbfAeXZRnwxvmkRqTP4DJCIVu2AE47+rbqVEjJZuEO4ORlkKoBdLOV3HNxWbfbG7+ n/h2cnUw3pqbHw==
Message-ID: <c4de878b-2559-cb68-a033-48ed6322a4a2@nic.cz>
Date: Thu, 21 Jun 2018 09:21:58 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <9A860D2F-C02D-4D89-B54D-7FDA9823101B@isc.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/G-Qg3K0NA6-huT4ZlWvlyj5HLnA>
X-Mailman-Approved-At: Fri, 22 Jun 2018 05:57:27 -0700
Subject: Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2018 07:24:23 -0000

Hello Mark,

On 06/20/2018 11:01 PM, Mark Andrews wrote:
> 
>> On 21 Jun 2018, at 12:25 am, Petr Špaček <petr.spacek@nic.cz> wrote:
>>
>> On 20.6.2018 16:10, Paul Wouters wrote:
>>> On Wed, 20 Jun 2018, Petr Špaček wrote:
>>>
>>>> it seems that current specification of DNS cookies in RFC 7873 is not
>>>> detailed enough to allow deployment of DNS cookies in multi-vendor
>>>> anycast setup, i.e. a setup where one IP address is backed by multiple
>>>> DNS servers.
>>>>
>>>> The problem is lack of standardized algorithm to generate server
>>>> cookie from a shared secret. In practice, even if users manually
>>>> configure the same shared secret, Knot DNS and BIND will use diffrent
>>>> algorithm to generate server cookie and as consequence these two
>>>> cannot reliably back the same IP address and have DNS cookies enabled.
>>>>
>>>> One of root server operators told me that they are not going to enable
>>>> DNS cookies until it can work with multi-vendor anycast, and I think
>>>> this is very reasonable position.
>>>>
>>>> So, vendors, would you be willing to standardize on small number of
>>>> server cookie algorithms to enable multi-vendor deployments?
>>>
>>> I think this is a good idea but there are already two examples in RFC
>>> 7873 for cookie generation. Is there a problem with those examples, or
>>> is there only a lack of options in the implementation to configure
>>> these? If the latter, than no new IETF work would be needed.
>>
>> These are mere examples and not specifications with all the details
>> necessary for reliable interoperability.
> 
> The server cookie examples have all the details required to build a interoperable
> implementation.  i.e. with the same inputs you will get the same outputs.
> 

So how should the DNS cookies be implemented? IMHO if one server uses https://tools.ietf.org/html/rfc7873#appendix-B.1
and another server uses https://tools.ietf.org/html/rfc7873#appendix-B.2, then it's not interoperable.
Actually the upcoming Knot DNS 2.7 implemented "B.1" using Siphash instead of FNV. Bind probably implemented B.2.
Are both implementations correct?

Thanks,
Daniel

>> E.g. when a cookie is "old" according to B.2.?
>> E.g. are there privacy considerations with plain HMAC vs. encryption?
> 
> 
>> Besides this, BIND defaults to AES-based algorithm which is not
>> specified in the RFC and Knot DNS has its own because developers
>> considered the BIND's approch overkill.
>>
>> If we decide to standardize we need to find a reasonable algorihm and
>> standardize all its variables to make it work without run-time
>> synchronization (posssibly except key rotation but it can be done
>> avoided as well).
>>
>> This message is for other DNS vendors to see if there is an interest in
>> standardizing something we can all share and operators use in practice.
>>
>> -- 
>> Petr Špaček  @  CZ.NIC
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email