Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

Ben Schwartz <bemasc@google.com> Tue, 11 May 2021 17:05 UTC

References: <161901308063.21005.875603362157576926@ietfa.amsl.com> <6245BB4F-4E2F-435F-ABC0-18C0420C8541@akamai.com> <CAHbrMsDGq0usDiqr0HtbFCR4Y8swtyv_0i7UOFf=C_ExW+0FNQ@mail.gmail.com> <303AD4A1-A9BE-4C31-B730-7B4D42587206@akamai.com> <CAHbrMsCj8OToEhjo7O0YkW4WGosGK7stBYTneYHUoX_KckY7Uw@mail.gmail.com> <80539395-F1F6-4BA1-8AFF-667DDF7604B1@icann.org> <CAHbrMsAC3Mb+e18Gv361XnCU3kBOWqCbUXPujuuqOULh4e-v=g@mail.gmail.com> <CAKW6Ri4Yi2v+owa7KABATBoRmEB9u0k_hxd235iDL0ngbGhuLA@mail.gmail.com> <B0F5B473-9A40-447D-9555-F549F54CE0B5@isc.org> <CAHbrMsDNUKzYC__R1z6yzt_9xxyp4Eov1FekumT9sDpFkmPVPw@mail.gmail.com> <CAKW6Ri6bybyLTZOPFjR=Gpus96OYz1_DcxsJe8r+K9u7z=_LXQ@mail.gmail.com> <CAHbrMsCgShoeTbSruFH_zigYtXEQEoEOihjE6kjSUmfW5VSVUw@mail.gmail.com> <CAKW6Ri6HWTv_7_qcJX5mnxJODfwGsDmc1X2UW4kxPi=ZfZBDcA@mail.gmail.com> <CAHbrMsCYFmmM+WfS8VQWfSvRQgp4wXHEsOJcHi3Nvunb++wuHg@mail.gmail.com> <CAKW6Ri6BPXPeb_jExwoUk2MNccCVTwPTZRahqSouEUcMeskA=g@mail.gmail.com> <aa9f870b-b3f1-ffa5-3a64-f5882e26e116@powerdns.com> <E2CCC482-58FC-4771-AC60-E731FF681BC7@icann.org> <CAKW6Ri4EwbH8fNgXZtSot4mU9Y4K3ktX7sRoAOxhmndpRUeBNg@mail.gmail.com> <CAKW6Ri7XQWSc2vr1VxMCKWtKHn0_eBhORaz2PLPBnWx3-rmZJw@mail.gmail.com>
In-Reply-To: <CAKW6Ri7XQWSc2vr1VxMCKWtKHn0_eBhORaz2PLPBnWx3-rmZJw@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 11 May 2021 10:04:58 -0700
Message-ID: <CAHbrMsBxmxEAD=eYrkbKaXVE59adOp+1H-BzHLa=0vX1pDiAKw@mail.gmail.com>
To: Dick Franks <rwfranks@gmail.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="000000000000972e9205c210e54b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JVSzWLWrE_zNCcgge1lqq6skuRg>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

On Tue, May 11, 2021 at 9:41 AM Dick Franks <rwfranks@gmail.com> wrote:

> All,
>
> As part of a side discussion, I was admonished for my rather flippant
> approach to a significant security issue and failure to explain
> clearly how it manifests itself.
>
> On Sun, 9 May 2021 at 13:01, Dick Franks <rwfranks@gmail.com> wrote:
> >8
> >
> > Pre-processing of '\\,' into the RFC1035 standard '\,' is
> > superficially attractive, but also fraught with danger.
> >
> > A parser could have some fun with this one:
> >
> >     $ORIGIN example.com
> >     @   SVCB   1 foo
> > key6="\032\001\013\184\000\000\000\000\000\000\000\000\\\\,\000"
> >     ; a.k.a.   ipv6hint=2001:db8::5c5c:2c00
> >
>
> Although a few sharp-eyed people recognised the security implications
> immediately, I realise that I should have included the broken result
> to illustrate the problem more clearly.
>
>  example.com.    IN    SVCB    ( \# 38 0001     ; 1
>     03666f6f076578616d706c6503636f6d 00     ; foo.example.com.
>     0006 000f 20010db800000000000000005c2c00 )
>
> instead of the expected:
>
>  example.com.    IN    SVCB    ( \# 39 0001     ; 1
>     03666f6f076578616d706c6503636f6d 00     ; foo.example.com.
>     0006 0010 20010db800000000000000005c5c2c00 )
>
> Observe that the IPv6 address is shortened to 15 octets.
>

I'm not sure what the concern is here, but Section 2.1 of the current draft
[1], which specifies the parsing behavior in this case, simply says that
the value in this form is a char-string.  There is no mention of commas
anywhere in that section, so any special handling of commas is clearly
incorrect.  (Previous versions of the draft have long specified the same
behavior, with only editorial adjustments.)

[1] https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-05.html#name-zone-file-presentation-form
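The escape-handling difference the thread is arguing about, as an added example that is not from the draft and not code from either poster: a minimal RFC 1035 section 5.1 char-string decoder (\DDD is one octet, \X is the literal character X) run over the quoted zone-file value, once as-is and once after a "\\," to "\," pre-processing pass, reproducing the 16-octet and 15-octet results shown in the quoted output. The SVCB RDATA builder (priority, target name, then key/length/value) and all function names here are my own and follow the wire layout visible in the quoted hex, not any text of the draft.

```python
import ipaddress

# The value between the double quotes in the quoted zone-file example
# (raw string, so the backslashes are exactly as they appear in the zone file).
ZONE_VALUE = r"\032\001\013\184\000\000\000\000\000\000\000\000\\\\,\000"


def decode_char_string(text: str) -> bytes:
    """Decode RFC 1035 char-string escapes: '\\DDD' is the octet with decimal
    value DDD, '\\X' is the literal octet X, anything else is itself.
    No other character, comma included, gets special treatment."""
    out = bytearray()
    i = 0
    while i < len(text):
        c = text[i]
        if c != "\\":
            out.append(ord(c))
            i += 1
            continue
        if i + 1 >= len(text):
            raise ValueError("trailing backslash in char-string")
        if text[i + 1] in "0123456789":
            digits = text[i + 1:i + 4]
            if len(digits) != 3 or any(d not in "0123456789" for d in digits):
                raise ValueError("\\DDD escape needs exactly three digits")
            value = int(digits)
            if value > 255:
                raise ValueError("\\DDD escape out of range")
            out.append(value)
            i += 4
        else:
            out.append(ord(text[i + 1]))
            i += 2
    return bytes(out)


def naive_comma_preprocess(text: str) -> str:
    """The mistake discussed in the thread: collapse '\\\\,' into '\\,' BEFORE
    the char-string decoder runs. This eats one escaped backslash."""
    return text.replace("\\\\,", "\\,")


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name (labels are ASCII here)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def svcb_rdata(priority: int, target: str, params: list[tuple[int, bytes]]) -> bytes:
    """SVCB RDATA as seen in the quoted \\# output: 16-bit priority, target
    name, then one (16-bit key, 16-bit length, value) triple per parameter."""
    rdata = priority.to_bytes(2, "big") + encode_name(target)
    for key, value in params:
        rdata += key.to_bytes(2, "big") + len(value).to_bytes(2, "big") + value
    return rdata


def parse_example(preprocess_commas: bool) -> tuple[int, bytes]:
    """Build the RDATA for the quoted record, with or without the broken
    comma pre-processing. Returns (rdata length, rdata)."""
    text = naive_comma_preprocess(ZONE_VALUE) if preprocess_commas else ZONE_VALUE
    value = decode_char_string(text)
    rdata = svcb_rdata(1, "foo.example.com.", [(6, value)])
    return len(rdata), rdata


def as_ipv6(octets: bytes):
    """Render a key6 value as an address; None if it is not 16 octets long,
    which is exactly how the pre-processed value fails."""
    if len(octets) != 16:
        return None
    return str(ipaddress.IPv6Address(octets))


if __name__ == "__main__":
    for broken in (False, True):
        length, rdata = parse_example(broken)
        value = rdata[2 + len(encode_name("foo.example.com.")) + 4:]
        print(f"preprocess={broken}: \\# {length} {rdata.hex()}  ipv6hint={as_ipv6(value)}")
```

Run as-is, the first line reproduces the expected 39-octet RDATA with ipv6hint 2001:db8::5c5c:2c00; the second line reproduces the 38-octet RDATA from the quoted message, whose 15-octet key6 value is not a valid IPv6 address at all. A zone-file loader that validates parameter lengths per key would reject the second form instead of serving it.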