Re: [DNSOP] Review of draft-livingood-dns-redirect-00
Andrew Sullivan <ajs@shinkuro.com> Mon, 13 July 2009 20:30 UTC
Return-Path: <ajs@shinkuro.com>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6980D28C6A0 for <dnsop@core3.amsl.com>; Mon, 13 Jul 2009 13:30:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.147
X-Spam-Level:
X-Spam-Status: No, score=-2.147 tagged_above=-999 required=5 tests=[AWL=0.452, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jlMlalSoaalp for <dnsop@core3.amsl.com>; Mon, 13 Jul 2009 13:30:02 -0700 (PDT)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by core3.amsl.com (Postfix) with ESMTP id B5DFA28C3AA for <dnsop@ietf.org>; Mon, 13 Jul 2009 13:30:01 -0700 (PDT)
Received: from crankycanuck.ca (76-10-166-247.dsl.teksavvy.com [76.10.166.247]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id B42EC2FE8CA1 for <dnsop@ietf.org>; Mon, 13 Jul 2009 20:29:51 +0000 (UTC)
Date: Mon, 13 Jul 2009 16:29:49 -0400
From: Andrew Sullivan <ajs@shinkuro.com>
To: dnsop@ietf.org
Message-ID: <20090713202948.GE3018@shinkuro.com>
References: <C67B83C4.E855%Jason_Livingood@cable.comcast.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <C67B83C4.E855%Jason_Livingood@cable.comcast.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: [DNSOP] Review of draft-livingood-dns-redirect-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2009 20:30:04 -0000
Dear colleagues, On Thu, Jul 09, 2009 at 11:23:48AM -0400, Livingood, Jason wrote: > If anyone is interested and has time before IETF 75, I¹m happy to take > feedback before then obviously. Please note that there is a list of open > items at the end, which we plan to address in subsequent versions. I have read draft-livingood-dns-redirect-00. I have some (actually, many) comments. I write as a contributor of the DNS Operations working group and not in any other capacity (especially not as co-chair of DNSEXT). I will leave it for others to debate the extent to which the document actually proposes changes to the DNS protocol. I apologise for the length of this mail, but it seemed best to me to go over the document in detail. To begin with, I must state that I am opposed to adopting the draft as it stands as a working group item with a target of BCP. That said, I agree that if people are going to do these sorts of things, it'd be better that we have a document to explain what the least bad way to do them is (although one might be excused for wondering what "least bad" means in a context such as this). It is a fact that people are doing these DNS tricks, and we will not be saved from them by refusing to talk about them any more than we were saved from the stupidest possible NAT implementations by the IETF's collective refusal to work on NAT. Still, I am not sure that the document as it currently stands represents that "least bad", so there's some work to do. First, in section 3 we have a note that there are alternative strategies to DNS redirects. It is one thing to rule discussion of those alternatives out of scope; it is quite another to present the alternatives as completely neutral. This discussion should be strengthened to point out that performing redirects in the DNS have extremely wide consequences, and that the DNS-based approach is a terribly blunt instrument to perform what is intended to be surgical redirections, akin to doing an appendectomy with a club. In addition, I think the discussion should point out that DNS-based redirection violates the basic principle of the DNS: it is supposed to be a distributed, loosely-coherent database of records originally provided by authoritative sources of data. DNS redirections violate that principle by design, even if they do it for the noblest reasons. This is an important factor in the discussion of DNSSEC, to which I'll turn near the end of this message. I note this text in section 5.1.3: Design considerations for the Web Error Search and Malicious Site Protection services should include properly and promptly terminating non-HTTP connection requests. I would find it helpful if the draft included some text explaining how to terminate "non-HTTP connection requests" (and make a subsequent connection request operate correctly)? There's nothing in the DNS request that would tell a resolver whether the DNS query was happening because the client planned to make an http connection as opposed to something else. Is the idea to monitor DNS requests, then sniff the traffic to see if it's an HTTP request and then do something with that knowledge? (This sounds just shy of practically impossible to me, but I'd be happy to be wrong.) What about https requests? Surely, malware people will quickly learn to send the requests via https if that's a clear path, so that won't work. And anyway, one can't sniff encrypted traffic. In section 5.2.3, it says A range of resource records may be redirected, such as A, AAAA, MX, SRV, and NAPTR records, in order to fulfill the objective of preventing access to certain network elements containing malicious content or which and in some way used to transmit, relay, or otherwise transfer malicious content. All other resource record types must be answered as if there was no redirection. I think the last sentence is just a rhetorical flourish. It seems to say that any RR may be redirected, depending on the objective; but other ones must (MUST? I suppose this depends on where one stands on 2119 language in BCPs. If the authors want 2119 language, there are some other places that could do with it too) be answered as if there were no redirection. This boils down to, "Redirect whatever you think you need to." So the last sentence in the quoted bit is just decoration: it merely makes the passage read as though the technique isn't too invasive, but it has no practical effect. (Section 5.5 has this, too.) Section 5.3 ought to point out that legally-mandated DNS redirect may do harm, because the ability to send desirable traffic (such as cease-and-desist emails, for instance) is lost (this is especially important in light of the discussion of proxy servers at the end of 5.3.3). Section 5.3.3 reads like it was written by actual lawyers (note that in my idiolect, "lawyer" is not automatically a term of derision): there are here a lot of and/ors, other slashes, and lists of possible authorities. For readability, I suggest that this be made simpler and more neutral. "Legal authority" probably covers everything needed to encompass the various kinds of agencies in question. I'm also not sure the apparent requirement to disclose that the redirection is enforced by law has any practical value, although I think it's nice if my ISP tells me it's fooling with the bits because of law enforcement rather than local policy. What is the interaction between the manual DNS server reconfiguration discussed at the end of section 6.3, and the persistence recommendation in section 6.1? It seems to me all but inevitable that a manual modification will bumped out of the way by a subsequent automatic configuration unless the automatic system is informed of the manual changes. Therefore, it seems to me that there needs to be a mechanism by which manual configuration changes can be communicated back up to the automatic assigner, so that the manual changes don't later get undone. (It'd probably be enough to specify the ability to disable the manual changes, without perhaps needing to send all the new configuration to the ISP.) In section 6.4, the text appears to suggest that setting an attribute in the browser will affect how the DNS lookups happen. I suggest removing that text or else including a pointer to the section in which you explain why it is a bad (not to say "ludicrous") idea. The subsequent text is the right direction to go: to allow users to opt out, just change their network configuration. I think some more exposition of the tradeoffs may be needed, however, since the current text seems to be fairly narrowly tailored to the present-era arrangement where the CPE has a single IPv4 address with a NATted LAN sitting behind it. Given that some other participants in the IETF are busily telling everyone to assign fairly large IPv6 ranges to every customer, the model in the draft probably needs some more refining. I think the discussion in 7.1 isn't drawing the wanted distinction quite as clearly as it might. The proposal is that a _good_ redirection captures the query, detects it is one of the redirection targets, and takes the user to a web page where the user is told that they've been redirected. The complaint in 7.1 is really that the very same redirection has happened, but the user is not informed. The discussion of "valid reason for the redirection" is just a distraction: the issue isn't whether the redirection is somehow justified (since there are some of us who would reply that such a redirection is _never_ justified), but whether the user is told about it. Section 7.4 would benefit from some characterization of what would be acceptable additional latency introduced by a redirector. Citations of user-experience studies would help. It seems to me the section is talking about one of the trade-offs to be made when trying to decide whether to add a redirector, and without some well-founded numbers, this is just hand waving. Section 7.5 seems to suggest that there are cases where it is acceptable to intercept DNS queries and redirect them silently. These cases are typified as being "reasonable", "justifiable", &c. The problem with any of this sort of thing is that it is the ISP who gets to decide what is "reasonable". I presume that those ISPs who are capturing and blocking or, worse, redirecting all DNS traffic think it _is_ reasonable and justifiable. Since what is reasonable and justifiable is right at the core of disagreement, reasonableness and justifiability can't be the criteria. I suggest that discussion be removed: there just is no reason to capture the DNS traffic. If you want to turn someone off, _turn them off_. Section 8 could be improved considerably by discussing the way that redirection breaks other protocols. A diagram that looks very like (e.g.) Figure 5, only with no place in the protocol where the Web response box goes, might make clearer why the redirection is problematic. Section 9.7 says, "This example represents an improper redirect occurring when a valid DNS RR should have been returned in response to a DNS recursive query for an example website, the resulting HTTP transaction, and that no DNS query or HTTP traffic was sent to the valid authoritative DNS server and valid web server." This makes it sound like there should be an HTTP request going to the DNS server. I know that's not the intent, but given that the target audience is presumably confused about the relationship between DNS servers and web servers (to the point that they're willing to break every other application in the interests of supporting the web servers), this should be cleared up. Section 10's consideration of DNSSEC seems to have some fairly deep misapprehensions of the DNS protocol. First, it has a completely naive idea of the actual DNS ecosystem. It starts by shutting down any discussion of non-stub resolvers on the grounds that "DNS redirections take place on the recursive server", as though only one recursive server could be involved in a resolution request from a stub. But previously in the draft there was some discussion of networks in households, and so on. One model of deployment there is surely a gateway server that runs its own DNS recursive resolver, and provides service to all the systems behind it, often with a single IPv4 anddress and an RFC1918-addressed NAT. Such gateways are obvious targets for DNSSEC deployment. Now, since they usually get the address from the ISP via automatic means, they will get the DNS configuration from the ISP. There is nothing whatever about a given query that could tell you, "Oops, this one's not from a stub; better give it the real DNS." So, the draft should address the case of a full-service recursing validating resolver inside the redirect boundary. It is interesting to compare bullet 2 with the advice we editors of the DNS64 document (over in BEHAVE) have received. In our case, the suggestion has been that, if the security-aware translator validates the answer from the DNS containing an A record, and is going to provide the querying resolver (which set DO=1 and CD=0) an answer, it is perfectly acceptable to set the AD bit in the answer. This is because of the language in RFC 4035: "The name server side SHOULD set the AD bit if and only if the resolver side considers all RRsets in the Answer section and any relevant negative response RRs in the Authority section to be authentic." In the case of DNS64/NAT64, the trick here is to expand the definition of "authentic" to include the NAT64 technique. I suspect this is really acceptable to people because the DNS64 knows about the NAT64 configuration, and is attempting to hook the querying host up with the target host (and is just compensating for the fact that the v4 and v6 networks are really different networks). But strictly, the justification for setting the AD bit is that the DNS64 host knows about the NAT64 configuration, and therefore is in a position to assert the authenticity of that address (having assured itself of the authenticity of the destination address). The redirection case is on purpose sending the querying client to some target host _other than_ the requested one. In some sense, then, the decision in the draft not to set the AD bit on these responses is praiseworthy. However, the redirector presumably is tightly coupled to the configuration of redirection and the host that is used to offer landing pages. Therefore it seems to me by the logic used above, setting the AD bit would not strictly be a violation of the protocol, if it isn't in DNS64. I confess this conclusion makes me extremely uncomfortable. I think a great deal of additional text will be needed to explain how the ISP-provided "mitigating" trust anchor is supposed to help solve the issue that the redirector's answers will fail validation by a downstream validator. Part of the point of DNSSEC is supposed to be that we can prove delegations haven't been mucked with along the chain between resolvers, and also that the trust across zone cut boundaries is not broken. This is the cryptographic assurance of the integrity of the distributed database I mentioned at the beginning of this message. The goal of redirection is to subvert that integrity (never mind whether it's justified -- that's the goal). The only way, it seems to me, that a redirector can use an alternative trust anchor is to get its clients to accept an alternative (or, rather, "additional") root key. Then any validation chain can be produced using that key, at the cost of a considerable increase in state on the part of the redirector (because presumably the redirector is going to need to remember what queries need supporting keys chasing all the way down from the root.) If such a system could be built such that it could be reliably deployed, it would amount to a frontal assault on DNSSEC itself, and on the principle of the single root. And so we arrive at the really fundamental problem of the draft: it presents a plan to fracture the namespace selectively. Sometimes, just in cases reflected in the redirector's own configuration, the namespace delegation points are _not_ those as reflected in a common hierarchy descended from a root (let's leave aside the "unique root" for the moment, since it's not precisely relevant to this argument), but instead a delegation to some other point. Under such a model, a coherent distributed database becomes totally unreliable. We might say DNSSEC is designed to foil the sort of attempt redirection makes precisely because this kind of fracturing undermines the database itself, and that the result of being able to prove you've arrived at the right host is just a happy instantiation of the more general principle. It is therefore mind-boggling that there is nothing in the Security Consideration sections of the draft to say, "Oh, and we've broken the DNS Security Extensions, too." Section 11 also includes the following text, which probably needs to say "no-one" where it says "someone": Security best practices should be followed regarding access to the opt-in and opt-out functions, in order that someone other than the user is able to change the user's DNS Redirect settings. These are all the remarks I have at the moment. Best regards, Andrew -- Andrew Sullivan ajs@shinkuro.com Shinkuro, Inc.
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Roy Arends
- [DNSOP] Review of draft-livingood-dns-redirect-00 Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Evan Hunt
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Dan Wing
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Ralf Weber
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Jelte Jansen
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Jelte Jansen
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Antoin Verschuren
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Roy Arends
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Rose, Scott W.
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Ray.Bellis
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Todd Glassey
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Andrew Sullivan
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… YAO Jiankang
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Alan Barrett
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Ray.Bellis
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Suzanne Woolf
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Suzanne Woolf
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Andrew Sullivan
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… k claffy
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Andrew Sullivan
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Roy Arends
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Mark Andrews
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… George Barwood
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Mark Andrews
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Eric Brunner-Williams
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Mark Andrews
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Andreas Gustafsson
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Andrew Sullivan
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Stephane Bortzmeyer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Jeroen Massar
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… David Conrad
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Suzanne Woolf
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Wouters
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Florian Weimer
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Jeroen Massar
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Tony Finch
- Re: [DNSOP] Review of draft-livingood-dns-redirec… David Conrad
- Re: [DNSOP] Review of draft-livingood-dns-redirec… David Conrad
- [DNSOP] DNS redirection for fun and profit Jim Reid
- Re: [DNSOP] DNS redirection for fun and profit David Conrad
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Mark Andrews
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Antoin Verschuren
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Andreas Gustafsson
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Jim Reid
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Jim Reid
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Eric Brunner-Williams
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Paul Hoffman
- Re: [DNSOP] Review of draft-livingood-dns-redirec… John Schnizlein
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Dave CROCKER
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Livingood, Jason
- Re: [DNSOP] Review of draft-livingood-dns-redirec… Rob Austein