IETF Logo Mail Archive

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

Mark Andrews <marka@isc.org> Fri, 22 June 2018 00:00 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3608130DC7 for <dnsop@ietfa.amsl.com>; Thu, 21 Jun 2018 17:00:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3X8PWgxBWdB for <dnsop@ietfa.amsl.com>; Thu, 21 Jun 2018 17:00:12 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A549F130DC3 for <dnsop@ietf.org>; Thu, 21 Jun 2018 17:00:12 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 8F6183AB044; Fri, 22 Jun 2018 00:00:12 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 3FB2716006A; Fri, 22 Jun 2018 00:00:12 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 1B98A160068; Fri, 22 Jun 2018 00:00:12 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ycLxcOPH9AHD; Fri, 22 Jun 2018 00:00:12 +0000 (UTC)
Received: from [172.30.42.90] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id C1B4F16003D; Fri, 22 Jun 2018 00:00:10 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAHw9_iLdsTPjxwm6Tpah0kMXwwM894SG+407Muv3AcN3js-ZbQ@mail.gmail.com>
Date: Fri, 22 Jun 2018 10:00:08 +1000
Cc: Petr Špaček <petr.spacek@nic.cz>, dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, daniel.salzman@nic.cz
Content-Transfer-Encoding: quoted-printable
Message-Id: <65EFDF6B-48C7-4AAE-8ACB-C70942D54805@isc.org>
References: <c70f058c-8e82-f905-e352-f3e2fd0d4cfc@nic.cz> <alpine.LRH.2.21.1806201006530.6077@bofh.nohats.ca> <107c3532-a07d-9821-70ab-94c00a9dd2f0@nic.cz> <F6CB5212-461C-4E91-8E56-43B9E6377A7C@isc.org> <CAHw9_iLdsTPjxwm6Tpah0kMXwwM894SG+407Muv3AcN3js-ZbQ@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/R5su825ScqMNlDfgKH_KduRd6cY>
Subject: Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jun 2018 00:00:25 -0000

> On 22 Jun 2018, at 1:19 am, Warren Kumari <warren@kumari.net> wrote:
> 
> 
> 
> On Thu, Jun 21, 2018 at 10:36 AM Mark Andrews <marka@isc.org> wrote:
> 
> > On 21 Jun 2018, at 12:25 am, Petr Špaček <petr.spacek@nic.cz> wrote:
> > 
> > On 20.6.2018 16:10, Paul Wouters wrote:
> >> On Wed, 20 Jun 2018, Petr Špaček wrote:
> >> 
> >>> it seems that current specification of DNS cookies in RFC 7873 is not
> >>> detailed enough to allow deployment of DNS cookies in multi-vendor
> >>> anycast setup, i.e. a setup where one IP address is backed by multiple
> >>> DNS servers.
> >>> 
> >>> The problem is lack of standardized algorithm to generate server
> >>> cookie from a shared secret. In practice, even if users manually
> >>> configure the same shared secret, Knot DNS and BIND will use diffrent
> >>> algorithm to generate server cookie and as consequence these two
> >>> cannot reliably back the same IP address and have DNS cookies enabled.
> >>> 
> >>> One of root server operators told me that they are not going to enable
> >>> DNS cookies until it can work with multi-vendor anycast, and I think
> >>> this is very reasonable position.
> >>> 
> >>> So, vendors, would you be willing to standardize on small number of
> >>> server cookie algorithms to enable multi-vendor deployments?
> >> 
> >> I think this is a good idea but there are already two examples in RFC
> >> 7873 for cookie generation. Is there a problem with those examples, or
> >> is there only a lack of options in the implementation to configure
> >> these? If the latter, than no new IETF work would be needed.
> > 
> > These are mere examples and not specifications with all the details
> > necessary for reliable interoperability.
> > E.g. when a cookie is "old" according to B.2.?
> 
> I really depends on the algorithm being used.
> 
> > E.g. are there privacy considerations with plain HMAC vs. encryption?
> 
> Not the way AES is being used. 
> 
> > Besides this, BIND defaults to AES-based algorithm which is not
> > specified in the RFC and Knot DNS has its own because developers
> > considered the BIND's approch overkill.
> 
> What does it matter what the default algorithm is.  Unless you are
> running a anycast cluster IT DOES NOT MATTER.  If you are running
> a anycast cluster you just needs to make sure all the server are set
> up the same way.
> 
> 
> ​There are a number of anycast clusters which run different implementations on the same IP.
> 
> As an example: https://www.ripe.net/analyse/dns/k-root
> "A K-root node consists of one or more servers running BIND, Knot or NSD."​
> 
> ​Unless I'm missing something obvious, it would be good having cookies be valid when you e.g happen to hit a node in Lyon then a node in Geneva ​(because of routing changes).
> 
> ​W​

Having different cookies return was a EXPECTED failure mode and the
client has code to handle that if they have followed RFC 7873.  These
servers all handle TCP clients.  They should be stable enough to not
trigger the fallback to TCP.

   If the extended RCODE in the reply is BADCOOKIE and the Client Cookie
   in the reply matches what was sent, it means that the server was
   unwilling to process the request because it did not have the correct
   Server Cookie in it.  The client SHOULD retry the request using the
   new Server Cookie from the response.  Repeated BADCOOKIE responses to
   requests that use the Server Cookie provided in the previous response
   may be an indication that either the shared secrets or the method for
   generating secrets in an anycast cluster of servers is inconsistent.
   If the reply to a retried request with a fresh Server Cookie is
   BADCOOKIE, the client SHOULD retry using TCP as the transport, since
   the server will likely process the request normally based on the
   security provided by TCP (see Section 5.2.3).

> > If we decide to standardize we need to find a reasonable algorihm and
> > standardize all its variables to make it work without run-time
> > synchronization (posssibly except key rotation but it can be done
> > avoided as well).
> 
> BIND implemented 3 algorithms.  All three were similar.  The only
> difference was how the hash is generated.  The hmac-sha1 and hmac-sha256-8
> take identical inputs.  AES is slightly different because it is AES.
> 
> > This message is for other DNS vendors to see if there is an interest in
> > standardizing something we can all share and operators use in practice.
> > 
> > -- 
> > Petr Špaček  @  CZ.NIC
> > 
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> 
> 
> -- 
> I don't think the execution is relevant when it was obviously a bad idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
>    ---maf

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email