Re: [DNSOP] questions about Signaling Cryptographic Algorithm Understanding (RFC 6975)
Brian Somers <bsomers@opendns.com> Thu, 04 June 2020 16:02 UTC
Return-Path: <bsomers@opendns.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FE3C3A0929 for <dnsop@ietfa.amsl.com>; Thu, 4 Jun 2020 09:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=opendns-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ky4Xb-mADTOX for <dnsop@ietfa.amsl.com>; Thu, 4 Jun 2020 09:02:10 -0700 (PDT)
Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FE273A0921 for <dnsop@ietf.org>; Thu, 4 Jun 2020 09:02:10 -0700 (PDT)
Received: by mail-pl1-x62c.google.com with SMTP id t16so2346890plo.7 for <dnsop@ietf.org>; Thu, 04 Jun 2020 09:02:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=opendns-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=3oyGRTWHHmv1qgS5GAm8udziSTT3bn0Nx7xibcTcZaU=; b=HU17xCD9iPEJspwRhagbvMvasEajIQkUvu5eYXHeGkV3ofEAQ4nJDL9CJO0US+jy2M vCSSFVY8/SjD93GrLelApAcdM2AClFs/DqvDjG9KED7q+DDz98s63rg73x/sMjVpI2V5 vDT1QhyeZYkoFw6bPyeEwiCHhmZnZwy1/RRFttVo9hJLpGNtPnytP0RGwVK27CLaho+y oCL2rkC/PL1o+LspIyUqSt/CpmSDUbJxHdQfsBCY5JuQFgQTjdvb9vDZ6ly5HAg/2H8i btwt7I4ZgZgWZcesxeWAuLnL1h4qbHsg9j6JK0rvS+DVzvcjdxhNbOW9hFKhAT/SQ4M5 WzsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=3oyGRTWHHmv1qgS5GAm8udziSTT3bn0Nx7xibcTcZaU=; b=pcaPvPBpMRCjNI36XneT+DzIPl7EMD8l1HLW/v5V+DODWN4nPgM3Kfb96hoq83YII4 aY2hd5xhTFeoUwOZHCeh3ZhYH5HZoFLwCB6Nf2464ws0mdXGuR1LtPEgttI3QuGwFLzg DJW9rSVp4Ht65RtJ96ti9tJ0InFDk1NtT+TQvJ+OHMMzNHqzUyI9+YA8yFxXk+h/rV6h lgE+Jq84kcBMzM1WRUCmLmY1wxwXNAJApIOraVBvsN+cHjlKhfD8EzXpM2H57nrhpDG1 QJMfk//teXhWW8dIB7Nz9rqPXVJanz5VyUyPsZ+wLJMWMCxLax97OZSBF1CHjPzr3nxC sfOw==
X-Gm-Message-State: AOAM530RFcm5I2VHnAw20cOl5O8DHvSHcdpyA3RZRrFmYpDRHgKpqHau kYFdCY/X+G5fSuLc4lKN1THcbGhEdYA=
X-Google-Smtp-Source: ABdhPJyXh/Jfm52O4pfNXAaJN2IFGmtSfUYuLk0TXfhn1FNQiON+1UHcz8GdoCVnTzCPOoAtl7oMYw==
X-Received: by 2002:a17:902:c40c:: with SMTP id k12mr5584421plk.105.1591286529710; Thu, 04 Jun 2020 09:02:09 -0700 (PDT)
Received: from bmacbook.wireless.awfulhak.org (S010600e0b602e722.vn.shawcable.net. [24.87.153.175]) by smtp.gmail.com with ESMTPSA id q6sm2095501pff.79.2020.06.04.09.02.07 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 04 Jun 2020 09:02:08 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Brian Somers <bsomers@opendns.com>
In-Reply-To: <ba766aed-885c-b247-9444-66731af3fa86@nic.cz>
Date: Thu, 04 Jun 2020 09:02:05 -0700
Cc: Brian Somers <bsomers@opendns.com>, IETF DNSOP WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F7F9B730-66D8-4902-B161-B5CD4E95F660@opendns.com>
References: <ba766aed-885c-b247-9444-66731af3fa86@nic.cz>
To: Petr Špaček <petr.spacek@nic.cz>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WipGwHJzX7tQclNbYOBgmJxehAA>
Subject: Re: [DNSOP] questions about Signaling Cryptographic Algorithm Understanding (RFC 6975)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jun 2020 16:02:12 -0000
On Jun 3, 2020, at 2:40 AM, Petr Špaček <petr.spacek@nic.cz> wrote: > > Hi dnsop, > > it seems that OpenDNS is the first to implement RFC 6975: > https://lists.dns-oarc.net/pipermail/dns-operations/2020-June/020219.html > > This reminded me of its existence so I looked at definition for validating recursors: > > 4.2.1. Validating Recursive Resolvers > > A validating recursive resolver sets the DAU, DHU, and/or N3U > option(s) when performing recursion based on its list of algorithms > and any DAU, DHU, and/or N3U option lists in the stub client query. > When the recursive server receives a query with one or more of the > options set, the recursive server MUST set the algorithm list for any > outgoing iterative queries for that resolution chain to a union of > the stub client's list and the validating recursive resolver's list. > For example, if the recursive resolver's algorithm list for the DAU > option is (3, 5, 7) and the stub's algorithm list is (7, 8), the > final DAU algorithm list would be (3, 5, 7, 8). > > If the client included the DO and Checking Disabled (CD) bits, but > did not include the DAU, DHU, and/or N3U option(s) in the query, the > validating recursive resolver MAY include the option(s) with its own > list in full. If one or more of the options are missing, the > validating recursive resolver MAY include the missing options with > its own list in full. > > > What is your opinion on: > a) Sending RFC 6975 EDNS options with queries which target zone cuts which are not signed (DS provably not present in parent)? > That sounds like waste of bytes, but maybe it is not worth optimizing. Opinions? The OpenDNS/Cisco implementation doesn’t optimize for this. If a nameserver does EDNS, it gets these codes. I don’t yet know if this is a naive approach - we’ve already had to turn it all off due to www.qq.com nameservers returning SERVFAIL (It has since been fixed). > > b) It is not clear if/how authors took into account deduplication of queries: > the recursive server MUST set the algorithm list for any > outgoing iterative queries for that resolution chain to a union of > the stub client's list and the validating recursive resolver's list. > > Multiple queries from stubs can translate to a single upstream query. Typically this happens for very frequently asked names on cache miss event. E.g. many stubs ask "www.google.com AAAA" but recursor can optimize traffic upstream and send only single query to auth. > Of course stub queries will likely not arrive simultaneously so the first query to auth (possibly with union of algo sets) is already in flight when second stub query (possibly with diffent set) arrives. Now what? > > (Section 7. Traffic Analysis Considerations shifts the problem to oneone else, but I think deduplication trick + interaction with DNS cache should be pointed out because it significantly complicates analysis.) The OpenDNS/Cisco implementation doesn’t remember downstream option codes in any way once the client is answered. An upstream query to a nameserver will include client codes & algorithms if present, but only for the client being “charged” for the upstream query. > c) Is union of sets even a good idea? Why not copy ENDS options from stub and append _another_ "instance" of options so the auth can see there are multiple parties with different set of options? That would certainly be easier in the resolver. > d) Is there a risk of inflating queries too much/new attack vector? What about stub sending EDNS option with all alg fields present (700+ bytes)? Should there be a limit on number of algs? (I cannot see any in the RFC.) I explored behaviours, including inflating the packet size to >512 bytes and sending the query over TCP. After a bit of experimentation I discovered that dig (9.11.5-P4-5.1-Debian) already made a call on this by limiting the # algorithms to 122. So I introduced a configuration option in our implementation that allows values between 0 (off) and 122, defaulting to 15. If we end up with more than the configured number of algorithms for any of DAU, DHU or N3U, we drop the client data for that code. If we’re still over with our own algorithms, we drop the code altogether. This allows us to limit ridiculous client data and to turn it all off quickly If required. > e) What should happen if multiple options are present? Answer with FORMERR? (But see questions c,d above.) We answer FORMERR. > Thank you for opinions! > > > P.S. Sorry for opening this topic again, but this seems like another example of RFC which would benefit from more implementation experience prior publication. > > -- > Petr Špaček @ CZ.NIC — Brian
- [DNSOP] questions about Signaling Cryptographic A… Petr Špaček
- Re: [DNSOP] questions about Signaling Cryptograph… Brian Somers