Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility
Mark Andrews <marka@isc.org> Thu, 21 June 2018 15:09 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17C9B130DE2 for <dnsop@ietfa.amsl.com>; Thu, 21 Jun 2018 08:09:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2DoniWzhAZJz for <dnsop@ietfa.amsl.com>; Thu, 21 Jun 2018 08:09:20 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEBF61292AD for <dnsop@ietf.org>; Thu, 21 Jun 2018 08:09:19 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 009183AB007; Thu, 21 Jun 2018 15:09:19 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id ACAF116003D; Thu, 21 Jun 2018 15:09:18 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 8B149160068; Thu, 21 Jun 2018 15:09:18 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id YQV9eu5xmjzA; Thu, 21 Jun 2018 15:09:18 +0000 (UTC)
Received: from [172.30.42.90] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 6B07516003D; Thu, 21 Jun 2018 15:09:17 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <c4de878b-2559-cb68-a033-48ed6322a4a2@nic.cz>
Date: Fri, 22 Jun 2018 01:09:14 +1000
Cc: Petr Špaček <petr.spacek@nic.cz>, Paul Wouters <paul@nohats.ca>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <20D2731B-C3DF-461D-B48D-F1CB1BC69DEE@isc.org>
References: <c70f058c-8e82-f905-e352-f3e2fd0d4cfc@nic.cz> <alpine.LRH.2.21.1806201006530.6077@bofh.nohats.ca> <107c3532-a07d-9821-70ab-94c00a9dd2f0@nic.cz> <9A860D2F-C02D-4D89-B54D-7FDA9823101B@isc.org> <c4de878b-2559-cb68-a033-48ed6322a4a2@nic.cz>
To: Daniel Salzman <daniel.salzman@nic.cz>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XtBG2-7GaZn_bjnp5MLTeXFNzg0>
Subject: Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2018 15:09:22 -0000
> On 21 Jun 2018, at 5:21 pm, Daniel Salzman <daniel.salzman@nic.cz> wrote: > > Hello Mark, > > On 06/20/2018 11:01 PM, Mark Andrews wrote: >> >>> On 21 Jun 2018, at 12:25 am, Petr Špaček <petr.spacek@nic.cz> wrote: >>> >>> On 20.6.2018 16:10, Paul Wouters wrote: >>>> On Wed, 20 Jun 2018, Petr Špaček wrote: >>>> >>>>> it seems that current specification of DNS cookies in RFC 7873 is not >>>>> detailed enough to allow deployment of DNS cookies in multi-vendor >>>>> anycast setup, i.e. a setup where one IP address is backed by multiple >>>>> DNS servers. >>>>> >>>>> The problem is lack of standardized algorithm to generate server >>>>> cookie from a shared secret. In practice, even if users manually >>>>> configure the same shared secret, Knot DNS and BIND will use diffrent >>>>> algorithm to generate server cookie and as consequence these two >>>>> cannot reliably back the same IP address and have DNS cookies enabled. >>>>> >>>>> One of root server operators told me that they are not going to enable >>>>> DNS cookies until it can work with multi-vendor anycast, and I think >>>>> this is very reasonable position. >>>>> >>>>> So, vendors, would you be willing to standardize on small number of >>>>> server cookie algorithms to enable multi-vendor deployments? >>>> >>>> I think this is a good idea but there are already two examples in RFC >>>> 7873 for cookie generation. Is there a problem with those examples, or >>>> is there only a lack of options in the implementation to configure >>>> these? If the latter, than no new IETF work would be needed. >>> >>> These are mere examples and not specifications with all the details >>> necessary for reliable interoperability. >> >> The server cookie examples have all the details required to build a interoperable >> implementation. i.e. with the same inputs you will get the same outputs. >> > > So how should the DNS cookies be implemented? IMHO if one server uses https://tools.ietf.org/html/rfc7873#appendix-B.1 > and another server uses https://tools.ietf.org/html/rfc7873#appendix-B.2, then it's not interoperable. > Actually the upcoming Knot DNS 2.7 implemented "B.1" using Siphash instead of FNV. Bind probably implemented B.2. > Are both implementations correct? Well you are free to inspect the code to ensure that it behaves the way we said it did. The code is in lib/ns/client.c:compute_cookie. Older branches that is bin/named/client.c:compute_cookie > Thanks, > Daniel > >>> E.g. when a cookie is "old" according to B.2.? >>> E.g. are there privacy considerations with plain HMAC vs. encryption? >> >> >>> Besides this, BIND defaults to AES-based algorithm which is not >>> specified in the RFC and Knot DNS has its own because developers >>> considered the BIND's approch overkill. >>> >>> If we decide to standardize we need to find a reasonable algorihm and >>> standardize all its variables to make it work without run-time >>> synchronization (posssibly except key rotation but it can be done >>> avoided as well). >>> >>> This message is for other DNS vendors to see if there is an interest in >>> standardizing something we can all share and operators use in practice. >>> >>> -- >>> Petr Špaček @ CZ.NIC >>> >>> _______________________________________________ >>> DNSOP mailing list >>> DNSOP@ietf.org >>> https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Daniel Salzman
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Daniel Salzman
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mark Andrews
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mark Andrews
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mukund Sivaraman
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Warren Kumari
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mark Andrews
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mark Andrews
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mark Andrews
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Petr Špaček
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Donald Eastlake
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Ondřej Surý
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Petr Špaček
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mark Andrews
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Petr Špaček
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Paul Wouters
- [DNSOP] DNS cookies and multi-vendor anycast inco… Petr Špaček
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mukund Sivaraman
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Warren Kumari
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Evan Hunt
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Evan Hunt
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Petr Špaček