Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming
Warren Kumari <warren@kumari.net> Mon, 15 August 2016 17:05 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96E2512D110 for <dnsop@ietfa.amsl.com>; Mon, 15 Aug 2016 10:05:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LpYRZ6V15TN1 for <dnsop@ietfa.amsl.com>; Mon, 15 Aug 2016 10:05:24 -0700 (PDT)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA10E12D0B6 for <dnsop@ietf.org>; Mon, 15 Aug 2016 10:05:23 -0700 (PDT)
Received: by mail-qk0-x236.google.com with SMTP id l2so47917293qkf.3 for <dnsop@ietf.org>; Mon, 15 Aug 2016 10:05:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=GF2fNYYN3MQRjH/sM9No5ozvRI958r6AcGaNbxxtl70=; b=1KNHp3PkqzT9BvBTsUfAundYg3VxhBZHIJ7kww8h65KjAq+A/w50tIwLDkSa1KZuqh 9/HgCSZJKPPLJw9Ck86C+OFpA91SXWMLzBj4RHmRgT6M/WN8tU6kK6httGIlcku5gID5 haWdlwZI+jxF8rHreyuRb/tYCEVlIdBH2FvJvYq9C2iY/DBYBsnDXoet1vMC2BigkC1f 6VrFhX56/xUCIi0HiS1y4LW4aexOHdVNOW8ktJXtaR4U/CqyzbwascjlOxdoB6+OaIQZ Rm1cG7qM4GFh8eaCKJxoYrYT+/dnrDcLGczs2cltT9t/wT2hTNIoDyhhxozf8oyGnzoP caug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=GF2fNYYN3MQRjH/sM9No5ozvRI958r6AcGaNbxxtl70=; b=kIxVVScQa3MuxWERS9sGBe+dNxOEngROpz02SBQhwVkgXnQ5zy3+WjDxWic032MABG Ptgug0GQ7thlvna3TcZqM8YGjL49C2rymVy8qFFgUKatqUZjLNkDhkWB+j08XTg0ctRr aLComFANyfoo6KibhY43EhOKHdhkRdLYoBslK02MRVWUbNwKSe4C6/n4uybEwXalsvIx W8buE+0SPBOSzpXw0X0QLuvA81egde4Y9Vxv91WUNXbh4k491VfJqxdOuxqcIEwy7Ksc uTw2vnT+5HeCWNhq8xlPgr57UTkz5fS2CkuKEsrqBd1Lb8GkS65dijmPLb+R8UFTKx+/ Lrzg==
X-Gm-Message-State: AEkoouvV914q5IggpqZ5trtWp7alUZoqUILj3cybn1tWM7kDr8QwZgoz/4edaJMouyx7WoSlY0V9yNzdAD9V8SgV
X-Received: by 10.55.72.79 with SMTP id v76mr32233208qka.194.1471280722899; Mon, 15 Aug 2016 10:05:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.176.199 with HTTP; Mon, 15 Aug 2016 10:04:52 -0700 (PDT)
In-Reply-To: <ADB85FEB-62B8-4ABB-BFD8-74AAABE66E24@vpnc.org>
References: <f8c62b82-258c-2b2b-5186-c3cd8e7d7448@gmail.com> <20160805114511.3ab76c8e@pallas.home.time-travellers.org> <ADB85FEB-62B8-4ABB-BFD8-74AAABE66E24@vpnc.org>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 15 Aug 2016 12:04:52 -0500
Message-ID: <CAHw9_iLM3E=+GmKbBK08c6XZLyGLcoKaDMMGnkoROTQutb15mg@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Y3Tq2uRFVPPiKwaZQSIuATsZHvI>
Cc: Shane Kerr <shane@time-travellers.org>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2016 17:05:25 -0000
On Sun, Aug 14, 2016 at 6:27 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote: > On 5 Aug 2016, at 2:45, Shane Kerr wrote: > >> First, we have: >> >> "If a priming query does not get a response within 2 seconds, the >> recursive resolver SHOULD retry with a different target address from >> the configuration." >> >> The "2 seconds" seems a bit arbitrary. I'm not sure why any >> recommendations need to be made at all. The document already says that >> these are basically normal DNS queries elsewhere - surely that is enough? >> (And maybe if we do want to recommend a retry then we need to be clear >> that if an answer comes from an earlier query that the resolver may >> accept it?) > > > It's sounding like people don't like the mention of a time at all. Proposed > replacement: > > If a priming query does not get a response within a short time, the > recursive resolver needs to retry the query with a different target address > from the configuration. > > (I am avoiding saying "within a configured time" because I don't think this > is easily configured in some common recursors.) This sounds fine / good to me -- or perhaps even: "If a priming query does not get a response, the recursive resolver needs to retry the query with a different target address from the configuration." s/ within a short time//. This avoids the obvious "What did you mean by 'short'?!" question. IMO implementors can make their own decision here. W > >> Second, a possible additional security consideration is that a priming >> query typically signals a resolver starting with an empty cache >> (although not always - the Knot resolver has a persistent cache, for >> example). This may be an especially vulnerable time for a resolver for >> cache poisoning. I don't know what can be done to mitigate this though >> aside from requiring TCP or DNS cookies for a time after startup, so >> perhaps this can be left out. > > > Proposed wording: > > An on-path attacker who sees a priming query coming from a resolver can > inject false answers before a root server can give correct answers. If the > attacker's answers are accepted, this can set up the ability to give further > false answers for future queries to the resolver. False answers for root > servers are more dangerous than, say, false answers for TLDs because the > root servers are the highest node of the DNS. > > --Paul Hoffman > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- Re: [DNSOP] Working Group Last Call draft-ietf-d… Tim Wicinski
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… 神明達哉
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Marek Vavruša
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Warren Kumari
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Paul Hoffman
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Andreas Gustafsson
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Bob Harold
- Re: [DNSOP] Working Group Last Call draft-ietf-dn… Paul Hoffman
- Re: [DNSOP] Working Group Last Call draft-ietf-d… Shane Kerr
- [DNSOP] Working Group Last Call draft-ietf-dnsop… Tim Wicinski
- Re: [DNSOP] Working Group Last Call draft-ietf-d… Edward Lewis
- Re: [DNSOP] Working Group Last Call draft-ietf-d… Stephane Bortzmeyer