Re: [DNSOP] Working Group Last call for draft-ietf-dnsop-dns-error-reporting

Ben Schwartz <bemasc@meta.com> Fri, 23 June 2023 01:27 UTC

From: Ben Schwartz <bemasc@meta.com>
To: Benno Overeinder <benno@nlnetlabs.nl>, DNSOP Working Group <dnsop@ietf.org>
CC: DNSOP Chairs <dnsop-chairs@ietf.org>
Date: Fri, 23 Jun 2023 01:27:21 +0000
Message-ID: <BN8PR15MB32811A729AA0F3D979C7B6EBB323A@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <fa6ec641-0eab-dec6-2267-3ca818402812@NLnetLabs.nl>
In-Reply-To: <fa6ec641-0eab-dec6-2267-3ca818402812@NLnetLabs.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZoTFXnyvYYsRB10xj_lSftfBZi4>

I want this draft to move forward, but upon review I noted with concern the security section text:
   DNS error reporting is done without any authentication between the
   reporting resolver and the authoritative server of the agent domain.
   Authentication significantly increases the burden on the reporting
   resolver without any benefit to the monitoring agent, authoritative
   server or reporting resolver.

Strong authentication (e.g. to a zone identity with DNSSEC) is probably excessive, but the current draft appears to have no defense against even trivial IP spoofing.  Anyone in the world who can spoof IP addresses can impersonate a reputable resolver and pollute the error reports sent to authoritative servers.  As an authoritative server operator, I would place a lot more trust in reports from reputable resolvers than from unrecognized sources.

I think the draft should probably say something like: "To defend against spoofing of source IP addresses used for error reports, reporting resolvers MUST use DNS over TCP [RFC 7766], DNS COOKIE [RFC 7873], or another procedure that defeats IP address spoofing."

--Ben Schwartz
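The admission logic the message is asking for, as an added example that is not part of this thread or of the draft: an authoritative server (or the monitoring agent behind it) accepts an error-report query over TCP outright, because the completed handshake already proves the source address, and accepts it over UDP only if it carries a server cookie that this server minted for that client cookie and that source address; anything else is answered with a cookie challenge and not recorded. The EDNS COOKIE option code (10) and the 8-byte client / 8-to-32-byte server cookie sizes are from RFC 7873; the server-cookie layout used here (4-byte timestamp plus an 8-byte truncated HMAC-SHA256), the secret, the one-hour lifetime and all function names are assumptions for illustration, not the interoperable format that RFC 9018 defines.

```python
# Added example (not from the draft or this thread): defender-side admission
# check for DNS error-report queries. Accept over TCP; over UDP accept only a
# query carrying a valid server cookie (RFC 7873 style); otherwise challenge.
import hashlib
import hmac
import ipaddress
import struct
import time

COOKIE_OPTION_CODE = 10          # EDNS0 OPTION-CODE assigned to COOKIE by RFC 7873
SERVER_SECRET = b"constructed-secret-rotate-me"   # constructed; a real server rotates it
COOKIE_LIFETIME = 3600           # seconds a server cookie stays valid (assumption)


def encode_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Encode an EDNS COOKIE option: OPTION-CODE, OPTION-LENGTH, then the cookies."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be exactly 8 bytes")
    if server_cookie and not 8 <= len(server_cookie) <= 32:
        raise ValueError("server cookie must be 8 to 32 bytes")
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def decode_cookie_option(option: bytes):
    """Split a COOKIE option into (client_cookie, server_cookie); server part may be empty."""
    if len(option) < 4:
        raise ValueError("option header truncated")
    code, length = struct.unpack("!HH", option[:4])
    if code != COOKIE_OPTION_CODE:
        raise ValueError("not a COOKIE option")
    data = option[4:4 + length]
    if len(data) != length:
        raise ValueError("option body truncated")
    if len(data) == 8:
        return data, b""
    if 16 <= len(data) <= 40:
        return data[:8], data[8:]
    raise ValueError("malformed COOKIE option length")


def make_server_cookie(client_cookie: bytes, client_ip: str, now=None) -> bytes:
    """Server cookie = 4-byte timestamp + 8-byte truncated HMAC-SHA256 over
    (client cookie, timestamp, client IP) under the server secret.
    Simplified layout for illustration; RFC 9018 defines the interoperable one."""
    ts = int(time.time() if now is None else now)
    ts_bytes = struct.pack("!I", ts)
    msg = client_cookie + ts_bytes + ipaddress.ip_address(client_ip).packed
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:8]
    return ts_bytes + mac


def server_cookie_is_valid(client_cookie, server_cookie, client_ip, now=None) -> bool:
    """True only if we minted the cookie for this client cookie and this source
    address within COOKIE_LIFETIME. A host forging another resolver's address
    never receives our reply, so it cannot obtain a cookie bound to that address."""
    if len(server_cookie) != 12:
        return False
    ts = struct.unpack("!I", server_cookie[:4])[0]
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= COOKIE_LIFETIME:
        return False
    expected = make_server_cookie(client_cookie, client_ip, now=ts)
    return hmac.compare_digest(expected, server_cookie)


def admit_error_report(transport: str, client_ip: str, cookie_option=None, now=None):
    """Decide whether to record an error report from this source.

    Returns (decision, reason):
      "accept"    - source address verified; process the report
      "challenge" - answer with BADCOOKIE and a fresh server cookie, record nothing
      "reject"    - drop the query
    """
    if transport == "tcp":
        return "accept", "TCP handshake completed, so the source address is not spoofed"
    if transport != "udp":
        return "reject", "unknown transport"
    if cookie_option is None:
        return "challenge", "UDP query without a COOKIE option"
    try:
        client_cookie, server_cookie = decode_cookie_option(cookie_option)
    except ValueError as exc:
        return "reject", f"malformed COOKIE option: {exc}"
    if not server_cookie:
        return "challenge", "client cookie only; issuing a server cookie first"
    if server_cookie_is_valid(client_cookie, server_cookie, client_ip, now=now):
        return "accept", "valid server cookie bound to this source address"
    return "challenge", "server cookie invalid, expired, or minted for another address"


if __name__ == "__main__":
    # Constructed scenario: the resolver at 192.0.2.10 holds a cookie we issued;
    # a query forging that address without the cookie, or replaying the cookie
    # from another address, is only challenged and never counted as a report.
    cc = bytes.fromhex("0102030405060708")
    t0 = 1_700_000_000
    sc = make_server_cookie(cc, "192.0.2.10", now=t0)
    print(admit_error_report("udp", "192.0.2.10", encode_cookie_option(cc, sc), now=t0 + 5))
    print(admit_error_report("udp", "192.0.2.10", encode_cookie_option(cc), now=t0 + 5))
    print(admit_error_report("udp", "198.51.100.7", encode_cookie_option(cc, sc), now=t0 + 5))
```

The challenge response is what keeps the scheme cheap for the server: a query without a valid cookie costs one small reply carrying a fresh cookie and no processing of the report itself, so a forged source address buys the sender nothing and produces no amplification worth speaking of.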
________________________________
From: DNSOP <dnsop-bounces@ietf.org> on behalf of Benno Overeinder <benno@NLnetLabs.nl>
Sent: Thursday, June 8, 2023 5:59 AM
To: DNSOP Working Group <dnsop@ietf.org>
Cc: DNSOP Chairs <dnsop-chairs@ietf.org>
Subject: [DNSOP] Working Group Last call for draft-ietf-dnsop-dns-error-reporting

Dear DNSOP WG,

The authors and the chairs feel this document has reached the stage
where it's ready for Working Group Last Call.

This starts a Working Group Last Call for:
draft-ietf-dnsop-dns-error-reporting.

The current version of the draft is available here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting/

The Current Intended Status of this document is: Standards Track.

Please review the draft and offer relevant comments.
If this does not seem appropriate please speak out.
If someone feels the document is *not* ready for publication, please
speak out with your reasons.
Supporting statements that the document is ready are also welcome.

This starts a two week Working Group Last Call process, and ends on:
June 22nd, 2023.

Thanks,

-- Benno
