IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

Ólafur Guðmundsson <olafur@cloudflare.com> Thu, 01 October 2015 16:02 UTC

Return-Path: <olafur@cloudflare.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EC581B2D89 for <dnsop@ietfa.amsl.com>; Thu, 1 Oct 2015 09:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.478
X-Spam-Level:
X-Spam-Status: No, score=-0.478 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_55=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wQitC0mn45Bc for <dnsop@ietfa.amsl.com>; Thu, 1 Oct 2015 09:02:10 -0700 (PDT)
Received: from mail-ig0-x233.google.com (mail-ig0-x233.google.com [IPv6:2607:f8b0:4001:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D31E1B2D83 for <dnsop@ietf.org>; Thu, 1 Oct 2015 09:02:10 -0700 (PDT)
Received: by igbkq10 with SMTP id kq10so19130220igb.0 for <dnsop@ietf.org>; Thu, 01 Oct 2015 09:02:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=bK238koxDykDtCWjvCN/2q7xJCrTv9GYE/t4GZHIFuI=; b=UvxmaLquZWNBUjtQTB6LjMZkuUAeJwnCUnmSb/I6fpPvUtkB63junTC2XGLKQ2qHDG rCtyjOhNdV7mbQn+6wvIcW1rV+APe59F1TuN3r5qzRwqjQnbkSwhnXZzAISHvc/tTGJ0 sBpaBZDTOVS8UXCRHY26VUaE96Aw4vySzD4fg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=bK238koxDykDtCWjvCN/2q7xJCrTv9GYE/t4GZHIFuI=; b=Q3IKZe3o1TGYv6c/uBiwWdubdrjOM4OXlfJ17h8zjNIkMQxWMavOATVYQpti8mNfJG f9qSgDtLeg+gTMfxjHHEuiLngbqMxW6aq35SfA9LcdkahdFpGlFol1EdwNQsVWmbrrSs vmOuGJzjb0sIPp1g/H9w/u4GeOg3qbuLNcMDa7mRZxV7O9ofnluilvVpcxklR1LtZklr 26uX6SjjF2SRyBiQmoNf3sFDXRMqKItd2OHTAnzcI9ZrzZc+7CQkyIUsdUaXQiY/HCXd EGEDMfrGfbDKpr2NCYKM649NuAlBt4oqumgLMiFYpvqUmRLFTLkOTP8wCR8qv8eRpW+P 5TrA==
X-Gm-Message-State: ALoCoQnqUMXkSU2OPsJPdKVgfci6mRehMgb0vD3bhoMKTNx1tNJNwx3SPu/Et1xhQ/RfCArROIYz
MIME-Version: 1.0
X-Received: by 10.50.178.145 with SMTP id cy17mr4481585igc.92.1443715329380; Thu, 01 Oct 2015 09:02:09 -0700 (PDT)
Received: by 10.107.16.29 with HTTP; Thu, 1 Oct 2015 09:02:09 -0700 (PDT)
In-Reply-To: <20151001050850.GA51763@isc.org>
References: <20150930190405.17300.40441.idtracker@ietfa.amsl.com> <20151001025833.GA51655@isc.org> <0F438B6C-4797-4250-ABCA-4C5AE1D5F232@hopcount.ca> <20151001050850.GA51763@isc.org>
Date: Thu, 01 Oct 2015 09:02:09 -0700
Message-ID: <CAN6NTqyskX6AhnHzchAaOBEjWcehnhj2P7rot39Pi4VY==Ongg@mail.gmail.com>
From: Ólafur Guðmundsson <olafur@cloudflare.com>
To: Evan Hunt <each@isc.org>
Content-Type: multipart/alternative; boundary="089e01538ab65d65cf05210d2b1b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/_vui0MSwe4wsQ7DcOTLuE6p66Hc>
Cc: dnsop <dnsop@ietf.org>, Joe Abley <jabley@hopcount.ca>, Ólafur Guðmundsson <olafuratcloudflare.com@isc.org>
Subject: Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Oct 2015 16:02:12 -0000

On Wed, Sep 30, 2015 at 10:08 PM, Evan Hunt <each@isc.org> wrote:

> On Wed, Sep 30, 2015 at 11:28:45PM -0400, Joe Abley wrote:
> > 1. Return an unsigned response. This will be marked as bogus, and
> > trigger a QTYPE=HINFO re-query that will either return an actual signed
> > HINFO from the zone or a signed proof of non-existence. We think. I
> > haven't actually tested that a re-query will happen, but Olafur is
> > confident. :-)
>
> I haven't tested it either, but that is not what I would expect.
>

Only validating resolver will send follow up query,



>
> If the resolver gets a bogus response to a query of type ANY, I
> would expect it to try the same query at another name server,
> until it had exhausted all authoritative name servers, and then
> reply with SERVFAIL.
>

Here is the deal there are 3 sources of ANY queries to authoritative
servers
a) Malicious ones  both direct or reflected flood via open resolvers
b) Someone debugging or trying to zone walk
c) Resolver forwarding a ANY query because the cache for that name was
EMPTY.

We need to look at each one  and
for a) what we return does not matter but it should be small as it is just
noise
for b) we need them to comprehend the answer
for c) we need the resolver to accept the answer and not send followup
queries when a)  or b) is the reason they got the query

HINFO meets all the goals for a) and b).
This leaves us with c) in the case when query source is a legitimate
application, but in this case the HINFO is a useless
information and the application should realize that this attempt at getting
something for free failed and fall back on queries for what it wants i.e.
MX and A + AAAA records.

I used to be in the camp for TC bit but that was before I realized that
open resolvers/forwarders are quite happy to do TCP, meaning you get a
flood of TCP connections. TC only addresses the issue of direct forged
floods.


> > 2. Sign the HINFO RR as it is synthesised (or pre-sign one, to avoid the
> > edge authority servers needing access to a signing key).
>
> Pre-signing essentially reduces to adding an empty HINFO to every node in
> every zone, then using the pick-one-RRset method, but ensuring that HINFO
> is always selected first.
>
> > That is true. However, one of the use-cases for this approach is a
> > nameserver for which a search for records present at a particular owner
> > name (as would normally be performed when responding to an ANY query) is
> > expensive.
>
> It's not at all obvious to me that this is cheaper.
>

There is NO need to sign, unsigned HINFO returned for ANY query looks to an
validating resolver just like an
incomplete answer thus it can either return the HINFO or ask the followup
question for the HINFO and get a signed
denial that the HINFO exists ==> which looks like the HINFO was just
deleted from the zone i.e. temporal inconsistency.

The draft optimizes against a) and b) the the  cost of the possible extra
queries for c) when there is a validating resolver, which most of the time
might be a be answering out of cache thus it is not  forwarding ANY query.
The goal of the draft is to give resolvers something to cache. thus getting
help from the resolvers in deflecting the flood.
We wanted to optimize defending against the misuse of ANY query in attacks.
It is up to each operator to decide what to do and when.
Not having a well documented way to deal with this is  the main problem.

For off-line signed zones the auth server can copy this behavior of
"forging" unsigned HINFO and then dealing with the verification triggered
extra queries.

>
> With either method, you have to search down through the zone to find out
> whether the node exists (otherwise you'd be returning NXDOMAIN, rather than
> a minimized response).  Since you're doing that search anyway, choosing an
> RRset to return is pretty cheap.  And actually, you really *should* also
> look through the RRsets at the node to make sure there isn't a non-empty
> HINFO record before you synthesize an empty one, and if you're doing *that*
> anyway, choosing an RRset wouldn't cost any more and could well cost less.
>

Given the assumption that we are optimizing for defense there is no need
for an authoritative resolver to know if it is authoritative for the zone
the query was for, it can just return HINFO as an negative answer to the
ANY query type.

The whole question is around the following equation "ANY == ALL"
 I say ANY != ALL, your proposal was so say stop after first RRset found so
we agree on the core question the
only difference is on what to return.
In our proposal you are optimizing for c) without knowing if the type you
return is of value to the originator of the query,
furthermore your answer is likely to be larger.

For me answering few hundred ANY queries a second is not a problem (steady
state) ,
answering few millions a second is a problem (regular events) is.
Simple forwarders will keep asking thus what is returned does not matter,


> Assuming we aren't considering the possibility of native HINFO records,
> I agree that synthesizing an unsigned HINFO would be little quicker
> than pulling an RRset out of the node, but not *so* much quicker as
> to seem obviously worthwhile.
>

Depends on how auth server looks up records, not all auth servers have full
zones in memory, thus the lookup might be significantly more expensive.


>
> And for signed zones, synthesizing a signed HINFO would almost
> certainly be slower, while returning a pre-signed HINFO would be
> no faster than choosing an RRset.
>

See above about the need to for signing the answer and see if you agree.


>
> The disadvantages of pick-one-RRset that I can see are 1) more
> information leaked (but nothing that couldn't be obtained by sending
> queries for individual qtypes anyway), and 2) modestly larger response
> size (but still a lot better than unminimized ANY responses).
>
> Perhaps both approaches should be described in the draft.
>

If we agree that both are acceptable and each server only needs to support
one of the two then that is fine with me.

 Olafur

v2.23.0 | Report a Bug | By Email