IETF Logo Mail Archive

[DNSOP] Re: Potentially interesting DNSSEC library CVE

Martin Schanzenbach <schanzen@gnu.org> Wed, 24 July 2024 16:20 UTC

Return-Path: <schanzen@gnu.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66C2FC1D6FDA for <dnsop@ietfa.amsl.com>; Wed, 24 Jul 2024 09:20:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.543
X-Spam-Level:
X-Spam-Status: No, score=-3.543 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OvxapPF3H8Nw for <dnsop@ietfa.amsl.com>; Wed, 24 Jul 2024 09:20:14 -0700 (PDT)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.142]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 682CCC1D6FCA for <dnsop@ietf.org>; Wed, 24 Jul 2024 09:20:14 -0700 (PDT)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id B07F1240104 for <dnsop@ietf.org>; Wed, 24 Jul 2024 18:20:11 +0200 (CEST)
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4WTfPQ4NYdz6tyQ; Wed, 24 Jul 2024 18:20:10 +0200 (CEST)
Message-ID: <fc306ade9816e06e19a1e2c9828c1c9ef2f0e2bb.camel@gnu.org>
From: Martin Schanzenbach <schanzen@gnu.org>
To: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>, dnsop@ietf.org
Date: Wed, 24 Jul 2024 16:20:09 +0000
In-Reply-To: <m1sWe2O-0000OKC@stereo.hq.phicoh.net>
References: <m1sWF8d-0000LsC@stereo.hq.phicoh.net> <1070949df20a6ac1f9c2c2dd401d5953bb362bf2.camel@aisec.fraunhofer.de> <m1sWe2O-0000OKC@stereo.hq.phicoh.net>
Autocrypt: addr=schanzen@gnu.org; prefer-encrypt=mutual; keydata=mQINBFZlTN8BEADIXdWebdUepgP8YkULGh2EClt/q2Nkh5QB+V88ZtWVdEfz6ELbKeKE/ 39yllXso20H56OfWGgcU2SF6EKdT+FDir5pDxM+RQiIjrYHLMj9MG87LBcW65PHny6hmXtrfrWISX q7x2Si5G9pMz33jp5Dsx/IMTbTPbdK09b34S9aqIjTkpQ4yqByi07nkRcYgSOzx1Dr/7oatKn5/tT RQm9CQ2pqcYYD5Rqg1jcNpKRUWFX/m+LRd3iQ6ZF/F2W9hR6BYWRUi3eJOFYX/ngWrSj3q3c3zQgP y7R/4weZRT/WYjwccHyvLHbw3YFVLDgM2RAu2q765+3iWrH4RvYxS0eMDan7uK6q3+83KB83ofnH8 IEt6PWK3tmmQJ1vYbQDSqeLxiptPlOgoQuaJCCAFJaBIwamLZJq0BPmncDzZ3bGksROgV31qqFYsd KfyUnKQZZpEVsdpOz1oMK0RSlqW2j759C8E4DrsqCBoBm63lZPQsYp94s4gT5W2D3vfPqF3dOht6n ByGVYvwh3ildcBtKcU8vctlms+izbb0p94pviM10/vIuuAzerB4Pb8qMN8+KuSfIUtTWprD/D0NAP RBpc7Uiv8sSufldNhN+A4GdkkXe409+AWGusKMlZO9fP3BYf+J3jDxlbRoVoEyl67dioT0QbFdhOq Qt1EjJH9XT77QARAQABtC1NYXJ0aW4gU2NoYW56ZW5iYWNoIDxtc2NoYW56ZW5iYWNoQHBvc3Rlby 5kZT6JAlEEEwEIADsCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4ACGQEWIQQ9EQY8EPmNFL0k0Uc LCZjvhvWbagUCY470egAKCRALCZjvhvWbaopMEACfIHV7sgIv5bhrooTh+k9hpVjzIjomiy4HeVTK aZb6ZATHsa///YiWKrYM2OjO3u7+tQ73c9xW4EOIL3Fy/XE237k0urdU+urQkCcDvJAimoZn0c07T eRflqswco3lp/uyUhCb6UH4f7Os/HqMsLQCZFFutsvvU++bTiWJNBpoP8ntbqG2ZYhs2asFTWOBLH +BqyfiCfwsj4Rz/HyrOZC5DcXp591JZu8zaOF3zyu/uhODE6PNY08+gdN8s1/CmENp5oi7ir4EmHE h+VnVYVXe1zEk52jHNaKuHIb1l9q3xbJ8JczKDiOCe6ahRlmhSwdO0OTHyhrQWnGnG0hPscagTpTP hjooMVVnKtB4AEE2qVm5WAEA6EuYfgyp4+MuS1KWfgNGCHIbNyZ7Rc9D4fVtHl/ZUrF/k7KVEQ+HS y7WW9X2oDRtYuS6tvbNFnao3nq+EtZ8kzuSdt1yBtv0SeXNqj/ZrgI+gzz96U4D0lbVXCB7MpEsve O15fszATVN7rYJXY4Yjl2B64Z3bwNTFuIJjvih+nUp0Ls56GAcCvqCi1JLxOVu9ZR8lGSKKjl/RPl FcVyHzE7AiMTgKN6VdoCCsVNgMSBoGz9qg5Jey1lsrmTaNAUG28hJuAiNn4ZlQCsIz/XaMuIWb04/ xkgpLHpiT1smzUYOS9QxPEbtvsV3VbQpTWFydGluIFNjaGFuemVuYmFjaCA8c2NoYW56ZW5AZ251b mV0Lm9yZz6JAk4EEwEIADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQ9EQY8EPmNFL0k0U cLCZjvhvWbagUCY470egAKCRALCZjvhvWbaskiEACc/tMSZBbVh5Bv9clLZvk1fsXn2J6HjOc0SE0 AImCaoYM0K3IGACj3HZckBZG6ZrX9z0PXtuoWKHR8QDcfeWCcp/pIWZQyzwZDQsuCCK1DT7MW4B3i vHeqLODR/7saZ2xnpbq35l/41BPb539wZuTph2LDZh9SRl6Yzgma9WdJNBF4EBXpodrVshrQ0WuOr WrIY4sPzlUPT25nayHgeCH6FKPhAV0t23GYPy0gq0kXXUJC1mVYai+6w4haJ+Y3p7MDgscdnd0BJ/ ijyOSH/lIumV8E+T1KgwLkGIKfPYzdNU+zi/g74RIXucuLPkl/Hs2mMj+l1Rtje0zPMy7jEmfp47X bFAF8Mo2/ME2HipiEV1kzf9mWSVEcEJE4lK+bg+K2S0hrBcqudF4PizxUnQ9FW+YJLJwkoVripk3H F0TFUu6IMHe60aF+Mlnc8MlgIvArRIKOFWvIk9wbCgziIDrp+WqFikAGtHfcjtJIM1OW0MSZ4rKWN QQWe4LFAIhQfys4iqjI9HNrUu6wqHjElotFTLdwyOfVJFnZmAjNwPR87E+N1RR1Lsl7NlajRyalfX A9ilXqhHKyzcTkFc7yl4dvu8w5+ptoBpF/UrUQa+W0auxcPxYmFFfymaK5z/NVS5U0/YUea5UuaUj eJseVMrkqTY+etXv4e/54Qhfaan6QV7QmTWFydGluIFNjaGFuemVuYmFjaCA8c2NoYW56ZW5AZ251 Lm9yZz6JAk4EEwEIADgCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQ9EQY8EPmNFL0k0UcLC ZjvhvWbagUCY470egAKCRALCZjvhvWbaheYD/9ajvG1PENl/kuOE1g3HjN8vqbzbl06iFeJSl9Zr1 j18D4qeXMODbk0wFZZ8/pnqDJxUdcwvI/RviJuMKS0k+aUE3v4pIHGU6U3YxqSr3Cfk+JgGmpzP8C bZWLh9Zs5T2UWf57/nmyk0aiK4VF+bb9OYTxRu7lR+l0/psQqRUTm6XSDoqHsQ7EGZapxEy+KiiS2 4iCmLjGicpT05S08xGTIhZpd2B25BES3LVfe6rJfR9mJvCNoSSPKAvyvlu0l30DH7wBRS36dokalA K4tYcDF3ceHSdafzLgya3GvJppTW65zlq+rtwWwOj07dYR1RiMt6x68Mr+JvH9robPwLZ8TPOmxcG iEgNEWxunr81KLjRNckjEyF90oGdCGzckgmKx/rSgb8y3Lk7ivvohjoNydUYX7JGPWnyR9q+Nk7EV /fzT87bT//5I+86ECzIK/D0hL0gXhJa0cm7rQkn/OOzS4KEI/4pOmgNts7zfEm1VEB3f+VXpgRN/o /ikWfLsdu1K7PgdPYvF39V8Nl8AZKGzd5zUy1r3AMt0Lb3iBvsCsmry82b4Vj+CLvv9YvqyukBgPm P3N7XL12om6+VrGxnX1a/6KA1RU6UBSnzEg3L5addzeGrqT4hokLFBkizwBy0K62M+sCzVDWcwYQE juB7e/yimk3AVhbHl7lTb5ncNWzLQqTWFydGluIFNjaGFuemVuYmFjaCA8bWFydGluQHNjaGFuemV uYmEuY2g+iQJRBBMBCAA7AhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAFiEEPREGPBD5jRS9 JNFHCwmY74b1m2oFAmOO9HoACgkQCwmY74b1m2rvwQ/+J+tQZnN9L5AAeP35QV5aMmEJGiYUlMlKp hpivs0wR58an7umZWnbDyam3nx2N0rX7mpzYFD26ix0F7cHV5LGICqf2uA3Ek4IKNrlwNdPe5bzGi mnAlzZpqEjJRee0vnrEMJFh8QpBgGKrIQLgbVX9+FIZ7NqJTC9Bylm9D5015iPja6adtghH2D18EF 8Rs8cwofjwTToUUh6i/2/JU/EiOifqGzY/075+EMXDAYbm9k1yPt6uddfzLfiMwMxBh41M2Ua5KQm bESAiPUxOWRKEAo4uWCjrOlub/Mo9Zg04oMOg4HKuKbb81srmWJgX9UINw58ugucYHuGMph5MxNsk F47M9ZQV5ZvYl/7S2n9zx1sYlCQdElzxZcdZuzXjFrll3NtcX9cO1qt/ulxaEbkZIrdYw0HyTcRcn BaO3RQP6w2K8JjbcTHbWFGENrbZ70ISY2qgu6LHgWGbOO/391mm6/rI1pVc8VprxMAz9C+T3KuxGH /gK26ALV8roxi3en7wIGLRcybxY9fmrnj4YahHyMCWEg7MATN4BIUXDQy+u7vdBmLn+iv6KBFszo8 9KwBfzd08Rqb+N77z9BgkrJp9etRSlqqh0D4YtzWXmBnxSShU/xQac/qMdIDVYFK9HypIcD0rHJgg sEaq/0g3ECnVLR/IFpBrKIPNjA7U+d2W9g=
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=-LJHkv3HgQZhzsTWVprP/"
MIME-Version: 1.0
Message-ID-Hash: ME3QBKMOY25ZHWVKPBMVZEE6CXWTAX6R
X-Message-ID-Hash: ME3QBKMOY25ZHWVKPBMVZEE6CXWTAX6R
X-MailFrom: schanzen@gnu.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Bellebaum, Thomas" <thomas.bellebaum@aisec.fraunhofer.de>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Potentially interesting DNSSEC library CVE
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/akv4s1Fo-jBbapQXQnrpchU7U_0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi,

On Wed, 2024-07-24 at 17:36 +0200, Philip Homburg wrote:
> > Partially. I believe the DNSSEC validation and following the
> > CNAME-chain have to be implemented in the same routine.  This is
> > because to perform an authenticated denial of existence, you first
> > need to know which name and rrtype you want to prove does not
> > exist.
> 
> DNSSEC validation follows the CNAME-chain that is part of validation.
> 
> However, the ultimate user of the data also has to follow the CNAME-
> chain
> to avoid picking up unwanted additional records in the answer
> section.
> 

I think this is the core issue behind the CVE and the filed bug.
Who is the "ultimate user"? And where is this expectation formulated
exactly?
I would believe that most applications using DNS libraries such as
dnsjava do not expect that they have to sift through CNAMEs in the
replies and filter according to their initial query.
So is dnsjava in your opinion the "ultimate user" that is expected to
filter? If yes, "ultimate user" is an odd description because dnsjava
is a resolver implementation, whereas "ultimate user" to me means
application using a resolver (library/implementation).

BR
Martin

> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org

v2.39.1 | Report a Bug | By Email | System Status