[DNSOP] Re: Potentially interesting DNSSEC library CVE

Mark Andrews <marka@isc.org> Fri, 26 July 2024 20:59 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 774AFC14F6E2 for <dnsop@ietfa.amsl.com>; Fri, 26 Jul 2024 13:59:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="lRTPAUlQ"; dkim=pass (1024-bit key) header.d=isc.org header.b="TdtjNJJX"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q1LN-CExo4T4 for <dnsop@ietfa.amsl.com>; Fri, 26 Jul 2024 13:59:12 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E4F1C14F5F9 for <dnsop@ietf.org>; Fri, 26 Jul 2024 13:59:12 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id E66143AB267; Fri, 26 Jul 2024 20:59:11 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org E66143AB267
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1722027552; cv=none; b=J/2dyseo+B+lqwHV++UmdiT9GKtPTc5PeGGKiyVbI175NOORjJ4quJS+MzBqPYDBAr9G2GKwnA/WzkCx3X5l2prrk+bs32WZiZ+bwrbFAhfvHyycyXGoH1KxSUHx3k9f6mYwzxhLj3ptMyqEcsSDs0UkoIOEDXo27Xsc/3eLssI=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1722027552; c=relaxed/relaxed; bh=KnDYsJSqzHm7cHhoaz5oSo7J8nBfod3+Q8+piM7hOQA=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=Hj2OrpMIx5j2h7YztN3T/9jIDc0JAjADCi24li2H8VxU/hlIQQBhqpr8qG6MjCimciImxGz2XvPfvAH9k6xaWt80KpbSPOevKV9nYs9tGxBV/XttB1QvjxIPWdvntCwZOPWIt9eC4179h0nyKfKyq+CjBEspCgxG7VhP/CP2ALg=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org E66143AB267
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1722027551; bh=PkAUuYUOwBTxJMD7o83xFr6UMo7a3v3dUAPnOnsnA9Y=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=lRTPAUlQ3e6y1GKYuU01qnxHqRCBDYaaafZFbPgscPz6rr36crcQg574TkqqDqowt C426gmqyWxXBgVtiMi0opdjYkK7cDZZliI1zCgi/Pz682Iak3sWLTC7nwFOzWb/etw m8n3MDGBNtfWFvIdStpomugHp6Bnro7Qq7kuTApU=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id E0214E6E6C1; Fri, 26 Jul 2024 20:59:11 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id B7583E6E80E; Fri, 26 Jul 2024 20:59:11 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org B7583E6E80E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1722027551; bh=KnDYsJSqzHm7cHhoaz5oSo7J8nBfod3+Q8+piM7hOQA=; h=Mime-Version:From:Date:Message-Id:To; b=TdtjNJJXB0etL5FZlEwgDLOv7izDQyVykjlfzTV0TlFRzfCHkZri6zTYqt8jRK/mc UynDOkwEo3hHDT72qfB8G29KxXXP97qks4SGwovFc1AKCvOtn8iWR2xs/S9nWQA8X0 P7ocUZ//0NtVEHlk9LxR29Om1yXz9gchZ6NRK0TA=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id b71oN1uFMjqd; Fri, 26 Jul 2024 20:59:11 +0000 (UTC)
Received: from smtpclient.apple (dhcp-9643.meeting.ietf.org [31.133.150.67]) by zimbrang.isc.org (Postfix) with ESMTPSA id 8630EE6E6C1; Fri, 26 Jul 2024 20:59:11 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <7373aae035616f1689a576117579ca054759c84d.camel@gnu.org>
Date: Fri, 26 Jul 2024 13:59:09 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <80C82C36-962E-4D4F-821B-1A7A9B3CBEE0@isc.org>
References: <m1sWF8d-0000LsC@stereo.hq.phicoh.net> <1070949df20a6ac1f9c2c2dd401d5953bb362bf2.camel@aisec.fraunhofer.de> <m1sWe2O-0000OKC@stereo.hq.phicoh.net> <fc306ade9816e06e19a1e2c9828c1c9ef2f0e2bb.camel@gnu.org> <m1sWxJi-0000MEC@stereo.hq.phicoh.net> <6c70aa6b316f7650d84a52135a6aa24aab147788.camel@gnu.org> <m1sWxlI-0000MGC@stereo.hq.phicoh.net> <7373aae035616f1689a576117579ca054759c84d.camel@gnu.org>
To: Martin Schanzenbach <schanzen@gnu.org>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Message-ID-Hash: XD75VGFQ46FWCISCUSRW2FVJZPXUGIWQ
X-Message-ID-Hash: XD75VGFQ46FWCISCUSRW2FVJZPXUGIWQ
X-MailFrom: marka@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>, dnsop@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Potentially interesting DNSSEC library CVE
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ay1k_7Xnfvvvy_YggI_D4XyOOVg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>


> On 25 Jul 2024, at 05:49, Martin Schanzenbach <schanzen@gnu.org> wrote:
> 
> 
> 
> On Thu, 2024-07-25 at 14:39 +0200, Philip Homburg wrote:
>>> As hinted to in the CVE description, Thomas asked here where this
>>> behaviour is defined exactly and did not receive a response that
>>> fits this issue:
>>> https://mailarchive.ietf.org/arch/msg/dnsop/X7ul3Updo4XP0EYdExuZ6pkp-Gk/
>>> 
>>> Yes, of course a stub resolver will have to sift through the CNAMEs
>>> (especially if DNSSEC validation is supposed to be done).  But
>>> where is the filtering between QNAME and received answers
>>> explicitly
>>> defined, exactly?
>> 
>> By and large, the IETF defines network protocols. The IETF is not
>> good
>> a defining APIs for network functions. And it is not part of its core
>> mission.
>> 
>> So what happens after a stub resolver receives a response is mostly
>> undefined. Low level C APIs were done in the past by the IEEE (POSIX)
>> and more
>> recent by the Open Group.
>> 
>> For example RFC 3493 is not an IETF standard, but the functions
>> described,
>> such as getaddrinfo, are part of the Single Unix Specification.
>> 
>>> I am pointing out that there is a root cause
>>> for this CVE/bug and it may not be simple oversight. It very well
>>> may be a gap in specification or missing security considerations
>>> that could hit any future implementer of (stub) resolvers.
>> 
>> The gap is that there is no good standards organisation for APIs
>> related to
>> internet protocols. That is unfortunate. It is not clear to me who
>> would
>> have enough cloud to create one.
> 
> Are you trying to say that the behaviour of a validating stub resolver
> is not in scope of the work on DNS(SEC)?
> Because I was pretty sure it is.
> See Thomas' post before on how separating validation from result
> filtering (following the CNAME-chain) would be tricky to do outside of
> the validating stub resolver (or only with significant overhead and re-
> validation) for any implementation.

DNSSEC was designed to be done in the client.  Recursive servers return
records that are needed to get from the original QNAME to the answer.  Stub
resolvers are expected to be able follow CNAME/DNAME and HTTPS/SVCB chains if
those are the query type.  If you request DNSSEC records you will also get back
RRSIGs, NSEC and/or NSEC3 records which prove the none existence of the
type or QNAME name.  This is just RFC 1034, RFC 4034 and a couple of others
in action.

Now an application may call a library routine to perform this work on its
behalf. gethostbyname and getaddrinfo are examples of these.  Other applications
directly parse the raw DNS message, MTAs typically fall into this class.  If the
libraries are DNSSEC aware then they should fail if the answers they are returning
are unable to be validated as secure or insecure.  For some applications the library
routine can also return whether the answer was secure or insecure.

The application or the library may make additional DNS requests to be able to
validate the original response.  These requests will typically be DNSKEY and DS
queries.

The difference between a stub resolver and a iterative resolver is who follows
the referrals.

Mark

> BR
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org