Re: [DNSOP] Incompatibility with indicating client support for EDE (draft-ietf-dnsop-structured-dns-error)

tirumal reddy <kondtir@gmail.com> Wed, 24 May 2023 07:00 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2CACC14F73E for <dnsop@ietfa.amsl.com>; Wed, 24 May 2023 00:00:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RZ-lJ5zfrQsh for <dnsop@ietfa.amsl.com>; Wed, 24 May 2023 00:00:23 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93C7BC1519B0 for <dnsop@ietf.org>; Wed, 24 May 2023 00:00:23 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id 38308e7fff4ca-2aed75dbdddso1337681fa.1 for <dnsop@ietf.org>; Wed, 24 May 2023 00:00:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684911621; x=1687503621; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=A4pKnT6dPOsxBrZFThJHMOVmEst/1MsmpObKujo5zYY=; b=aOgmtrf2jnjrtyuajTYA77W6qhpGM789QIg7Q0qBjXFwB0pZRXYyQ9Q8Bcgpn7NRL7 TgiEu3MCWFWMnU18sn9QJZKaYcsXwjFpNgO8QgrmrpfW0yQo4yUZ9NxnhHXaBJV93wHE 4pTih4qhG7oaShBmnVQsZdiQi5MB5aHxGRJfohupTMy7T+WaScoUixASxS3+mg+N3Iod YTZk7LSVfoswn2Cqhl6lUv2ScUxYQ1bANOfXj557LAbwgu1VVSoqdii2OUsQSwg624Xo m04mEl5zL9M4strpfaZ/mXV/MUIG5RI7CBp7cnO1b8j2lXFGANcd0bKtvNvNaOCazcp+ 7Atw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684911621; x=1687503621; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=A4pKnT6dPOsxBrZFThJHMOVmEst/1MsmpObKujo5zYY=; b=NPjm/V1v7Uf0HPOEHPoJSs/3pW/ILp30n3PPcuwDZZN/24/zaeve8/5tk/iJudGY+9 wAVsI903u4VFD8j5SyDPBFXpvBHhCYcp+Sve9Q291C9ykrta8/TOA+IwFuZqdeHsExA7 rjjttnD96sdrNieiXoCA8NJXKsznNYCJD4fVTlHRqMm9kTSmMhxVG+inKcohO5k0TQlj ESI3pHosN8dcqxY/zi8hrXw4my7CV3Q7qfLK8uGMvoU8JI+LBIZTLQdSGpuhCdRIem2x O2mg9OkdZDhQKp0mMngvAWcdhCpjuiJTSCY0/QTydRp5AQx5c+qXF+RZbkk0x2TXpbVo cVng==
X-Gm-Message-State: AC+VfDzV+M1rfNrkXxhQIW+p3J5dKFXPrk0WAFR6CCLO5K/OOIJEMMH7 ntXxumQEjaUoMGNGxV2GgpiUuLCAMwuOGxlseec=
X-Google-Smtp-Source: ACHHUZ4/FWCnmh1kP2fswwCxZ0c4JkzHwco2W7UiitVXf6S8jmfAVq0ZjCisdU/Q3Eq3B/n8xKMwyM5EhYvyLqRq+8I=
X-Received: by 2002:a2e:a37a:0:b0:2af:1b30:fa99 with SMTP id i26-20020a2ea37a000000b002af1b30fa99mr6120470ljn.0.1684911620763; Wed, 24 May 2023 00:00:20 -0700 (PDT)
MIME-Version: 1.0
References: <1BE5004E-B64D-407D-80F5-EB25D7BB671C@apple.com> <4A22932F-1980-438E-9B6A-176B82CECE50@isc.org> <A474412D-191B-48BD-8FC4-E07578E9C487@apple.com> <A79A4C21-43FD-4CC1-91C8-73F0F1C4BF28@gmail.com> <3255E1FA-0864-4BA6-A131-B478938714AE@apple.com>
In-Reply-To: <3255E1FA-0864-4BA6-A131-B478938714AE@apple.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 24 May 2023 12:30:09 +0530
Message-ID: <CAFpG3gd3iJjAcAHL_0bvy9Tmhvm1POUd8YM7iuUsUhgg0YEidg@mail.gmail.com>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
Cc: Dan Wing <danwing@gmail.com>, DNSOP WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a235ed05fc6b0e11"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cJbj5oQT4OJ6OqjcpuEIVak_6LM>
Subject: Re: [DNSOP] Incompatibility with indicating client support for EDE (draft-ietf-dnsop-structured-dns-error)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2023 07:00:27 -0000

On Wed, 24 May 2023 at 01:48, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
wrote:

> Using length=2 and INFO-CODE=0 sounds fine to me.
>
> For the dependency on draft-ietf-add-resolver-info, I don't think we need
> to impose that dependency. I'd much prefer to allow clients to look at that
> optionally, but still be able to include the hint and use the extra text if
> it parses correctly.
>

Dependency on draft-ietf-add-resolver-info was added to address the threat
where an attacker might inject (or modify) the EDE EXTRA-TEXT field with an
DNS proxy or DNS forwarder that is unaware of EDE.More details are
discussed in Section 10 of the draft.

Cheers,
-Tiru


>
> Tommy
>
> On May 23, 2023, at 9:52 AM, Dan Wing <danwing@gmail.com> wrote:
>
> EDE length=2 with INFO-CODE=0 works nicely.
>
> Also because non-EDE-aware DNS responders can be vulnerable to attacks
> described in Security Considerations, the Security Considerations section
> currently suggests clients use draft-ietf-add-resolver-info to check if
> server supports EDE. This needs better clarification in the document that
> client has to check draft-ietf-add-resolver-info before including EDE OPT
> in its DNS query. This check will further help interop by only sending EDE
> in requests to servers that indicated support via
> draft-ietf-add-resolver-info. However, it creates
> draft-ietf-add-resolver-info as another hurdle to deployment of Structured
> DNS error.  Thoughts?
>
> (I also put the above text into our github issues; I don't know which
> folks prefer.
> https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error/issues/26
> )
>
> -d
>
>
> On May 22, 2023, at 7:44 PM, Tommy Pauly <tpauly=
> 40apple.com@dmarc.ietf.org> wrote:
>
> Thanks, Mark.
>
> For what it's worth, I just ran two other tests, and for both of these
> cases, all of the resolvers I tried did accept the request:
> - Choose a new EDNS option code point (I just tested 50, randomly)
> - Use EDE but set the length to 2 and the error to 0 (other error), rather
> than a length of 0
>
> Both of these seem viable, and I’ll let the authors and WG decide which is
> the right way forward.
>
> Best,
> Tommy
>
> On May 22, 2023, at 5:00 PM, Mark Andrews <marka@isc.org> wrote:
>
>
>
> On 23 May 2023, at 02:20, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
> wrote:
>
> Hello DNSOP,
>
> In draft-ietf-dnsop-structured-dns-error, there’s a description of how
> clients should indicate that they understand extended DNS errors (EDE) by
> sending an empty EDE option.
>
>
> https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-02.html#name-client-generating-request
>
> This is something that makes a lot of sense to me, and provides a great
> way to indicate that a client would prefer to receive proper
> blocked/filtered errors (with possible extra text) as opposed to a forged
> answer.
>
> However, in testing this out, I’m seeing inconsistent compatibility with
> some public resolvers. I was testing enabling this for encrypted resolvers
> only, and I see the following behavior for a sampling of resolvers using
> DoH:
>
> 1.1.1.1 - NOERROR, works fine!
> 9.9.9.9 - NOERROR, works fine!
> 8.8.8.8 - FORMERR on all responses
> dns.adguard-dns.com - SERVFAIL on all responses
>
> Do we think that this should be allowed in queries (and thus this is a bug
> in resolvers like 8.8.8.8 or AdGuard)? Or is there a problem with the
> approach this document is suggesting?
>
>
> RFC 8914 left whether EDE in requests was permitted or not undefined.  I
> can see an EDE implementation making the option parser return FORMERR if
> the EDE option length was less than 2 and applying that to both requests
> and responses.  RFC 8914 really should have said that EDE in requests
> should be ignored and then there would have been a possibility on extending
> behaviour based on adding EDE to a request.  We are already 10 years into
> trying to fix unknown EDNS option behaviour and are still getting FORMERR
> on unknown EDNS options in requests.  If the working group want to allow
> extending EDE by adding it to a request is should obsolete RFC 8914 now
> with RFC8914bis that specifies that EDE in requests are to be ignored.
>
> At the moment draft-ietf-dnsop-structured-dns-error-02 really should use
> another EDNS option code point.  It really is not backwards compatible with
> EDE the way it is currently specified.
>
>
> Best,
> Tommy
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>