IETF Logo Mail Archive

Re: [DNSOP] Incompatibility with indicating client support for EDE (draft-ietf-dnsop-structured-dns-error)

Tommy Pauly <tpauly@apple.com> Wed, 24 May 2023 14:00 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2868CC16951B for <dnsop@ietfa.amsl.com>; Wed, 24 May 2023 07:00:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3zSGuISQo0FU for <dnsop@ietfa.amsl.com>; Wed, 24 May 2023 07:00:32 -0700 (PDT)
Received: from ma-mailsvcp-mx-lapp01.apple.com (ma-mailsvcp-mx-lapp01.apple.com [17.32.222.22]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70348C16951E for <dnsop@ietf.org>; Wed, 24 May 2023 07:00:32 -0700 (PDT)
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by ma-mailsvcp-mx-lapp01.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPS id <0RV6010OD1KH9120@ma-mailsvcp-mx-lapp01.apple.com> for dnsop@ietf.org; Wed, 24 May 2023 07:00:31 -0700 (PDT)
X-Proofpoint-ORIG-GUID: laNyGKL_hp9ZBpAFVDEL5_IOtYqpcFmb
X-Proofpoint-GUID: laNyGKL_hp9ZBpAFVDEL5_IOtYqpcFmb
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.573, 18.0.942 definitions=2023-05-10_04:2023-05-05, 2023-05-10 signatures=0
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 mlxscore=0 malwarescore=0 phishscore=0 bulkscore=0 adultscore=0 suspectscore=0 mlxlogscore=999 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305100143
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=IXSguxCQr2CgK0l73mGoAIH5GcnM1cvxlH9OAi6Xnx4=; b=M/ETfQuJ33vzXuZ7Lnzq2Tu5HHGeYc3MjwzT97H+VZ+PyTY7obapI7Jqk0v77lKEhFRW GOofr1au32er24hsYR8th050QyVBLrEel4r/Vlw9BeZJ1ipKZzRYnbyzhh5/NPOI3+wD 0FDSoyKAaRwp1F3+gNgE/zPESe8J9dEZ+TIklaa8iEqHaZ2Nf/BjzGm+hGoz6+bTVsWj lZgPNECmAOxgeVpmay7CJMFRrttRit7/eHLLPMJDy+1IJprWbKL9/SjZ4KHWqBhYkNX5 8NHcjuM3Hg6gwSyo5H1C+DPI8cFRW2JNoliW6TLPh5GukOv1NzY4pThauteUOnwUC1r3 Ng==
Received: from rn-mailsvcp-mmp-lapp02.rno.apple.com (rn-mailsvcp-mmp-lapp02.rno.apple.com [17.179.253.15]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPS id <0RV600AHH1KLVWI0@rn-mailsvcp-mta-lapp03.rno.apple.com>; Wed, 24 May 2023 07:00:21 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp02.rno.apple.com by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) id <0RV600700117FO00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Wed, 24 May 2023 07:00:21 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 6a851ae06bdcf8d0a2f580511df70408
X-Va-E-CD: 0b79d2ebc82ccddf39c2a87c6a53fc06
X-Va-R-CD: d9006b4b5f3e35bccc03845f7ae332f2
X-Va-ID: 5c911df5-7731-42f1-b158-c6027b89f6c1
X-Va-CD: 0
X-V-A:
X-V-T-CD: 6a851ae06bdcf8d0a2f580511df70408
X-V-E-CD: 0b79d2ebc82ccddf39c2a87c6a53fc06
X-V-R-CD: d9006b4b5f3e35bccc03845f7ae332f2
X-V-ID: 5eb5bfcc-1695-4e1e-8834-c12f088af243
X-V-CD: 0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.573, 18.0.957 definitions=2023-05-24_09:2023-05-24, 2023-05-24 signatures=0
Received: from smtpclient.apple (unknown [17.11.47.151]) by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPSA id <0RV6006JM1KKQ100@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Wed, 24 May 2023 07:00:21 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <5CCD101E-8CC1-4557-80A3-6E4FEDD29F92@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_CF23ED94-C5FD-4AF6-9770-F9C7B2C02D30"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3762.100.4.1.11\))
Date: Wed, 24 May 2023 07:00:10 -0700
In-reply-to: <CAFpG3gd3iJjAcAHL_0bvy9Tmhvm1POUd8YM7iuUsUhgg0YEidg@mail.gmail.com>
Cc: Dan Wing <danwing@gmail.com>, DNSOP WG <dnsop@ietf.org>
To: tirumal reddy <kondtir@gmail.com>
References: <1BE5004E-B64D-407D-80F5-EB25D7BB671C@apple.com> <4A22932F-1980-438E-9B6A-176B82CECE50@isc.org> <A474412D-191B-48BD-8FC4-E07578E9C487@apple.com> <A79A4C21-43FD-4CC1-91C8-73F0F1C4BF28@gmail.com> <3255E1FA-0864-4BA6-A131-B478938714AE@apple.com> <CAFpG3gd3iJjAcAHL_0bvy9Tmhvm1POUd8YM7iuUsUhgg0YEidg@mail.gmail.com>
X-Mailer: Apple Mail (2.3762.100.4.1.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dFS3sOCnVQiW7ngoZhHV_UYfzpE>
Subject: Re: [DNSOP] Incompatibility with indicating client support for EDE (draft-ietf-dnsop-structured-dns-error)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2023 14:00:36 -0000


> On May 24, 2023, at 12:00 AM, tirumal reddy <kondtir@gmail.com> wrote:
> 
> On Wed, 24 May 2023 at 01:48, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org <mailto:40apple.com@dmarc.ietf.org>> wrote:
>> Using length=2 and INFO-CODE=0 sounds fine to me.
>> 
>> For the dependency on draft-ietf-add-resolver-info, I don't think we need to impose that dependency. I'd much prefer to allow clients to look at that optionally, but still be able to include the hint and use the extra text if it parses correctly.
> 
> Dependency on draft-ietf-add-resolver-info was added to address the threat where an attacker might inject (or modify) the EDE EXTRA-TEXT field with an DNS proxy or DNS forwarder that is unaware of EDE.More details are discussed in Section 10 of the draft. 

Using encrypted DNS to a known/trusted resolver can achieve this as well, so I think it is better as a recommendation of one way, but not a required way.

Tommy
> 
> Cheers,
> -Tiru
>  
>> 
>> Tommy
>> 
>>> On May 23, 2023, at 9:52 AM, Dan Wing <danwing@gmail.com <mailto:danwing@gmail.com>> wrote:
>>> 
>>> EDE length=2 with INFO-CODE=0 works nicely.
>>> 
>>> Also because non-EDE-aware DNS responders can be vulnerable to attacks described in Security Considerations, the Security Considerations section currently suggests clients use draft-ietf-add-resolver-info to check if server supports EDE. This needs better clarification in the document that client has to check draft-ietf-add-resolver-info before including EDE OPT in its DNS query. This check will further help interop by only sending EDE in requests to servers that indicated support via draft-ietf-add-resolver-info. However, it creates draft-ietf-add-resolver-info as another hurdle to deployment of Structured DNS error.  Thoughts?
>>> 
>>> (I also put the above text into our github issues; I don't know which folks prefer.  https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error/issues/26)
>>> 
>>> -d
>>> 
>>> 
>>>> On May 22, 2023, at 7:44 PM, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org <mailto:40apple.com@dmarc.ietf.org>> wrote:
>>>> 
>>>> Thanks, Mark.
>>>> 
>>>> For what it's worth, I just ran two other tests, and for both of these cases, all of the resolvers I tried did accept the request:
>>>> - Choose a new EDNS option code point (I just tested 50, randomly)
>>>> - Use EDE but set the length to 2 and the error to 0 (other error), rather than a length of 0
>>>> 
>>>> Both of these seem viable, and I’ll let the authors and WG decide which is the right way forward.
>>>> 
>>>> Best,
>>>> Tommy
>>>> 
>>>>> On May 22, 2023, at 5:00 PM, Mark Andrews <marka@isc.org <mailto:marka@isc.org>> wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>>> On 23 May 2023, at 02:20, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org <mailto:40apple.com@dmarc.ietf.org>> wrote:
>>>>>> 
>>>>>> Hello DNSOP,
>>>>>> 
>>>>>> In draft-ietf-dnsop-structured-dns-error, there’s a description of how clients should indicate that they understand extended DNS errors (EDE) by sending an empty EDE option. 
>>>>>> 
>>>>>> https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-02.html#name-client-generating-request
>>>>>> 
>>>>>> This is something that makes a lot of sense to me, and provides a great way to indicate that a client would prefer to receive proper blocked/filtered errors (with possible extra text) as opposed to a forged answer.
>>>>>> 
>>>>>> However, in testing this out, I’m seeing inconsistent compatibility with some public resolvers. I was testing enabling this for encrypted resolvers only, and I see the following behavior for a sampling of resolvers using DoH:
>>>>>> 
>>>>>> 1.1.1.1 - NOERROR, works fine!
>>>>>> 9.9.9.9 - NOERROR, works fine!
>>>>>> 8.8.8.8 - FORMERR on all responses
>>>>>> dns.adguard-dns.com <http://dns.adguard-dns.com/> - SERVFAIL on all responses
>>>>>> 
>>>>>> Do we think that this should be allowed in queries (and thus this is a bug in resolvers like 8.8.8.8 or AdGuard)? Or is there a problem with the approach this document is suggesting?
>>>>> 
>>>>> RFC 8914 left whether EDE in requests was permitted or not undefined.  I can see an EDE implementation making the option parser return FORMERR if the EDE option length was less than 2 and applying that to both requests and responses.  RFC 8914 really should have said that EDE in requests should be ignored and then there would have been a possibility on extending behaviour based on adding EDE to a request.  We are already 10 years into trying to fix unknown EDNS option behaviour and are still getting FORMERR on unknown EDNS options in requests.  If the working group want to allow extending EDE by adding it to a request is should obsolete RFC 8914 now with RFC8914bis that specifies that EDE in requests are to be ignored.
>>>>> 
>>>>> At the moment draft-ietf-dnsop-structured-dns-error-02 really should use another EDNS option code point.  It really is not backwards compatible with EDE the way it is currently specified. 
>>>>> 
>>>>> 
>>>>>> Best,
>>>>>> Tommy
>>>>>> _______________________________________________
>>>>>> DNSOP mailing list
>>>>>> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>>> 
>>>>> -- 
>>>>> Mark Andrews, ISC
>>>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>>>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org <mailto:marka@isc.org>
>>>>> 
>>>>> _______________________________________________
>>>>> DNSOP mailing list
>>>>> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>> 
>>>> _______________________________________________
>>>> DNSOP mailing list
>>>> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>> 
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/dnsop
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email