IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming

Bob Harold <rharolde@umich.edu> Thu, 11 August 2016 16:11 UTC

Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD53812D5D7 for <dnsop@ietfa.amsl.com>; Thu, 11 Aug 2016 09:11:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r8kRJkHWvYis for <dnsop@ietfa.amsl.com>; Thu, 11 Aug 2016 09:11:38 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04B3F12D0FA for <dnsop@ietf.org>; Thu, 11 Aug 2016 09:11:37 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id j12so149541ywb.2 for <dnsop@ietf.org>; Thu, 11 Aug 2016 09:11:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ttjIgokZAmurvmKUgzyLz/lVY9SdC7LkqrFLXf1LTGM=; b=ompW24Gh5KbF1AmJBLJX1muJcuz/HvKGFOviLvRvXDULlYt/p2Q7iJC8PTNlApLJuw esz7kHn9oP+QRD7VZ1BTlO2mfUkBdK95GVjFwCN+sD0Dew1pwJL45MffojRvF+dIp1Ix dvPKdpeHDd6K4xLDIGbs6Ki+eLbx78TRm3KY/bPLrgKJAtaj7z6KCYloI6rHIZSbL66y rdse7OV7KHEILrcR2C4itHve9QXQTXQaCyenMZlQaP1qr+eZYhxFpr8Ksf2eFBc8wDCu CeNpl9g7Z7RzVaAnGWrtjj4uAvrqtaE7dp5BFdd1kYTkI9k+Gnh2LcUMKiqswmZukQSR SCaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ttjIgokZAmurvmKUgzyLz/lVY9SdC7LkqrFLXf1LTGM=; b=QMmaz+0uSb4e5Qj3sOeivfgQ7oclYxRvy9spmh+y3I2F70wKzNkXREVUGRb9sB55Aa OOW0TaiDaQuF4xno27rdslsx2X79K40e4u8/V48oAXoOrBibSh0Hn4b4rG8Eo5Rr32Fb xbGf/5SHVWv9ebhOhv8o7HKHr3j6kR6ujnkZzPh4G7bf2DgiRNo8q00M3U0oPv9c6Td1 i2/ycupFC+/dx9qNvMhGnDlSfYLba4JHeUG85jOjqf2KCaQYNO1enyssd+WHbs26NfqU mpgzlwhGlE1Vy5L5M84wwhrN5eTvwcuAlYeV8Z99FzeigyXrQXEdhl87sMpRx3TNVGVA bdqw==
X-Gm-Message-State: AEkoousmgiUij4wTNRJRhtB796eU8t9DN2/0s0GSBkQeoiYMG25GpVtCU/6claYdKvt+TGdSvRgE1a3DGkcdpTGq
X-Received: by 10.13.217.20 with SMTP id b20mr7329483ywe.44.1470931897126; Thu, 11 Aug 2016 09:11:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.255.3 with HTTP; Thu, 11 Aug 2016 09:11:36 -0700 (PDT)
In-Reply-To: <B0ED30A0-707B-4E07-88F3-37385CC684C4@vpnc.org>
References: <f8c62b82-258c-2b2b-5186-c3cd8e7d7448@gmail.com> <20160805114511.3ab76c8e@pallas.home.time-travellers.org> <B0ED30A0-707B-4E07-88F3-37385CC684C4@vpnc.org>
From: Bob Harold <rharolde@umich.edu>
Date: Thu, 11 Aug 2016 12:11:36 -0400
Message-ID: <CA+nkc8AcWHDGgYngnYH15LuskcECCxfdyf8J064ozNVJmb+1_g@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: multipart/alternative; boundary="001a114fbe7437c1da0539ce05b1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dQRa7V2ffBqak7FsnZQkCSsYoa8>
Cc: Shane Kerr <shane@time-travellers.org>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2016 16:11:40 -0000

On Wed, Aug 10, 2016 at 8:38 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> On 5 Aug 2016, at 2:45, Shane Kerr wrote:
>
> All,
>>
>> At 2016-08-04 20:03:35 -0400
>> Tim Wicinski <tjw.ietf@gmail.com> wrote:
>>
>> Remember the Resolver Priming draft? This thing has been kicking around
>>> for a good solid 5 years. It stalled for a few years waiting for the
>>> busy authors perform some updates.
>>> Then Paul Hoffman took the reins and has done a great job getting this
>>> ready for publication.
>>>
>>
>> w00t
>>
>> I like this document, and am happy that it is moving again. :)
>>
>
BH:  I also like the document!

>
>> This starts a Working Group Last Call  for draft-ietf-dnsop-resolver-prim
>>> ing
>>>
>>> Current versions of the draft is available here:
>>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-resolver-priming/
>>>
>>> Please review the draft and offer relevant comments. Also, if someone
>>> feels the document is *not* ready for publication, please speak out with
>>> your reasons.
>>>
>>
>> I have two minor comments, which may not require any changes.
>>
>>
>> First, we have:
>>
>>   "If a priming query does not get a response within 2 seconds, the
>>   recursive resolver SHOULD retry with a different target address from
>>   the configuration."
>>
>> The "2 seconds" seems a bit arbitrary.
>>
>
> Yep. But...
>
> I'm not sure why any
>> recommendations need to be made at all. The document already says that
>> these are basically normal DNS queries elsewhere - surely that is enough?
>>
>
> The queries are normal, but the reliance on them is not. Without priming,
> nothing can be answered, so that makes them kinda special.


It seems unnecessary to say much here, trying each of the NS records, and
retrying multiple times, should be 'normal' although the details will be
implementation dependent.  Also related is what to do if none of the
servers respond, but again that is application dependent and we don't want
to go down that trail.

>
>
> (And maybe if we do want to recommend a retry then we need to be clear
>> that if an answer comes from an earlier query that the resolver may
>> accept it?)
>>
>
> That would be a radical shift. Instead, how about "If a priming query does
> not get a response within a short period (for example, 2 seconds), ..."?
>
> Second, a possible additional security consideration is that a priming
>> query typically signals a resolver starting with an empty cache
>> (although not always - the Knot resolver has a persistent cache, for
>> example). This may be an especially vulnerable time for a resolver for
>> cache poisoning. I don't know what can be done to mitigate this though
>> aside from requiring TCP or DNS cookies for a time after startup, so
>> perhaps this can be left out.
>>
>
> Priming queries happen both when there is an empty cache and at timeout of
> the root records. Unless we know for sure what the ratio between those two
> are, I'm hesitant to put anything in the document saying that it is
> "common".


Priming queries happen 1) at startup, 2) when cache is emptied (by rndc
flush for example), 3) when the TTL's expire, and 4) when the server
decides to prefetch.  Perhaps there are others, but in every case there are
the same security concerns - an attacker can:  a) inject malicious data, or
b) block valid data from reaching the server.  The first 'owns' the server,
the second disables it.


>
>
> --Paul Hoffman
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email