IETF Logo Mail Archive

Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information

Paul Hoffman <paul.hoffman@icann.org> Mon, 05 August 2019 14:26 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 767D312022E for <dnsop@ietfa.amsl.com>; Mon, 5 Aug 2019 07:26:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DjPS9ZEqzRK5 for <dnsop@ietfa.amsl.com>; Mon, 5 Aug 2019 07:26:28 -0700 (PDT)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E209012022C for <dnsop@ietf.org>; Mon, 5 Aug 2019 07:26:28 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 5 Aug 2019 07:26:27 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1473.005; Mon, 5 Aug 2019 07:26:26 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: tirumal reddy <kondtir@gmail.com>
CC: dnsop <dnsop@ietf.org>
Thread-Topic: [Ext] [DNSOP] Call for Adoption: draft-sah-resolver-information
Thread-Index: AQHVS5nDDZcfPmFxJEuTZjH4SYXWUg==
Date: Mon, 05 Aug 2019 14:26:26 +0000
Message-ID: <02BB3B07-F1C1-4D2B-BA08-EF1A5AAACA4C@icann.org>
References: <CADyWQ+EUk_Qmnk=x3-om1OMjSMFrhd9qFUKTEBk6qWjh6fgRXQ@mail.gmail.com> <CAFpG3gc7bvJNo3SF=anU5aPfEjF0j-c2q8ZUHH3Gd684m9Ypyg@mail.gmail.com>
In-Reply-To: <CAFpG3gc7bvJNo3SF=anU5aPfEjF0j-c2q8ZUHH3Gd684m9Ypyg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <301695546787974E8244EE3028984C77@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ehC8GQclzSmHqReB6k_3RcsjgHc>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Aug 2019 14:26:30 -0000

Thank you for your detailed list 

On Aug 5, 2019, at 4:07 AM, tirumal reddy <kondtir@gmail.com> wrote:
> 
> I did not receive response to the attacks discussed in https://mailarchive.ietf.org/arch/msg/dnsop/4ubj2D4bzxS1VTsZKzcNqBcWgtM. 
> Listing the attacks and comments for further discussion:

To be clear, most of what you have below are not "attacks" at all.

> a) Attackers can also host DoH/DoT servers and claim they offer security and privacy policies. How will the stub resolver know the recursive server is not lying ?

The same way it can "know" that a web site it is going to follows that site's claims of security and privacy policies. That is: it cannot without help from trusted third parties. A resolver's claims inherently can be no different. This can be clarified in the draft.

> b) How will the client know the policy statement is issued by a resolver deployed by the network administrator or by an attacker ?

See above. This is barely different than the web model, if at all.

> c) I don't see any discussion in the draft explaining how the client determines the future DHCP configuration options are coming from a trusted
> source.

For the DNS method, it can use DNSSEC validation. For the HTTPS method, it can use normal TLS authentication. This can be clarified in the draft.

> If the source cannot be trusted, endpoint can be configured to use a malicious resolver server compromising the endpoint security and privacy,
> and future DHCP configuration options will not be helpful (DHCP clients typically have no secure and trusted relationships to DHCP servers).

Are you saying here that, because there is no typically-trusted way to get this information from DHCP, there should be no way to get it from the DNS either? If so, that seems like a harsh restriction.

> d) What type of DNS information is self-published ?

The draft clearly says that a resolver can self-publish any information it wants, so I don't understand the question.

> e) What type of decisions will the stub resolver make based on the features advertised by the recursive resolver ?

Whichever decision it wants. This is true for any protocol, yes?

> f) What is the need for both new RRtype and new well-known URI ?

As I said earlier in the thread, it is not a "need".

Some clients who want the information will want to use HTTPS because that's what they already do (such as applications with DoH clients); there is no need to force them to also have DNS transport stacks just to get the information. 

Some clients who want the information will want to use DNS because that's what they already do (such as stub resolvers); there is no need to force them to also have HTTPS transport stacks just to get the information.

> g) Why isn't the information the resolver will publish discussed in this document itself ?

This is the same as asking "why isn't every DHCP option defined in the main DHCP protocol specification". We cannot know all the kinds of information that a resolver will want to publish. Different resolver operators have told me that, if this is adopted, they will suggest types of information they want stubs to know about them. There is no reason to restrict them in that, I believe.

> h) An on-path attacker can modify the response to return NXDOMAIN response. How is this attack prevented ?
>     Looks like DNSSEC validating client is mandatory to detect fake NXDOMAIN response.

Yes, exactly. If you have a better suggestion, that would be great. 

> i)  If the server certificate cannot be validated,  why will the client trust the resolver information provided by server whose identify cannot be validated ?

That's up to a client's policy for the specific information they receive. Again, this is no different than DHCP. The fact that few DHCP clients actually use DHCP authentication hasn't stopped the world from using it widely.

> The draft does not look ready for adoption.

Given the above, and given that the WG would be able to change any part of the draft it wants, do you still feel that way? Or do you feel that there is no need at all for a resolver to be able to announce its features? 

--Paul Hoffman

v2.23.0 | Report a Bug | By Email