IETF Logo Mail Archive

Re: [DNSOP] tdns, 'hello-dns' progress, feedback requested

Matthew Pounsett <matt@conundrum.com> Fri, 13 April 2018 19:02 UTC

Return-Path: <matt@conundrum.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3586E127698 for <dnsop@ietfa.amsl.com>; Fri, 13 Apr 2018 12:02:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.609
X-Spam-Level:
X-Spam-Status: No, score=-2.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conundrum-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ePJ-5q_DmIMN for <dnsop@ietfa.amsl.com>; Fri, 13 Apr 2018 12:02:34 -0700 (PDT)
Received: from mail-it0-x229.google.com (mail-it0-x229.google.com [IPv6:2607:f8b0:4001:c0b::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29E6B127601 for <dnsop@ietf.org>; Fri, 13 Apr 2018 12:02:34 -0700 (PDT)
Received: by mail-it0-x229.google.com with SMTP id u62-v6so4435148ita.5 for <dnsop@ietf.org>; Fri, 13 Apr 2018 12:02:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conundrum-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ok4k5Kulv0QADLT6EngsX1l5a3iSqUpqkOoO9d2mz3k=; b=qru3RJ7Z3F9xY+hFLZIoSaV4HDrBeeqmLF8YBxCKOPrIo3w4kSP78NRy9NgOp4BnT8 aFvvAKNl4Db9jCuCh6mm4ttuBWd6nrjnehh7cg3WOSUQjNmtwKpYnLyIsRKY9pgXu6Qd cBlOle40ED786CL9Z8bMqMCNC0Ey+cw0ddrWyfDVckV8OqUIg4s2SoACNzckAw1C8MkD Xs0/6p7o11LehTGEVen8ZKabtVHIbl+we+OWjwaXhqu2Ea3Tv+sJOl3CcuscuxHPsWa3 FnUqn3Q3GWvPZHS5REnzTb0J973aH53GOjXDyMz7p5ajebgm/sWzmdHKHgWJoFGHNYcD xcPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ok4k5Kulv0QADLT6EngsX1l5a3iSqUpqkOoO9d2mz3k=; b=YJiVel3JMTtwgr7spuru6NTwpVcJpBqwKY8Zz8LPbOP0x22Wvim4Nx6ekT6C8+KTTb kKVYk/1fEsRGYj1vIbyfICycjND6v7klWj8DI3pFQmwiqNIhXZ1jsIs52bqabfZlFcOi bAX1Pm1qQyCUsDxhbycDld7nH1tKIDh+0RSHczfnIdniRD+EX+phnumaM+FnGFudYsFs LyBb+ytrVt+fIgmjA7FdAYCvk8yzFhxSpypmndhBzbj7ff9aEzTOXsoknbgm5FucabUT nyyIQcwLOfTzPzZFkcpqUh1N54CfkJdot3GkYGQQun7bb8YgVyTotqsIswC1Pv7cZpGD jrpw==
X-Gm-Message-State: ALQs6tBTdZWS4sam4IxPpTmqtISgNlfsqdA0W7SFV0/q931rj9DCQULz STrSwqQNHla95P1JezchnoX65VU/p8D1hzsQVmzKmaRy
X-Google-Smtp-Source: AIpwx4/oT5GOxGlVKqjUuZh/NdbCm8xBhTHekRj8iOxIuLNc8jEbnmKfhPC8cwdlN7sYMxcIsAxxAADAFPA5nL7+XsY=
X-Received: by 2002:a24:c301:: with SMTP id s1-v6mr7094546itg.100.1523646153261; Fri, 13 Apr 2018 12:02:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.2.148.46 with HTTP; Fri, 13 Apr 2018 12:02:32 -0700 (PDT)
In-Reply-To: <20180413151152.GB4767@server.ds9a.nl>
References: <20180413144707.GA4767@server.ds9a.nl> <623F11C7-6E4D-40F5-8AD1-8F7E92C8C7F9@vpnc.org> <20180413151152.GB4767@server.ds9a.nl>
From: Matthew Pounsett <matt@conundrum.com>
Date: Fri, 13 Apr 2018 15:02:32 -0400
Message-ID: <CAAiTEH_wF7NMpMv0MQ4-VbCZUSYWA7QsivgSoYM2p128EsL4zQ@mail.gmail.com>
To: bert hubert <bert.hubert@powerdns.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ba9e510569bf8327"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ia-9YDUsvZIMvRtnrI_TMkysX44>
Subject: Re: [DNSOP] tdns, 'hello-dns' progress, feedback requested
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2018 19:02:36 -0000

On 13 April 2018 at 11:11, bert hubert <bert.hubert@powerdns.com> wrote:

> > >1) chase CNAMEs that point to another zone
> > >2) look for glue outside of the zone
> >
> > 1) What was the historical text that indicated that an authoritative
> server
> > should chase CNAMEs before responding? This worries me.
>
> RFC 1034, 4.3.2, step 3, a. It says to go back to step 1, which means that
> in step 2 we look up the best zone again for the target of the CNAME. I
> have
> not looked if newer RFCs deprecate this or not. So with 'chase' I mean,
> consult other zones it is authoritative for. There might be millions of
> these btw, operated by other people.
>

Wouldn't there be a security concern with doing that?

Let's say you're a DNS hosting company and I get you to host example.com
for me, and delegate it to your servers.  For some good, but obscure reason
I have:
update.example.com IN CNAME update.microsoft.com.

An attacker comes along and asks you to host microsoft.com, which is not
delegated to you.  They have:
update.microsoft.com IN CNAME attack.badguy.com.

If you follow CNAME chains outside the zone (but inside the "authoritative"
zones in your server) then you have just participated in redirecting a
CNAME chain away from where it's supposed to go.  Either recursive servers
will trust your supplied CNAME chain and their users will be attacked, or
they will (rightly) not trust you and go look up update.microsoft.com
themselves, which, in which case you have wasted resources looking it up in
your own.

v2.23.0 | Report a Bug | By Email