IETF Logo Mail Archive

Re: [DNSOP] Closing out issues in draft-ietf-dnsop-resolver-priming

"Joe Abley" <jabley@hopcount.ca> Fri, 16 October 2015 19:06 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF2AE1ACE8E for <dnsop@ietfa.amsl.com>; Fri, 16 Oct 2015 12:06:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GxL1Aunfy5l0 for <dnsop@ietfa.amsl.com>; Fri, 16 Oct 2015 12:06:53 -0700 (PDT)
Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 118191ACE8B for <dnsop@ietf.org>; Fri, 16 Oct 2015 12:06:53 -0700 (PDT)
Received: by qkap81 with SMTP id p81so58654168qka.2 for <dnsop@ietf.org>; Fri, 16 Oct 2015 12:06:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-type; bh=cZ12vJx/QdedTfvSYzlqnPEcYdsr7pZThBSwdZ5jkA8=; b=ZP7QLarnXK/sJufnKG/EzX8IE7qDLEVPqo1rlBkkynPj7J6OndxCzc43scpb+5cXYs Ld7Xuhy7waFszJc60dQzN60KWO3g0Y09zRPvL5nuvdxx+uwlF68z1LknBI4CBmHZCr16 t4JoRU+TLzLOJfEqLQ8CnJ48ujbsRuiARd/jE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-type; bh=cZ12vJx/QdedTfvSYzlqnPEcYdsr7pZThBSwdZ5jkA8=; b=LePjBJ/32+UJvAy7V1M+4migdpuWMB7YveCAcTMf1D2wDNUr0zIi7qsn8CO53FGXPl iB3q5HrC/jL3HFGBxT1NEi3H2CGPQMW0tajeTfz3RIlC6Voz/XV7RLfKUfofIZfvF7Ba Hw1maD1Ts4FpfqOwA3Cc6gicKT/oO56SZTrWwg5xtZJbrFQhZq2g1ECviqZPlnbdEVF9 +l9A1GMrHv67b2dxFb9IbzYVKqzuVt4kDkv3SRwG5KV7RYjd2uFkiCwxu/qZukgwogc6 neVWQRXZO9jLLD3vlPcZik7N/e0kEIWFgoZNDWjuBcW15OeU2cRf+RVovR+uX/S53SnH GHUA==
X-Gm-Message-State: ALoCoQkBVgMHc4h2G2Ikd4RDiteMh6X/ScbfVtvRoSkb8j5q0+5SHhfVfcyylT4LO5qExVuZkfDX
X-Received: by 10.55.212.77 with SMTP id l74mr20771174qki.19.1445022410732; Fri, 16 Oct 2015 12:06:50 -0700 (PDT)
Received: from [172.19.130.142] (135-23-68-43.cpe.pppoe.ca. [135.23.68.43]) by smtp.gmail.com with ESMTPSA id h60sm2094293qgh.7.2015.10.16.12.06.49 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 16 Oct 2015 12:06:49 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
To: Shane Kerr <shane@time-travellers.org>
Date: Fri, 16 Oct 2015 15:06:50 -0400
Message-ID: <8D54A560-B4A8-457C-8883-7C2B04394C0F@hopcount.ca>
In-Reply-To: <20151016204202.677f3be3@pallas.home.time-travellers.org>
References: <8149BC4D-F11E-4E4F-BBB8-C38D865A4184@vpnc.org> <20151016161831.58bdf78d@pallas.home.time-travellers.org> <56211942.20206@redbarn.org> <CAJE_bqcxjC=zS8tj6tKGX18UeEFm6GHcyRhjC7AFdh3x9-L=vA@mail.gmail.com> <d2f5212cbf9b4f46a5cae9f3af3f1f50@mxph4chrw.fgremc.it> <A7B11A56-A66F-4E13-9675-56344E25C403@vpnc.org> <BCE894DC-01B6-42C4-9589-1C19CA395250@hopcount.ca> <20151016204202.677f3be3@pallas.home.time-travellers.org>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.2r5141)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/jKNzdkWcj_RS07k6Bx6BRE_UY6s>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Closing out issues in draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2015 19:06:54 -0000


On 16 Oct 2015, at 14:42, Shane Kerr wrote:

> Seems like quite an easy attack at first blush. One could send a
> constant stream of priming answers to resolvers since they would get
> made once a day.

The successful attacks like this that I've seen rely upon being able to 
trigger a particular query from a resolver so that you can bombard it 
with responses in the hope of matching a query id. If there's no viable 
trigger (unless you can exploit a software defect and trigger a restart) 
the attack seems harder.

> While the chance of poisoning any one resolver with such a response is
> low, the impact is catastrophic to a non-validating resolver, as an
> attacker basically owns your view of the Internet at that point. For
> resolvers that do validate, the only issue is information leakage that
> a random party can see all of your root queries (or possibly a DoS).

Agreed, that the impact could be high if an attack is successful. My 
questions are principally about the probability of success, I guess.

>> We're talking principally about a risk to resolvers that prime but 
>> don't
>> validate, right?
>
> This draft also says that you MUST NOT set the DO bit on priming
> queries, so any resolver following this draft isn't validating.
>
> While a resolver could validate the NS RRSET, as you know the
> ROOT-SERVERS.NET domain is not signed, so the A and AAAA records
> (what you really care about) cannot be validated.

Right, and I think that's only a big problem for validators if the key 
assets you are relying upon (the answers that end users are using the 
DNS to fetch) are for qnames like L.ROOT-SERVERS.NET, which outside 
operational troubleshooting seems unlikely to be true.

An end-user looking for answers about ISC.ORG or PAYPAL.COM are going to 
be protected so long as there are signatures all the way down to those 
zones, regardless of what junk they receive from their priming query. 
Protected from junk, that is, not protected from unavailability.

> I know there is discussion about signing the root servers somehow, so
> perhaps a resolver that cares could someday validate the priming
> query... but we should probably remove the MUST NOT text around the DO
> bit then, perhaps replacing it with a SHOULD recommending validation.

The last time I did any thinking about this, presupposing widespread 
DNSSEC deployment by zone maintainers and widespread validation, there 
was no obvious benefit to security to be found in signing the 
ROOT-SERVERS.NET zone or RRSets returned in a priming response. There 
was, however, the potential for greatly enlarged priming responses.

I appreciate that this draft says you MUST NOT set DO=1 on priming 
queries, but the reality is that everybody does.


Joe

v2.23.0 | Report a Bug | By Email