IETF Logo Mail Archive

Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-rfc8109bis

Paul Hoffman <paul.hoffman@icann.org> Wed, 10 January 2024 22:44 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94056C14F6FB for <dnsop@ietfa.amsl.com>; Wed, 10 Jan 2024 14:44:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.206
X-Spam-Level:
X-Spam-Status: No, score=-4.206 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QU9nzwKY5cTy for <dnsop@ietfa.amsl.com>; Wed, 10 Jan 2024 14:44:05 -0800 (PST)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10159C14F602 for <dnsop@ietf.org>; Wed, 10 Jan 2024 14:44:05 -0800 (PST)
Received: from MBX112-E2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.7]) by ppa4.dc.icann.org (8.17.1.24/8.17.1.24) with ESMTPS id 40AMi1Tb004467 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 10 Jan 2024 14:44:02 -0800
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Wed, 10 Jan 2024 14:44:02 -0800
Received: from MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) by MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) with mapi id 15.02.1258.028; Wed, 10 Jan 2024 14:44:02 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: Roy Arends <roy@dnss.ec>
CC: dnsop <dnsop@ietf.org>
Thread-Topic: [Ext] [DNSOP] Working Group Last Call for draft-ietf-dnsop-rfc8109bis
Thread-Index: AQHaRBaBkUjZHF4KR027izQuflDiGw==
Date: Wed, 10 Jan 2024 22:44:01 +0000
Message-ID: <6F904B7A-8BC0-49E2-8B2D-05A82F136A5C@icann.org>
References: <CADyWQ+FW_9pbQFrOJz7R5BQEdL075wXBc=aZ=mcifqT8fekORg@mail.gmail.com> <3A98DFF3-FEF1-451F-BB17-932E7D6AB986@dnss.ec>
In-Reply-To: <3A98DFF3-FEF1-451F-BB17-932E7D6AB986@dnss.ec>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <50E5486710C22141951B0402526F1222@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-01-05_08,2024-01-05_01,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lYPQG4Blyi7EHI_mtiUVQjEVCt8>
Subject: Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-rfc8109bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jan 2024 22:44:09 -0000

On Jan 10, 2024, at 14:05, Roy Arends <roy@dnss.ec> wrote:
> I support this documents.

Thanks!

> Furthermore, here are some comments:
> 
>        2. Description of Priming
> 
>        Priming is described in Sections 5.3.2 and 5.3.3 of [RFC1034]. The
>        scenario used in that description, that of a recursive server that is
>        also authoritative, is no longer as common.
> 
> The term “Priming” is not used in RFC1034. What is used in RFC1034 is the term SBELT ("safety belt” structure), defined in 5.3.2. The reference is more useful when the term SBELT is included.

Good idea; fixed.

> “published”

Already caught in all places, thanks.

>        A machine-in-the-middle attack on the priming query could direct a
>        resolver to a rogue root name server. Note, however, that a
>        validating resolver will not accept responses from rogue root servers
>        if they are different from the real responses because the resolver
>        has a trust anchor for the root and the answers from the root are
>        signed.  Thus, if there is a machine-in-the-middle attack on the
>        priming query, the results for a validating resolver could be a
>        denial of service, or the attacker seeing queries while returning
>        good answers, but not the resolver's accepting the bad responses.
> 
> This is misleading. Not all answers from the root are signed. Some content in the root zone is signed, delegation point NS records are not. This attack will be successful when rogue root-servers change delegation information to unsigned zones. This needs to be more precise.
> 
>        If the "root-servers.net" zone is later signed, or if the root
>        servers are named in a different zone and that zone is signed, having
>        DNSSEC validation for the priming queries might be valuable. The
>        benefits and costs of resolvers validating the responses will depend
>        heavily on the naming scheme used.
> 
> Not necessarily. This attack will be successful when rogue root-servers change delegation information to unsigned zones (see above) and is not dependent on a naming scheme.

Excellent catch: fixed. (Background: more than a few ccTLDs are not signed.)


>        4. Priming Responses
> 
>        A priming query is a normal DNS query. Thus, a root server cannot
>        distinguish a priming query from any other query for the root NS
>        RRset. Thus, the root server's response will also be a normal DNS
>        response.
> 
> Apologies for sounding pedantic, but what is “a normal DNS query” or a “normal DNS response” ? 
> 
> If there is no definition, maybe the following works for you:
> 
> The term “Priming” reflects the intent of the resolver. A root server cannot distinguish a priming query from any other root type NS query. The root server's response will therefore be an ordinary DNS response.

We could replace "normal" with "ordinary", but they sound similar to me.

> 
>        4.2. Completeness of the Response
> 
>        At the time this document is pulished, there are 13 root servers.
> 
> “published"
> 
> There are 13 hostnames, or root server identifiers. "13 root servers" implies that there are 13 physical boxes.

Already fixed from earlier comments.

>        Each has one IPv4 address and one IPv6 address. Not even counting
>        the NS RRset, the combined size of all the A and AAAA RRsets exceeds
>        the original 512-octet payload limit from [RFC1035].
> 
> Remove “Not even counting the NS RRset, ”. The remainder of the sentence says enough.

Ack.

>        In the event of a response where the Additional section omits certain
>        root server address information, re-issuing of the priming query does
>        not help with those root name servers that respond with a fixed order
>        of addresses in the Additional section. Instead, the recursive
>        resolver needs to issue direct queries for A and AAAA RRsets for the
>        remaining names. At the time this document is pulished, these RRsets
> 
> “published”
> 
>        would be authoritatively available from the root name servers.
> 
>        5. Post-Priming Strategies
> 
>        When a resolver has a zone's NS RRset in cache, and it gets a query
>        for a domain in that zone that cannot be answered from its cache, the
>        resolver has to choose which NS to send queries to. (This statement
>        is as true for the root zone as for any other zone in the DNS.) Two
>        common strategies for choosing are "determine the fastest nameserver
> 
> “name server”

Ack.

Thanks!

--Paul Hoffman

v2.23.0 | Report a Bug | By Email