IETF Logo Mail Archive

[DNSOP] Re: Potentially interesting DNSSEC library CVE

Mark Andrews <marka@isc.org> Sat, 27 July 2024 05:26 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98F75C1840E1 for <dnsop@ietfa.amsl.com>; Fri, 26 Jul 2024 22:26:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="B04HO8Ms"; dkim=pass (1024-bit key) header.d=isc.org header.b="Q9DI6SSU"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WbP2RpsbL-aR for <dnsop@ietfa.amsl.com>; Fri, 26 Jul 2024 22:25:58 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9BA5C1840DC for <dnsop@ietf.org>; Fri, 26 Jul 2024 22:25:53 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id C116A3AB271; Sat, 27 Jul 2024 05:25:52 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org C116A3AB271
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1722057952; cv=none; b=QRfZpskg0fhnlUOYXCFj4Agn55gMmeFap6dVTv90z5Ku+JezJndBTod7lVDxLt9ApVuUztomSTyspcsOnUZHGLjDKTlQkT0GFI/ubA4Kk0oX4U3Qki88ouru6IsTN6EaliYZ00A4H1GOElO6FcenqMXxruApCh+eGY/fVyFaZxo=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1722057952; c=relaxed/relaxed; bh=zOku2KVbBHMOHA5/hDYOIqhz3bSJpm92LRYXQ5ZGVRY=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=huXxMbSkWNpN1WbM+o2Zy75urlPzB3XF/cL/cSUKlnu09nen5Bjup2S2aOcMhUgUxV1MbqxbXFDu4rgOq+sc0htDfGTYuqiMfv3Ips1/76L0AeF61mbknrVE9r4sQEBBvnFAOxCaDOX86tDnvQJMiZ3pDNqFDFxZGkHz5ZyF3tw=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org C116A3AB271
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1722057952; bh=QRx25NhRvFCWZRaz7bOMHs7+s57KrCTWf/+P1Azg9M8=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=B04HO8MsjUJlqi+bZtO6OH9M3ywd/Y/68SWs6Z/0EsVyZ638r8yQxkg5IqD4U7hHH yrV48nBQIMmkrTWoKppfTzKZtUEVsTh9nAOscdxTL7yUmVAWBNWhzxe04TweEuh9Au 9pjlYZMfOGf3EkPKdPDqWEdNCdPzkQvCZbzzb3wk=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id B897BE6E9B3; Sat, 27 Jul 2024 05:25:52 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 8CDE3E6E9B1; Sat, 27 Jul 2024 05:25:52 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 8CDE3E6E9B1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1722057952; bh=zOku2KVbBHMOHA5/hDYOIqhz3bSJpm92LRYXQ5ZGVRY=; h=Mime-Version:From:Date:Message-Id:To; b=Q9DI6SSUSilDJAIvi2rhV7x1zz1vNrX/aUx33n90XQld/4dZHGxTqdDz2+EMHEQ3O u4pHYwzYcW2uT3u7kVw1fWiLRoGZ+p5z6SmdiOviqeOBY3qiJdZ8OHDnnbAcqvVwEf cQ17lAGP2BabNOA643lJNceYZZHWcGX8vSNJk8xg=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id cCLivt-E04k3; Sat, 27 Jul 2024 05:25:52 +0000 (UTC)
Received: from smtpclient.apple (unknown [64.141.80.140]) by zimbrang.isc.org (Postfix) with ESMTPSA id 4A725E6E992; Sat, 27 Jul 2024 05:25:52 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <a75e064ed50c62587315d42b21eedb60403fc307.camel@aisec.fraunhofer.de>
Date: Fri, 26 Jul 2024 22:25:51 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <A0247CF0-FC33-49E4-967F-EB7AD264467D@isc.org>
References: <m1sWF8d-0000LsC@stereo.hq.phicoh.net> <1070949df20a6ac1f9c2c2dd401d5953bb362bf2.camel@aisec.fraunhofer.de> <m1sWe2O-0000OKC@stereo.hq.phicoh.net> <fc306ade9816e06e19a1e2c9828c1c9ef2f0e2bb.camel@gnu.org> <m1sWxJi-0000MEC@stereo.hq.phicoh.net> <6c70aa6b316f7650d84a52135a6aa24aab147788.camel@gnu.org> <m1sWxlI-0000MGC@stereo.hq.phicoh.net> <7373aae035616f1689a576117579ca054759c84d.camel@gnu.org> <m1sWyDs-0000SdC@stereo.hq.phicoh.net> <a75e064ed50c62587315d42b21eedb60403fc307.camel@aisec.fraunhofer.de>
To: "Bellebaum, Thomas" <thomas.bellebaum@aisec.fraunhofer.de>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Message-ID-Hash: WTYTV6A4OHGVXYRGY5H5J47LCADRNHXN
X-Message-ID-Hash: WTYTV6A4OHGVXYRGY5H5J47LCADRNHXN
X-MailFrom: marka@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dnsop@ietf.org" <dnsop@ietf.org>, "pch-dnsop-5@u-1.phicoh.com" <pch-dnsop-5@u-1.phicoh.com>, "schanzen@gnu.org" <schanzen@gnu.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Potentially interesting DNSSEC library CVE
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/m1tylfyI3JWguZ-mLmgPZv12Vcw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>


> On 26 Jul 2024, at 04:41, Bellebaum, Thomas <thomas.bellebaum@aisec.fraunhofer.de> wrote:
> 
>> The IETF does not create standards for APIs. So a validating stub resolver is  
>> not really something that can be defined, because it is not a protocol.
> 
> I beg to differ here. It may not be strictly part of the DNS protocol, but then this logic needs to be a part of every single protocol dependent on DNS.
> 
> Consider e.g. IMAP, something which clearly is a network protocol. There is a very convenient RFC 6186, specifying how to use DNS to locate an IMAP service. Even if you would not call this a network protocol, it clearly is within IETF scope (and on Standards Track).
> TL;DR: The TLS-secured IMAP server for localpart@domain.tld is whatever the SRV record at _imaps._tcp.domain.tld points at, and you can proceed sending localpart's password there in an attempt to authenticate.
> 
> It should be clear that there are problems which may arise in this protocol if the used SRV records' targets can be influenced by an attacker. To do some damage control, RFC 6186 thus specifies:
> 
>> In the absence of a secure DNS option, MUAs SHOULD
>   check that the target FQDN returned in the SRV record matches the
>   original service domain that was queried.  If the target FQDN is not
>   in the queried domain, MUAs SHOULD verify with the user that the SRV
>   target FQDN is suitable for use before executing any connections to
>   the host.
> 
> What exactly does "secure" mean here?

DNSSEC signed and validated as secure.

> Which SRV records are to be investigated exactly?

From the example above the ones returned by the query for _imaps._tcp.domain.tld. If the target in the SRV records rdata do not end in the labels domain.tld then ask the user if we should trust this response.  If the target was imap.domain.tld then the IMAP client doesn’t have to ask the user.   There is some risk here as the additional A and AAAA records could be compromised.  Additionally if there is a CNAME returned the target of that need to be below domain.tld or raise a flag.  This applies to the whole CNAME chain.

Now the IMAP client could as the user whenever the DNS response was not signed and validated as secure but the above was a pragmatic response to the slow deployment of DNSSEC.

Remember the IMAP client can use DNSSEC to verify the answers returned.  That is the desired end state for DNSSEC.  Having resolvers verify answers is just protecting the caches from garbage.

> Most protocols do not tell, instead referring to the DNS.
> 
> If effect, this gap between protocols is what leads to problems, and there is no specification that seems to have adequate security considerations addressing these points. Keep in mind, IMAP is only an example here. To ensure the security of network protocols all throughout the IETF (and beyond), there has to be a clear API. Not for applications, but for other protocols.

DNSSEC’s job is to ensure the client can verify the answers it receives are as they where entered.  If the answers are provably not signed you are running on a wing and a prayer.  If you don’t bother to check if they are signed you are running on a wing and a prayer.

> As a related example: HKDF defines an API, which most client libraries do not copy exactly. This is fine, but the clear definition allows e.g. TLS to depend on HKDF, and be a verifiably secure protocol. The same should apply to DNS and its interaction with the wider internet.

People have been told to sign their zones and to verify the answers.  We have millions of resolver out there that are trying to verify as secure every response they get.

> 
> -- Thomas
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.35.0 | Report a Bug | By Email | System Status