IETF Logo Mail Archive

Re: [DNSOP] Secdir early review of draft-ietf-dnsop-dns-error-reporting-04

Yaron Sheffer <yaronf.ietf@gmail.com> Mon, 10 July 2023 21:19 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AA71C16B5C3; Mon, 10 Jul 2023 14:19:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9twAQlwMA0jA; Mon, 10 Jul 2023 14:18:55 -0700 (PDT)
Received: from mail-oa1-x34.google.com (mail-oa1-x34.google.com [IPv6:2001:4860:4864:20::34]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E35F8C16B5C0; Mon, 10 Jul 2023 14:18:55 -0700 (PDT)
Received: by mail-oa1-x34.google.com with SMTP id 586e51a60fabf-1b3ca17f2a6so4032148fac.0; Mon, 10 Jul 2023 14:18:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1689023935; x=1691615935; h=content-transfer-encoding:mime-version:in-reply-to:references :thread-topic:message-id:cc:to:from:subject:date:user-agent:from:to :cc:subject:date:message-id:reply-to; bh=dProjdk5EF6YJWathCf1L6mLbRCscY+2N4v4gwbqUuw=; b=Rg9DmCnh2uVysUHtBBZEbmQlKjf3PJj87nTYAdJ7fMeb2wGgAWQzXW/s097cnbhlt3 RGXGANf1Uc0iEQMFi5GRc2iae+YZhOAcjMXSr4Y/pwLV5WToHiQihehwtldyOZcoyqL4 IhKqMJHMuZlHEyZXMciau/eazQYAbXPEml4pQeldJhaJms9EddLmV0ujgcXGWPRX0DjK sPBzvbrDDsAUxhpxn9o+lba1l3HmiyWlsXvrkpmjCPdmw8F+q9wzxcbiGW3U13OL5Zoa bYN+p2bev4qmIf3cyQcvOnqVNx/be/z1mPD8TBxTICkga4WAkL3FjqNiDGyWbwt0UlJn xHQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689023935; x=1691615935; h=content-transfer-encoding:mime-version:in-reply-to:references :thread-topic:message-id:cc:to:from:subject:date:user-agent :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=dProjdk5EF6YJWathCf1L6mLbRCscY+2N4v4gwbqUuw=; b=inI50f/CwhWw6uAzHPdQ4fhvSWjWnVqdzuVdn0ZuVbkeejlpj3ypatGJjAeY/Zth+E nPEgEPW6hkSn9SsYaTTm2l6aqWA+AwWkVJurvSo/eOby/omxl8N8VTDlYxM++6UDt0v/ Q/BB2XCW4/M+1y+cR29mRkrq4kEFSU04WUFfAqxGWuG0lHjlQDqcnWBs2nybFjMTxJlm AlWCSuY1K7zXfPo6gwaeW6e5pcDhfswa8rfJ2AzUFeptlvl4zgCJZgIGRDL3WR4z/UKD r1zBACI3v/JcUAzpQOQzMQI1XzCW6O0BaIcCgYrtJ4AfcGzWzMMjpoz2gYjUKKwbyRRN g5eg==
X-Gm-Message-State: ABy/qLYCI8z9Yetp+ofoKyXpXTyFQyEyiq7oz24Q3EBcVwzVHUNq5Dzq g2VZSygMXYW7LfHAmq81A07yhuEDoxHg0w==
X-Google-Smtp-Source: APBJJlFKVWwpdAr+ebo9HAZHnHdAm4+q4Ff4N4t4R/wu19P9Yzr2kG9c8YsqySI0lQUgJsQA3km2kA==
X-Received: by 2002:a05:6870:51c6:b0:1b7:4aae:b5df with SMTP id b6-20020a05687051c600b001b74aaeb5dfmr1595949oaj.6.1689023935057; Mon, 10 Jul 2023 14:18:55 -0700 (PDT)
Received: from [192.168.68.104] (IGLD-84-229-146-71.inter.net.il. [84.229.146.71]) by smtp.gmail.com with ESMTPSA id q187-20020a8175c4000000b00577374e8abasm186059ywc.87.2023.07.10.14.18.53 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Jul 2023 14:18:54 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.74.23061800
Date: Tue, 11 Jul 2023 00:18:52 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Roy Arends <roy@dnss.ec>
CC: secdir@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-dns-error-reporting.all@ietf.org
Message-ID: <F34A5223-3979-488F-A7B8-8B99AAC70306@gmail.com>
Thread-Topic: [DNSOP] Secdir early review of draft-ietf-dnsop-dns-error-reporting-04
References: <168778224111.55545.3686439850727537911@ietfa.amsl.com> <7EAA688C-8918-41D3-9673-1E4B80839D46@dnss.ec> <B32D7794-DF17-42DE-B690-447DE61835E0@gmail.com> <E5A4405C-5BB9-4BC7-A2EB-A1BAACA49D42@dnss.ec>
In-Reply-To: <E5A4405C-5BB9-4BC7-A2EB-A1BAACA49D42@dnss.ec>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ncvsE9hQhRsV7usWUUPHHd-Ag4U>
Subject: Re: [DNSOP] Secdir early review of draft-ietf-dnsop-dns-error-reporting-04
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2023 21:19:00 -0000

Looks good. Thank you Roy!

	Yaron

On 10/07/2023, 19:45, "Roy Arends" <roy@dnss.ec <mailto:roy@dnss.ec>> wrote:


Hi Yaron,


> On 9 Jul 2023, at 18:27, Yaron Sheffer <yaronf.ietf@gmail.com <mailto:yaronf.ietf@gmail.com>> wrote:
> 
> Hi Roy,
> 
> Please see some responses below, prefixed with YS.
> 
> Thanks,
> Yaron
> 
> On 05/07/2023, 14:31, "Roy Arends" <roy@dnss.ec <mailto:roy@dnss.ec> <mailto:roy@dnss.ec <mailto:roy@dnss.ec>>> wrote:
> 
> 
> Yaron, many thanks for your review. Comments inline:
> 
> 
>> On 26 Jun 2023, at 13:24, Yaron Sheffer via Datatracker <noreply@ietf.org <mailto:noreply@ietf.org> <mailto:noreply@ietf.org <mailto:noreply@ietf.org>>> wrote:
>> 
>> Reviewer: Yaron Sheffer
>> Review result: Has Nits
>> 
>> I am not a DNS expert so these may or may not be real issues. But I would
>> appreciate the authors' clarifications.
>> 
>> - The error reports are unauthenticated. Some possible implications include:
>> (1) Operators may choose to implement automated responses to error reports, and
>> will not consider that the source of the reports is untrusted.
>> (2) An adversary
>> may create massive error report flooding to camouflage an attack. At minimum, I
>> suggest to mention these risks in the security considerations.
> 
> 
> Will do.
> 
> 
>> 
>> - "Authentication significantly increases the burden on the reporting resolver
>> without any benefit to the monitoring agent, authoritative server or reporting
>> resolver." I'm not sure I agree there's no benefit: a known, trusted set of
>> reporting resolvers can provide a higher level of confidence in the error
>> reports, and potentially enable more automated processing of these reports.
>> CDNs may become such trusted resolvers, for example.
> 
> 
> I will tone down the dismissive language and just use the following:
> 
> 
> "Authentication significantly increases the burden on the reporting resolver, however, a known, trusted set of reporting resolvers can provide a higher level of confidence in the error reports, and potentially enable more automated processing of these reports.”
> 
> 
> (I’ve used your text as guidance)
> 
> YS: I'm not sure I understand the proposed text, because the draft does not provide a way (namely, authentication) to establish a "known, trusted set of resolvers". Unless there's a way to authenticate these reports that I'm not familiar with.


In general, resolvers do not cryptographically authenticate themselves to authoritative servers. What remains is to make sure that the source address is not spoofed. One method to make spoofing harder is for the auth-server to reply with a response containing a TC bit and challenge the resolver to re-query (re-send the error report) over TCP. In addition, some of these source addresses may be well known to the monitoring agent.


I’ll add some text around this.


> 
>> - In general, is there value to error reporting in the absence of (aggregated)
>> reporting on success? In other words, when evaluating a stream of errors, isn't
>> it important to measure the percentage of errors as part of the overall number
>> of requests for a particular domain?
> 
> 
> Absolutely. However, I wanted to avoid predicting how the reporting agent is going to implement its analysis and reporting functions.
> 
> YS: understood. It just seems to me that we're not providing the agent with enough input for this analysis. And I guess I was suggesting to add a feature: aggregated (or random, sample based) reporting on *successful* name resolution.


I’m not convinced this feature is a good idea.


> 
>> - This is yet another DNS covert channel. Should we mention it in the Security
>> Considerations?
> 
> 
> Is it though? If it is, isn’t all DNS susceptible to being a covert channel? Isn’t any traffic, not just DNS, susceptible of being another covert channel?
> 
> YS: fair enough.
> 
>> - What is the broader effect of avoiding DNSSEC for the agent domain? Does it
>> interfere with policies (and their automated enforcement) such as "sign
>> everything under .tld"?
> 
> 
> This should be dealt with in the relevant policy area.
> 
> 
>> - More formally, there is no normative language around avoiding DNSSEC. Is it a
>> SHOULD?
> 
> YS: even if you deem DNSSEC policy to be out of scope, the question about normative language still stands. Or at least guidance on when this mitigation is recommended.


Will add.


Thanks Yaron!


Roy

v2.23.0 | Report a Bug | By Email