IETF Logo Mail Archive

Re: [DNSOP] ALT-TLD and (insecure) delgations.

Mark Andrews <marka@isc.org> Wed, 08 February 2017 00:57 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23BDF129739 for <dnsop@ietfa.amsl.com>; Tue, 7 Feb 2017 16:57:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FCSpNp9-CUf8 for <dnsop@ietfa.amsl.com>; Tue, 7 Feb 2017 16:56:58 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 220B6129771 for <dnsop@ietf.org>; Tue, 7 Feb 2017 16:56:55 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id A6108349476; Wed, 8 Feb 2017 00:56:52 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 7EE9F160077; Wed, 8 Feb 2017 00:56:52 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 6EC8E160076; Wed, 8 Feb 2017 00:56:52 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id OQhFnIvbUWpg; Wed, 8 Feb 2017 00:56:52 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 6950F160054; Wed, 8 Feb 2017 00:56:51 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id E8281633D93F; Wed, 8 Feb 2017 11:56:46 +1100 (EST)
To: Brian Dickson <brian.peter.dickson@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <CAH1iCiqXohb_7LsQ2EMo8ZB-t20mKq_nUDS8vebhtSXoM13DTg@mail.gmail.com> <20170203210922.7286C618213C@rock.dv.isc.org> <CAH1iCipKwcOsMQY3kjvSZ42LMK37GLD6GP2AVtnWK0c83k-RiA@mail.gmail.com> <20170207040552.8BDCC632F192@rock.dv.isc.org> <3581BE55-B178-4298-8EE8-73FD16B4216D@gmail.com> <D4C0D518-A3ED-4555-93DA-2EA12D82A662@fugue.com> <CAHw9_iK7Vt+ZNw8=E-b+w9gGhwB9fZNqHYp2pqKqT__RgcDttQ@mail.gmail.com> <5CA637EE-C0B6-4E5C-A446-A84431176D0C@fugue.com> <20170207205554.B6974633BE40@rock.dv.isc.org> <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com> <20170207214846.B66EF633C6C5@rock.dv.isc.org> <CAH1iCip=JKo4-WiMttKDNs3v_8KzP0PTd13KSPtzL6N7pPHWWQ@mail.gmail.com> <20170207234405.99248633D3CA@rock.dv.isc.org> <CAH1iCiq0bAiyZU0SqxWn7vH=GbHdhKn78Zs-1412DhAsFFO8Cw@mail.gmail.com>
In-reply-to: Your message of "Tue, 07 Feb 2017 16:00:09 -0800." <CAH1iCiq0bAiyZU0SqxWn7vH=GbHdhKn78Zs-1412DhAsFFO8Cw@mail.gmail.com>
Date: Wed, 08 Feb 2017 11:56:46 +1100
Message-Id: <20170208005646.E8281633D93F@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/os_UGjURZAQgIm9MQVoUJUlgOZ0>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Ted Lemon <mellon@fugue.com>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 00:57:00 -0000

In message <CAH1iCiq0bAiyZU0SqxWn7vH=GbHdhKn78Zs-1412DhAsFFO8Cw@mail.gmail.com>
, Brian Dickson writes:
> --001a1140fee44d9e500547f98cf1
> Content-Type: text/plain; charset=UTF-8
> 
> On Tue, Feb 7, 2017 at 3:44 PM, Mark Andrews <marka@isc.org> wrote:
> 
> >
> > In message <CAH1iCip=JKo4-WiMttKDNs3v_8KzP0PTd13KSPtzL6N7pPHWWQ@
> > mail.gmail.com>
> > , Brian Dickson writes:
> > > --f403045fbba86cf7240547f82103
> > > Content-Type: text/plain; charset=UTF-8
> > >
> > > On Tue, Feb 7, 2017 at 1:48 PM, Mark Andrews <marka@isc.org> wrote:
> > >
> > > >
> > > > In message <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com>, Ted Lemon
> > > > writes:
> > > > > Hm.   When I look for foo.alt, what I get is NXDOMAIN, not SERVFAIL.
> > > > > When I validate, I get a secure denial of existence.   This is the
> > > > > correct behavior.   Why do you think we would get a SERVFAIL?
> > > >
> > > > Because your testing is incomplete.
> > > >
> > > > Go add a empty zone (SOA and NS records only) for alt to your
> > > > recursive server.  This is what needs to be done to prevent
> > > > privacy leaks.
> > > >
> > > >
> > > Here are some possible alternatives (to having the empty zone be named
> > > "alt.").
> > >
> > > First: make the locally served empty zone be "empty.as112.arpa".
> > >
> > > Or, second method: have the DNAME RDATA be "alt.empty.as112.arpa", and
> > the
> > > locally served zone be the same name.
> >
> > Which does not work.  If you are serving up a local
> >
> >         ALT. SOA ...
> >         ALT. NS ...
> >         ALT. DNAME alt.empty.as112.arpa.
> >
> 
> No, I am saying the following:
> In the root, assume the existence of "ALT. DNAME alt.empty.as112.arpa."

So how do you get the DNAME returned without leaking a qname?
Answer:  You don't with current nameservers.

To prevent leaking you need to have something that regularly asks
for ALT/DNAME so that the answer is in the cache before the first
*.alt name comes along or you special case *.alt, make a DNAME query
for ALT instead of *.alt then resume the original query processing.

That is new code just to avoid a insecure delegation in the root
zone when we know we need a insecure delegation in the root zone
for .homenet.

You also generate bigger answers, run the risk of returning YXDOMAIN
and increase the validation cost.

There is a place for that DNAME in a insecurely delegated ALT zone.
That sinks all the traffic that is not caught by the other mechanism.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.30.2 | Report a Bug | By Email | System Status