Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00

Alex Bligh <alex@alex.org.uk> Wed, 21 October 2009 09:50 UTC

Return-Path: <alex@alex.org.uk>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 770583A6A03 for <dnsop@core3.amsl.com>; Wed, 21 Oct 2009 02:50:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[AWL=0.600, BAYES_00=-2.599, J_CHICKENPOX_54=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4LIfxDyXynKr for <dnsop@core3.amsl.com>; Wed, 21 Oct 2009 02:50:24 -0700 (PDT)
Received: from mail.avalus.com (mail.avalus.com [217.147.82.63]) by core3.amsl.com (Postfix) with ESMTP id 5D8C13A6A04 for <dnsop@ietf.org>; Wed, 21 Oct 2009 02:50:23 -0700 (PDT)
Received: from [192.168.100.15] (shed [217.147.82.63]) by mail.avalus.com (Postfix) with ESMTPA id 28807C2DAF; Wed, 21 Oct 2009 10:50:30 +0100 (BST)
Date: Wed, 21 Oct 2009 10:50:28 +0100
From: Alex Bligh <alex@alex.org.uk>
To: Florian Weimer <fweimer@bfk.de>
Message-ID: <F7CC8A286D65EAC3E9C1DF8F@Ximines.local>
In-Reply-To: <82fx9dun7r.fsf@mid.bfk.de>
References: <OFA656600E.F5229B3D-ON80257650.005247BF-80257650.00527644@nominet.org.uk> <82skde36c9.fsf@mid.bfk.de> <DE23E9BF50E437E2D5CA65C8@Ximines.local> <82ljj61gle.fsf@mid.bfk.de> <200910202329.n9KNT56j048843@drugs.dv.isc.org> <1F61DD04-14A6-4349-8650-9CF27D27C3BC@hopcount.ca> <200910210145.n9L1j8of033780@drugs.dv.isc.org> <8263a9xnem.fsf@mid.bfk.de> <OFD7B965B7.53CC1C17-ON80257656.0028D85C-80257656.002974DF@nominet.org.uk> <82zl7luov4.fsf@mid.bfk.de> <A0DDFB2F94500799B7F0B37F@Ximines.local> <82fx9dun7r.fsf@mid.bfk.de>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: Ray.Bellis@nominet.org.uk, dnsop@ietf.org, Joe Abley <jabley@hopcount.ca>, Alex Bligh <alex@alex.org.uk>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Alex Bligh <alex@alex.org.uk>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2009 09:50:25 -0000

Florian,

--On 21 October 2009 09:10:16 +0000 Florian Weimer <fweimer@bfk.de> wrote:

>> --On 21 October 2009 08:34:39 +0000 Florian Weimer <fweimer@bfk.de>
>> wrote:
>>
>>>>> Mark, I din't think this is true given how the proposed protocol
>>>>> works.  For a start, you often cannot fetch the DNSKEY RR for ARPA
>>>>> before running the protocol.
>>>>
>>>> Indeed LOCAL.ARPA would need to be unsigned.
>>>
>>> Not really.  Why would it need to exist in the public tree at all?
>>> All we need is agreement from both ICANN and IETF that LOCAL.ARPA is
>>> reserved and not to be delegated in the official tree.
>>
>> OK, let's try this one again. LOCAL.ARPA is not delegated at all.
>> It is unsigned.
>
> If it is not delegated, it will be signed (as Mark pointed out).
>
>> Necessarily, ARPA. will have no records for LOCAL.ARPA
>
> Then its non-existence will be signed.

Sure, on the .ARPA nameservers, but these will (a) never be
queried when there is a DOMAIN.LOCAL.ARPA-supporting nameserver,
and (b) the signature of its non-existence will not be relevant
to a DO clear query anyway, will it?

Clearly a validating recursive nameserver not supporting
DOMAIN.LOCAL.ARPA may get a signed denial of existence for
LOCAL.ARPA, but that's just fine. LOCAL.ARPA doesn't
exist "there".

>> Moreover the queries into DOMAIN.LOCAL.ARPA are going to be made
>> in an environment where we suspect DNSSEC queries don't work, as
>> there is, ex hypothesi, possible a misbehaving proxy in the way.
>
> Right.  (Otherwise, you wouldn't use class IN for this stuff.)
>
>> So there are two separate security risks: cache poisoning on the
>> recursive server (this needs addressing and I have some ideas),
>> and a theoretical Kaminsky style attack on the individual
>> non-DNSSEC queries to DOMAIN.LOCAL.ARPA.
>
> Don't worry too much about spoofing from off-path attackers.  ISPs
> have plenty of means to prevent it (granted, for IPv4 directly over
> Ethernet, there's no standard way of doing things which conserves
> address space, but that's a different issue).

I'm not actually worried about it, I just explained it for completeness.

> As I've tried to explain, spoofing by the resolver operator itself is
> the relevant issue here.  It breaks the proposed protocol.  Please
> tell me how I can explain this in a better way---perhaps I shouldn't
> say "spoofing" but "DNS rewriting", "NXDOMAIN redirection",
> "Sitefinder", "online help page", or something else, but it's really
> spoofing.

Ah. I think I now understand what you mean. Well yes they can do that, but
they could do it anyway. The resolving server operator can say "please
query this spoofing/sitefinder/whatever" resolver (let's call it
$evilserver) instead. But it has exactly the same effect as if they supply
$evilserver's IP address by DHCP / over PPPoA to the CPE gateway and the
CPE gateway uses that. Indeed the very server which is responding to
LOCAL.ARPA queries may be $evilserver. So all the bad things you describe
can happen at the moment, and this draft won't fix them. We are solely
changing:

      Client Stack -----> Proxy ----> $evilserver
   to
      Client Stack -----------------> $evilserver

and

      Client Stack -----> Proxy ----> $goodserver
   to
      Client Stack -----------------> $goodserver

> Note that this problem will not go away when you bring LOCAL.ARPA or
> DOMAIN.LOCAL.ARPA into existence.  People say "NXDOMAIN redirection"
> but they really mean "arbitrary DNS manipulation".  It doesn't stop at
> NODATA response or the second level of the tree.

Indeed, and it is not intended to. The draft is simply intended to
bypass the CPE proxy. The only way in which it helps with preventing
arbitrary DNS manipulation is that the technology we already have
to stop that (DNSSEC) has implementation issues due to poorly
performing proxies. Bypass them, and DNSSEC becomes easier to deploy,
in which case we have a weapon against DNS manipulation (I appreciate
there are arguments that this weapon is less than perfect, but it
is currently the best weapon we have).

-- 
Alex Bligh