Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00
Alex Bligh <alex@alex.org.uk> Wed, 21 October 2009 09:50 UTC
Return-Path: <alex@alex.org.uk>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 770583A6A03 for <dnsop@core3.amsl.com>; Wed, 21 Oct 2009 02:50:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[AWL=0.600, BAYES_00=-2.599, J_CHICKENPOX_54=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4LIfxDyXynKr for <dnsop@core3.amsl.com>; Wed, 21 Oct 2009 02:50:24 -0700 (PDT)
Received: from mail.avalus.com (mail.avalus.com [217.147.82.63]) by core3.amsl.com (Postfix) with ESMTP id 5D8C13A6A04 for <dnsop@ietf.org>; Wed, 21 Oct 2009 02:50:23 -0700 (PDT)
Received: from [192.168.100.15] (shed [217.147.82.63]) by mail.avalus.com (Postfix) with ESMTPA id 28807C2DAF; Wed, 21 Oct 2009 10:50:30 +0100 (BST)
Date: Wed, 21 Oct 2009 10:50:28 +0100
From: Alex Bligh <alex@alex.org.uk>
To: Florian Weimer <fweimer@bfk.de>
Message-ID: <F7CC8A286D65EAC3E9C1DF8F@Ximines.local>
In-Reply-To: <82fx9dun7r.fsf@mid.bfk.de>
References: <OFA656600E.F5229B3D-ON80257650.005247BF-80257650.00527644@nominet.org.uk> <82skde36c9.fsf@mid.bfk.de> <DE23E9BF50E437E2D5CA65C8@Ximines.local> <82ljj61gle.fsf@mid.bfk.de> <200910202329.n9KNT56j048843@drugs.dv.isc.org> <1F61DD04-14A6-4349-8650-9CF27D27C3BC@hopcount.ca> <200910210145.n9L1j8of033780@drugs.dv.isc.org> <8263a9xnem.fsf@mid.bfk.de> <OFD7B965B7.53CC1C17-ON80257656.0028D85C-80257656.002974DF@nominet.org.uk> <82zl7luov4.fsf@mid.bfk.de> <A0DDFB2F94500799B7F0B37F@Ximines.local> <82fx9dun7r.fsf@mid.bfk.de>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: Ray.Bellis@nominet.org.uk, dnsop@ietf.org, Joe Abley <jabley@hopcount.ca>, Alex Bligh <alex@alex.org.uk>
Subject: Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Alex Bligh <alex@alex.org.uk>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2009 09:50:25 -0000
Florian, --On 21 October 2009 09:10:16 +0000 Florian Weimer <fweimer@bfk.de> wrote: >> --On 21 October 2009 08:34:39 +0000 Florian Weimer <fweimer@bfk.de> >> wrote: >> >>>>> Mark, I din't think this is true given how the proposed protocol >>>>> works. For a start, you often cannot fetch the DNSKEY RR for ARPA >>>>> before running the protocol. >>>> >>>> Indeed LOCAL.ARPA would need to be unsigned. >>> >>> Not really. Why would it need to exist in the public tree at all? >>> All we need is agreement from both ICANN and IETF that LOCAL.ARPA is >>> reserved and not to be delegated in the official tree. >> >> OK, let's try this one again. LOCAL.ARPA is not delegated at all. >> It is unsigned. > > If it is not delegated, it will be signed (as Mark pointed out). > >> Necessarily, ARPA. will have no records for LOCAL.ARPA > > Then its non-existence will be signed. Sure, on the .ARPA nameservers, but these will (a) never be queried when there is a DOMAIN.LOCAL.ARPA-supporting nameserver, and (b) the signature of its non-existence will not be relevant to a DO clear query anyway, will it? Clearly a validating recursive nameserver not supporting DOMAIN.LOCAL.ARPA may get a signed denial of existence for LOCAL.ARPA, but that's just fine. LOCAL.ARPA doesn't exist "there". >> Moreover the queries into DOMAIN.LOCAL.ARPA are going to be made >> in an environment where we suspect DNSSEC queries don't work, as >> there is, ex hypothesi, possible a misbehaving proxy in the way. > > Right. (Otherwise, you wouldn't use class IN for this stuff.) > >> So there are two separate security risks: cache poisoning on the >> recursive server (this needs addressing and I have some ideas), >> and a theoretical Kaminsky style attack on the individual >> non-DNSSEC queries to DOMAIN.LOCAL.ARPA. > > Don't worry too much about spoofing from off-path attackers. ISPs > have plenty of means to prevent it (granted, for IPv4 directly over > Ethernet, there's no standard way of doing things which conserves > address space, but that's a different issue). I'm not actually worried about it, I just explained it for completeness. > As I've tried to explain, spoofing by the resolver operator itself is > the relevant issue here. It breaks the proposed protocol. Please > tell me how I can explain this in a better way---perhaps I shouldn't > say "spoofing" but "DNS rewriting", "NXDOMAIN redirection", > "Sitefinder", "online help page", or something else, but it's really > spoofing. Ah. I think I now understand what you mean. Well yes they can do that, but they could do it anyway. The resolving server operator can say "please query this spoofing/sitefinder/whatever" resolver (let's call it $evilserver) instead. But it has exactly the same effect as if they supply $evilserver's IP address by DHCP / over PPPoA to the CPE gateway and the CPE gateway uses that. Indeed the very server which is responding to LOCAL.ARPA queries may be $evilserver. So all the bad things you describe can happen at the moment, and this draft won't fix them. We are solely changing: Client Stack -----> Proxy ----> $evilserver to Client Stack -----------------> $evilserver and Client Stack -----> Proxy ----> $goodserver to Client Stack -----------------> $goodserver > Note that this problem will not go away when you bring LOCAL.ARPA or > DOMAIN.LOCAL.ARPA into existence. People say "NXDOMAIN redirection" > but they really mean "arbitrary DNS manipulation". It doesn't stop at > NODATA response or the second level of the tree. Indeed, and it is not intended to. The draft is simply intended to bypass the CPE proxy. The only way in which it helps with preventing arbitrary DNS manipulation is that the technology we already have to stop that (DNSSEC) has implementation issues due to poorly performing proxies. Bypass them, and DNSSEC becomes easier to deploy, in which case we have a weapon against DNS manipulation (I appreciate there are arguments that this weapon is less than perfect, but it is currently the best weapon we have). -- Alex Bligh
- [DNSOP] Fw: New Version Notification for draft-be… Ray.Bellis
- Re: [DNSOP] Fw: New Version Notification fordraft… George Barwood
- Re: [DNSOP] Fw: New Version Notification fordraft… Ray.Bellis
- Re: [DNSOP] Fw: New Version Notification for draf… Florian Weimer
- Re: [DNSOP] Fw: New Version Notification for draf… Ray.Bellis
- Re: [DNSOP] Fw: New Version Notification for draf… Alex Bligh
- Re: [DNSOP] Fw: New Version Notification for draf… Florian Weimer
- Re: [DNSOP] Fw: New Version Notification for draf… Mark Andrews
- Re: [DNSOP] Fw: New Version Notification for draf… Joe Abley
- Re: [DNSOP] Fw: New Version Notification for draf… bmanning
- Re: [DNSOP] Fw: New Version Notification for draf… Mark Andrews
- Re: [DNSOP] Fw: New Version Notification for draf… Florian Weimer
- Re: [DNSOP] Fw: New Version Notification for draf… Ray.Bellis
- Re: [DNSOP] Fw: New Version Notification for draf… Florian Weimer
- Re: [DNSOP] Fw: New Version Notification for draf… Alex Bligh
- Re: [DNSOP] Fw: New Version Notification for draf… Florian Weimer
- Re: [DNSOP] Fw: New Version Notification for draf… Alex Bligh
- Re: [DNSOP] Fw: New Version Notification for draf… Florian Weimer
- Re: [DNSOP] Fw: New Version Notification for draf… Alex Bligh
- Re: [DNSOP] Fw: New Version Notification for draf… Ray.Bellis
- Re: [DNSOP] Fw: New Version Notification for draf… Alex Bligh
- Re: [DNSOP] Fw: New Version Notification for draf… David Conrad
- Re: [DNSOP] Fw: New Version Notification for draf… Joe Abley
- Re: [DNSOP] Fw: New Version Notification for draf… bmanning