IETF Logo Mail Archive

Re: [DNSOP] A draft about the Name:Wreck problem draft-dashevskyi-dnsrr-antipatterns

Mark Andrews <marka@isc.org> Thu, 15 April 2021 21:46 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3B7D3A3148 for <dnsop@ietfa.amsl.com>; Thu, 15 Apr 2021 14:46:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=jxRbgf+k; dkim=pass (1024-bit key) header.d=isc.org header.b=FnXnnoFB
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X2kQFKlNpuFw for <dnsop@ietfa.amsl.com>; Thu, 15 Apr 2021 14:46:42 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48CE73A230E for <dnsop@ietf.org>; Thu, 15 Apr 2021 14:46:41 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id A0FE13AB000; Thu, 15 Apr 2021 21:46:39 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1618523199; bh=ydgT1I1jkB0OHysSSAyks4qAn4nBXqLgZQ62/b2ahbI=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=jxRbgf+kF16d/TUpAUFWw92H3kzpCFfq04mbrGfHUgzcPa6oRw0T3IA5vHVjSB8wY jMat745KEplZ4uRcR2wHHa8EDTFI5heuaKTZsbS1hENN3O6j//QIFuBxq4qxdcNOsd T1fBYJYc0vfZfk/J8HkQmhVhSJpC9IOyiV+SC8NI=
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 40FF716008D; Thu, 15 Apr 2021 21:46:39 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id D1BB416008B; Thu, 15 Apr 2021 21:46:38 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.2 zmx1.isc.org D1BB416008B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1618523198; bh=S/JeO8aZ7dQV8VrOtuvRpHsSi0L5Rg01VEuh9wL0zwA=; h=Content-Type:Mime-Version:Subject:From:Date: Content-Transfer-Encoding:Message-Id:To; b=FnXnnoFBa2IzhWBWsgiUlct+SGiua0XcIDgScRLX1MZlnNvG28t2UkC5GKfJ5zm9A hflsvaJk/+QywsffwpfdHOhhWiHnMuNsiBVcCfl+A7pRlxR8jLbGNNpBjfGRrtc15y 1Xvpm9nV+ZnvbYqtFYQiTG5qcecATYLhRvaj4XLA=
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 8Uha5QBpyI-0; Thu, 15 Apr 2021 21:46:38 +0000 (UTC)
Received: from [172.30.42.67] (n49-177-132-25.bla3.nsw.optusnet.com.au [49.177.132.25]) by zmx1.isc.org (Postfix) with ESMTPSA id 00BBD16006D; Thu, 15 Apr 2021 21:46:37 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.7\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <20210415185212.utlqlc2erz4cf7gf@family.redbarn.org>
Date: Fri, 16 Apr 2021 07:46:35 +1000
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <90FB6BF0-9C44-49D0-B165-31037F8D9906@isc.org>
References: <20210414133641.A18B572E0509@ary.qy> <59df7967-2fef-371a-4d34-4c8efec74ca0@dotat.at> <628E22EC-3395-45AB-9FD8-2405A92682BA@isc.org> <49f57263-c68c-eb2a-a7b7-7b3028dacbc8@huitema.net> <20210415072803.2qumw3f7h5g7n2hp@family.redbarn.org> <A1683ACA-AA64-41EC-8E51-BB657C3297BD@isc.org> <20210415185212.utlqlc2erz4cf7gf@family.redbarn.org>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: Apple Mail (2.3445.9.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rEbH_BgwmrWKURcGkicQ26XO7us>
Subject: Re: [DNSOP] A draft about the Name:Wreck problem draft-dashevskyi-dnsrr-antipatterns
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Apr 2021 21:46:48 -0000


> On 16 Apr 2021, at 04:52, Paul Vixie <paul@redbarn.org> wrote:
> 
> On Thu, Apr 15, 2021 at 05:46:29PM +1000, Mark Andrews wrote:
>>> On 15 Apr 2021, at 17:28, Paul Vixie <paul@redbarn.org> wrote:
>>> so, freebsd was unfairly maligned in the forescout report on this event;
>>> the bug was in their dhcp client, not their dns or "tcp/ip stack", and
>>> had been fixed 20 years late but still six months ago.
> 
>> The freebsd code still isn't correct "if (0xc0 & len) {" !=
>> "if ((0xc0 & len) == 0xc0) {"
>> which is the correct test for a compression pointer.
> 
> this certainly is not correct, but doesn't seem related to the forescout
> report.

While not identical is it related to this section of the report where reserved values are used incorrectly.  Below are being used to compute the label length incorrectly.  FreeBSD will use them to compute the compression pointer.  Neither behaviour is correct and impacts on future attempts to use those values for something else.  We have had bit string labels and proposals for local compression pointers.

"Another typical mistake with compression pointers that we have seen in the past (e.g., uIP and PicoTCP in AMNESIA:33) is to check only that either of the two most significant bits of a label length is 0b1. In this case, label lengths such as 0x80 and 0x40 will also be considered valid compression pointers. This violates RFC1035 (high bit combinations 10 and 01 are reserved for special use and must not be present in a domain name), and while this is not a vulnerability per se, it may be beneficial to attackers. For example, an intrusion detection system that has a rule for detecting invalid compression offsets may not flag specific malformed packets because 0x80 is not a compression pointer, but some vulnerable implementations treat this value as such."

>> The frustrating part is that it could have all been done safely with
>> libresolv rather than reinventing the wheel.  The pain had already
>> been taken with libresolv.
> 
> as you know, this was discussed internally at the time. when dhclient
> took its copy of libresolv, these bugs were still present. i muchly
> regret not releasing libresolv independent of BIND so that projects
> who needed the code could add it as a dependency not a copy. "oops."
> 
> -- 
> Paul Vixie

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email