IETF Logo Mail Archive

Re: [DNSOP] ALT-TLD and (insecure) delgations.

Mark Andrews <marka@isc.org> Tue, 07 February 2017 23:21 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25CCE129641 for <dnsop@ietfa.amsl.com>; Tue, 7 Feb 2017 15:21:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tynvtIWZ7usU for <dnsop@ietfa.amsl.com>; Tue, 7 Feb 2017 15:21:16 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93DA81294E7 for <dnsop@ietf.org>; Tue, 7 Feb 2017 15:21:16 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.ams1.isc.org (Postfix) with ESMTPS id 4A6391FCAE6; Tue, 7 Feb 2017 23:21:11 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id EF8C9160054; Tue, 7 Feb 2017 23:21:09 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id DA964160076; Tue, 7 Feb 2017 23:21:09 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id FpA_88iYYvXa; Tue, 7 Feb 2017 23:21:09 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id F3C1E160054; Tue, 7 Feb 2017 23:21:08 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 06A14633CEE5; Wed, 8 Feb 2017 10:21:05 +1100 (EST)
To: Brian Dickson <brian.peter.dickson@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <CAH1iCiqXohb_7LsQ2EMo8ZB-t20mKq_nUDS8vebhtSXoM13DTg@mail.gmail.com> <20170203210922.7286C618213C@rock.dv.isc.org> <CAH1iCipKwcOsMQY3kjvSZ42LMK37GLD6GP2AVtnWK0c83k-RiA@mail.gmail.com> <20170207040552.8BDCC632F192@rock.dv.isc.org> <3581BE55-B178-4298-8EE8-73FD16B4216D@gmail.com> <D4C0D518-A3ED-4555-93DA-2EA12D82A662@fugue.com> <CAHw9_iK7Vt+ZNw8=E-b+w9gGhwB9fZNqHYp2pqKqT__RgcDttQ@mail.gmail.com> <5CA637EE-C0B6-4E5C-A446-A84431176D0C@fugue.com> <20170207205554.B6974633BE40@rock.dv.isc.org> <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com> <20170207214846.B66EF633C6C5@rock.dv.isc.org> <CAH1iCiomwsNU-aTBSbDjnEka5M+mwwsOoLL5mNQrMe+swtkbiw@mail.gmail.com>
In-reply-to: Your message of "Tue, 07 Feb 2017 13:53:39 -0800." <CAH1iCiomwsNU-aTBSbDjnEka5M+mwwsOoLL5mNQrMe+swtkbiw@mail.gmail.com>
Date: Wed, 08 Feb 2017 10:21:04 +1100
Message-Id: <20170207232105.06A14633CEE5@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rXdRzSnaipzmpVk54sa_-1pUn0s>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Ted Lemon <mellon@fugue.com>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2017 23:21:18 -0000

In message <CAH1iCiomwsNU-aTBSbDjnEka5M+mwwsOoLL5mNQrMe+swtkbiw@mail.gmail.com>
, Brian Dickson writes:
> On Tue, Feb 7, 2017 at 1:48 PM, Mark Andrews <marka@isc.org> wrote:
> 
> >
> > In message <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com>, Ted Lemon
> > writes:
> > > Hm.   When I look for foo.alt, what I get is NXDOMAIN, not SERVFAIL.
> > > When I validate, I get a secure denial of existence.   This is the
> > > correct behavior.   Why do you think we would get a SERVFAIL?
> >
> > Because your testing is incomplete.
> >
> > Go add a empty zone (SOA and NS records only) for alt to your
> > recursive server.  This is what needs to be done to prevent
> > privacy leaks.
> >
> > Configure another recursive server to forward its queries to this
> > server and enable validation.
> >
> >
> I believe this is an erroneous configuration.
> 
> You need to have the recursive server (the first one) forward to another
> server for the empty zone, otherwise that zone's contents do not end up in
> the recursive server's cache.

No you don't.  The DS query for ALT needs to be answered from the
root zone.  This can still be done with default empty zones in play.
The below is for 10.in-addr.arpa as I can't be bothered with
configuring a ALT zone but it shows that it works with shipping
code.  I run lots of experimental code but not in this area.

% dig ds 10.in-addr.arpa +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> ds 10.in-addr.arpa +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2471
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: ba4fd3e10ed3b4972daf8a53589a50ba29889ab19d1a982d (good)
;; QUESTION SECTION:
;10.in-addr.arpa.		IN	DS

;; AUTHORITY SECTION:
10.in-addr.arpa.	3594	IN	RRSIG	NSEC 8 3 3600 20170226113733 20170205111120 4341 in-addr.arpa. im4xV0dDtx/ccyflDHOwta5h5hLslomiR4JRHynxSE0Tlm4DenVQ2t7B hwWVGE1eoNuVsagkDiYnRykkQX4bQCChsqKKWTVL57f3onXBmiTWXgWI Ruqzo3Oxa3jlbQ2dgO9bF/xpFrJ3/F7BTyoifA7h33dH1Ef1u2OW3p5p kfvR90s=
10.in-addr.arpa.	3594	IN	NSEC	100.in-addr.arpa. NS RRSIG NSEC
in-addr.arpa.		3594	IN	SOA	b.in-addr-servers.arpa. nstld.iana.org. 2016110943 1800 900 604800 3600
in-addr.arpa.		3594	IN	RRSIG	SOA 8 2 3600 20170301070658 20170207211120 4341 in-addr.arpa. JPiSzCVosbzqFnGmIY+WpANm7Si3cTrSFnTfl5ODB7YfyyzRb0TYsA1o nqpmUw5fQyWHY0nClNfqMEW2V529wT+FoG38SlQBNePtuZSjl3k3WIps snl/3HCY6ZFEaMvq+VmLm/9JQP9Nl2+o3n3qKUErZMxHjeJOmBq4O7E9 j0RUGAE=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 08 09:56:58 EST 2017
;; MSG SIZE  rcvd: 528

[rock:~/git/bind9] marka% dig soa 10.in-addr.arpa +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> soa 10.in-addr.arpa +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7409
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: ef3c1c716b970b68d635c9d6589a50cceaa7428cb432d7df (good)
;; QUESTION SECTION:
;10.in-addr.arpa.		IN	SOA

;; ANSWER SECTION:
10.in-addr.arpa.	86400	IN	SOA	10.IN-ADDR.ARPA. . 0 28800 7200 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 08 09:57:16 EST 2017
;; MSG SIZE  rcvd: 122

[rock:~/git/bind9] marka% 

Now if I ask with a non recursive query for DS I get the answer
from the empty zone.

[rock:~/git/bind9] marka% dig ds 10.in-addr.arpa +dnssec +norec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> ds 10.in-addr.arpa +dnssec +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32952
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 330bcb4d5f583a7463a60035589a52444193e9f918ef9905 (good)
;; QUESTION SECTION:
;10.in-addr.arpa.		IN	DS

;; AUTHORITY SECTION:
10.IN-ADDR.ARPA.	86400	IN	SOA	10.IN-ADDR.ARPA. . 0 28800 7200 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 08 10:03:32 EST 2017
;; MSG SIZE  rcvd: 122

[rock:~/git/bind9] marka% 

Now if I add a second validating server forwarding to this server
I will only see the first two responses.  There are lots of corner
cases with DNSSEC which this demonstrates but any server that
supports DNSSEC will do.

This difference in answers is similar to asking with recursive and
non recursive queries for the NS records at a delegation point
towards a parent server which supports recursion for the client.
You get answers from the child (answer) or parent zone (referral)
depending on the state of the RD bit.

Mark

> Once you have that, the other recursive server (added and forwarding to the
> first recursive) only gets back the non-leak results.
> 
> Since the first server is always forwarding to the empty zone, it never
> queries the root, and never gets the authenticated denial of existence.

Brian.  Go do the experiment with VALIDATION ON.

You can have heaps of different configurations if you are not
validating.

Once you have validation being performed then there is only one way
to do this that doesn't leak names beyond ALT itself.  You can't
prevent ALT being leaked if there is a validating client.

Mark

> Brian
>
> > Now ask for foo.alt from this second server.
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> >
> 
> --001a113fece2e8a7ce0547f7c7b3
> Content-Type: text/html; charset=UTF-8
> Content-Transfer-Encoding: quoted-printable
> 
> <div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><div class=3D"gmail_quo=
> te">On Tue, Feb 7, 2017 at 1:48 PM, Mark Andrews <span dir=3D"ltr">&lt;<a h=
> ref=3D"mailto:marka@isc.org" target=3D"_blank">marka@isc.org</a>&gt;</span>=
>  wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;bor=
> der-left:1px #ccc solid;padding-left:1ex"><div class=3D"HOEnZb"><div class=
> =3D"h5"><br>
> In message &lt;<a href=3D"mailto:18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue=
> .com">18F2EB0D-5BD0-4CC5-B02C-<wbr>2E5EA0B8CC23@fugue.com</a>&gt;, Ted Lemo=
> n writes:<br>
> &gt; Hm.=C2=A0 =C2=A0When I look for foo.alt, what I get is NXDOMAIN, not S=
> ERVFAIL.<br>
> &gt; When I validate, I get a secure denial of existence.=C2=A0 =C2=A0This =
> is the<br>
> &gt; correct behavior.=C2=A0 =C2=A0Why do you think we would get a SERVFAIL=
> ?<br>
> <br>
> </div></div>Because your testing is incomplete.<br>
> <br>
> Go add a empty zone (SOA and NS records only) for alt to your<br>
> recursive server.=C2=A0 This is what needs to be done to prevent<br>
> privacy leaks.<br>
> <br>
> Configure another recursive server to forward its queries to this<br>
> server and enable validation.<br>
> <br></blockquote><div><br></div><div>I believe this is an erroneous configu=
> ration.</div><div><br></div><div>You need to have the recursive server (the=
>  first one) forward to another server for the empty zone, otherwise that zo=
> ne&#39;s contents do not end up in the recursive server&#39;s cache.</div><=
> div><br></div><div>Once you have that, the other recursive server (added an=
> d forwarding to the first recursive) only gets back the non-leak results.</=
> div><div><br></div><div>Since the first server is always forwarding to the =
> empty zone, it never queries the root, and never gets the authenticated den=
> ial of existence.</div><div><br></div><div>Brian</div><div>=C2=A0</div><blo=
> ckquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #c=
> cc solid;padding-left:1ex">
> Now ask for foo.alt from this second server.<br>
> <div class=3D"HOEnZb"><div class=3D"h5"><br>
> Mark<br>
> --<br>
> Mark Andrews, ISC<br>
> 1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
> PHONE: <a href=3D"tel:%2B61%202%209871%204742" value=3D"+61298714742">+61 2=
>  9871 4742</a>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
> =A0INTERNET: <a href=3D"mailto:marka@isc.org">marka@isc.org</a><br>
> </div></div></blockquote></div><br></div></div>
> 
> --001a113fece2e8a7ce0547f7c7b3--
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.30.2 | Report a Bug | By Email | System Status