Re: [DNSOP] Secdir last call review of draft-ietf-dnsop-extended-error-14
Eric Orth <ericorth@google.com> Thu, 16 April 2020 17:26 UTC
Return-Path: <ericorth@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41C8B3A07F4 for <dnsop@ietfa.amsl.com>; Thu, 16 Apr 2020 10:26:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tnFh5UwQtlaM for <dnsop@ietfa.amsl.com>; Thu, 16 Apr 2020 10:26:20 -0700 (PDT)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 534513A07F5 for <dnsop@ietf.org>; Thu, 16 Apr 2020 10:26:20 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id k1so5822702wrx.4 for <dnsop@ietf.org>; Thu, 16 Apr 2020 10:26:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/USPAG+riYl8/Qjinr5IkUA60oWmJmkcFHD8osZeWA0=; b=ajmSmxxqrzcl+D8o+uIk9n83E4s90TvYcnihvyMEMBXZDe9dlFWQMuQvfbwVR4RvzT zB31ipMTxU4GBuqghPbdbDxMAuAK12KJxQZr5q9cYr2xmm7TiJV5ztja2i0miqzi7kuV cRKr5465vF99trNLdURZZ3wwWOohw/2Osnc3XU5fjJ0TCy6F6l9U92kcwCrlLLn3BE/F JAFLaXENBNCQExD2jGXIg0KVRpbx3GMEW88oyi2ZbH1e84tBQYY8Q8KUojSmxhq+I08F JDJ8s3BrcIIX/xuIGHxdDXNjOFbRO9i4yzpLRkXz8Q+of+drLV0GwE9kZY41eCu/Q2VD thqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/USPAG+riYl8/Qjinr5IkUA60oWmJmkcFHD8osZeWA0=; b=LNAP/sJRstFPtnVbda4yCtTBBiEDq5uitARwDcwn+yts87abkr+7ow63UuOIy6FboE VkC5JSbc/OO77GeOQPLtURSUc24gfEOKiK1UYzpY0NuKwzMnnAyE/wUJ76xbU++Pj28H 0j7fCO5oUXTFPufvCIIIZ1t2OqATMGcZ2cCK5R63WsTyCl/OyUm3OvxX12nbEHuD9hv4 Ndx16fQUF27TLFc9uU4GkguoyHuuiYo3TUGG/jQLxRoxmwcrVhLnA01wUyQnVeQjbJFN PG7KaPRwITB3kTfESGSx7BOIHEubqljS1IxvzHC6bQi5oC7+kzKSq8j+TVWL/zgHi+Cu Xxyg==
X-Gm-Message-State: AGi0PuYjVx0gwJzq9gA3i4kgWFqDDVPYepjXzl+uiuJUuFM97Hjk2rrL /N55+WT/ShAIQuRCZskKYxm3axNH/tYP35jzKMQ6DA==
X-Google-Smtp-Source: APiQypLjQz9A8l8gvwmDlKXeuQ6EBiblXl5sAgN8ilmEYJpv/Z9PhmDlUCRrEwYV7cfrJDxZcvgp9Yg9F0+cGxO+DDQ=
X-Received: by 2002:a05:6000:162c:: with SMTP id v12mr37887143wrb.313.1587057978280; Thu, 16 Apr 2020 10:26:18 -0700 (PDT)
MIME-Version: 1.0
References: <158566679527.28397.11447221654478370153@ietfa.amsl.com> <yblv9m1u27a.fsf@w7.hardakers.net>
In-Reply-To: <yblv9m1u27a.fsf@w7.hardakers.net>
From: Eric Orth <ericorth@google.com>
Date: Thu, 16 Apr 2020 13:26:07 -0400
Message-ID: <CAMOjQcH9pmiJtzGOH9yArHxq55UURyQU_CNamR+KHNiovH6oww@mail.gmail.com>
To: Wes Hardaker <wjhns1@hardakers.net>
Cc: Catherine Meadows <catherine.meadows@nrl.navy.mil>, last-call@ietf.org, dnsop <dnsop@ietf.org>, draft-ietf-dnsop-extended-error.all@ietf.org, secdir@ietf.org
Content-Type: multipart/alternative; boundary="00000000000008fe0505a36bbbae"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sxGkEn0SGofTQ_hVlqWkg0ME5_Q>
Subject: Re: [DNSOP] Secdir last call review of draft-ietf-dnsop-extended-error-14
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2020 17:26:24 -0000
On Tue, Apr 14, 2020 at 6:35 PM Wes Hardaker <wjhns1@hardakers.net> wrote: > Catherine Meadows via Datatracker <noreply@ietf.org> writes: > > > Reviewer: Catherine Meadows > > Review result: Has Issues > > Hi Catherine, > > Thanks for the review of the dnsop-extended-error draft. [and sorry > for the delay in sending this] > > > The Security Considerations section mentions some valid points, but it > > is not made clear how they apply to extended DNS error messages (as > > opposed to DNS error messages in general). It first makes the > > non-obvious point that a significant number of clients, when receiving > > a failure message about a DNS validation issue from a validated > > resolver, will seek out an unvalidated server instead. It is not > > clear to me though whether you think that extending the types of DNS > > error messages available (thus giving more information to the client) > > would help address this problem. You should say something about this. > > Secondly, it discusses the security implications of the fact that DNS > > error messages are unauthenticated. > > > > In addition, in the paragraph about the security implications of DNS > error > > messages being unauthenticated, you should say whether or not extending > the > > types of DNS error messages would improve the situation, make it > worse, have > > no effect, or is unclear. > > You're right that we don't specify what to do in the security > considerations section, though we do earlier in the document. > Specifically it says (at least): > > Applications MUST continue to follow requirements from applicable > specifications on how to process RCODEs no matter what EDE values > are also received. > > So maybe adding the following sentence to the security section addresses > your issue? > > EDE content should be treated only as diagnostic information for > network operators and MUST NOT alter DNS protocol processing. > I have similar objections to this as the similar language that was in the draft before it was changed to the "MUST continue to follow" language referenced above. Anything similar to "MUST NOT alter ... processing" is vague over what constitutes an alteration to the processing. I think everybody would agree that you should be able to log EDEs, so it must be unambiguous that doing so is allowed. Lots of discretionary room for implementers (especially stub implementers) to do various things with an EDE while still following the specs on the important handling of the RCODE as the primary error code. > > We could add a note as well about the scope of the document, though I > think it can be derived from the above sentence: > > EDE content is not attempting to address the lack security in DNS > error messages. > > -- > Wes Hardaker > USC/ISI > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Secdir last call review of draft-ietf-dns… Catherine Meadows via Datatracker
- Re: [DNSOP] Secdir last call review of draft-ietf… Wes Hardaker
- Re: [DNSOP] [Last-Call] Secdir last call review o… Petr Špaček
- Re: [DNSOP] Secdir last call review of draft-ietf… Eric Orth
- Re: [DNSOP] Secdir last call review of draft-ietf… Wes Hardaker
- Re: [DNSOP] Secdir last call review of draft-ietf… Wes Hardaker