[DNSOP] Re: Potentially interesting DNSSEC library CVE
Martin Schanzenbach <schanzen@gnu.org> Thu, 25 July 2024 12:27 UTC
Message-ID: <6c70aa6b316f7650d84a52135a6aa24aab147788.camel@gnu.org>
From: Martin Schanzenbach <schanzen@gnu.org>
To: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>, dnsop@ietf.org
Date: Thu, 25 Jul 2024 12:27:11 +0000
In-Reply-To: <m1sWxJi-0000MEC@stereo.hq.phicoh.net>
References: <m1sWF8d-0000LsC@stereo.hq.phicoh.net> <1070949df20a6ac1f9c2c2dd401d5953bb362bf2.camel@aisec.fraunhofer.de> <m1sWe2O-0000OKC@stereo.hq.phicoh.net> <fc306ade9816e06e19a1e2c9828c1c9ef2f0e2bb.camel@gnu.org> <m1sWxJi-0000MEC@stereo.hq.phicoh.net>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/t_KoL_yGZgnxsI8tfNW2lh_y3OQ>
On Thu, 2024-07-25 at 14:11 +0200, Philip Homburg wrote:
> > I think this is the core issue behind the CVE and the filed bug.
> > Who is the "ultimate user"? And where is this expectation formulated
> > exactly? I would believe that most applications using DNS libraries
> > such as dnsjava do not expect that they have to sift through CNAMEs
> > in the replies and filter according to their initial query. So is
> > dnsjava in your opinion the "ultimate user" that is expected to
> > filter? If yes, "ultimate user" is an odd description because
> > dnsjava is a resolver implementation, whereas "ultimate user" to
> > me means an application using a resolver (library/implementation).
>
> The typical model is that of a library that implements a DNS stub resolver
> function. This library is expected to offer a function that takes a QNAME,
> QCLASS, and QTYPE as arguments and returns a set of resource records or an
> error.
>
> If dnsjava implements the function of a stub resolver, then yes, dnsjava would
> be expected to sift through the CNAMEs. A stub resolver speaks the DNS
> protocol and this is just how the protocol works.
>

As hinted at in the CVE description, Thomas asked here where this behaviour is
defined exactly and did not receive a response that fits this issue:
https://mailarchive.ietf.org/arch/msg/dnsop/X7ul3Updo4XP0EYdExuZ6pkp-Gk/

Yes, of course a stub resolver will have to sift through the CNAMEs (especially
if DNSSEC validation is supposed to be done). But where is the filtering
between QNAME and received answers explicitly defined, exactly?

> Obviously, you are free to define a new protocol that runs between a
> stub resolver and a recursive resolver. However, just complaining about the
> current situation is not going to change much.
>

I am not complaining. I am pointing out that there is a root cause for this
CVE/bug and it may not be simple oversight. It very well may be a gap in
specification or missing security considerations that could hit any future
implementer of (stub) resolvers.

BR
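Editor's note, added to this archive page and not part of the thread: the step Philip describes (a stub resolver function taking QNAME/QCLASS/QTYPE and "sifting through the CNAMEs") is easy to state and easy to get wrong, so the example below shows it in working code next to the unfiltered behaviour Martin's earlier message worries about. This is illustrative code written for this page; it is not dnsjava's code, not the CVE's fix, and not text from any RFC. The RR record shape, the function names, the chain-length bound and both sample answer sections are assumptions constructed for the example. It does not answer the thread's actual question of where this filtering is specified.

```python
from dataclasses import dataclass
from typing import List

# RR type/class codes used below (RFC 1035 values)
A = 1
CNAME = 5
IN = 1
MAX_CNAME_CHAIN = 8  # assumption for this example: bound on CNAME hops


class AnswerError(Exception):
    """Answer section is malformed with respect to the question asked."""


@dataclass(frozen=True)
class RR:
    name: str
    rtype: int
    rclass: int
    rdata: str


def canon(name: str) -> str:
    """Owner names compare case-insensitively; normalise the trailing dot."""
    return name.rstrip(".").lower() + "."


def naive_select(qtype: int, qclass: int, answer: List[RR]) -> List[RR]:
    """Contrast case: hand back every record of the requested type/class in
    the answer section, with no check that its owner is the QNAME or a name
    reached from the QNAME via CNAMEs. Nothing ties the data to the query."""
    return [rr for rr in answer if rr.rtype == qtype and rr.rclass == qclass]


def select_answer(qname: str, qtype: int, qclass: int, answer: List[RR]) -> List[RR]:
    """Stub-resolver style selection: start at QNAME, follow CNAME RRs that
    are present in the answer section, and return only the QTYPE records
    owned by the name at the end of that chain. Unrelated records are
    dropped; loops, chains that are too long and owners with more than one
    CNAME are rejected as errors rather than returned."""
    owner = canon(qname)
    seen = {owner}
    for _ in range(MAX_CNAME_CHAIN + 1):
        at_owner = [rr for rr in answer
                    if canon(rr.name) == owner and rr.rclass == qclass]
        direct = [rr for rr in at_owner if rr.rtype == qtype]
        if direct:
            return direct  # also covers QTYPE=CNAME: the walk stops here
        cnames = [rr for rr in at_owner if rr.rtype == CNAME]
        if not cnames:
            return []  # the answer section carries nothing for this owner
        if len(cnames) > 1:
            raise AnswerError("more than one CNAME RR at " + owner)
        target = canon(cnames[0].rdata)
        if target in seen:
            raise AnswerError("CNAME loop through " + owner)
        seen.add(target)
        owner = target
    raise AnswerError("CNAME chain longer than %d hops" % MAX_CNAME_CHAIN)


# Constructed sample answer section for QNAME=www.example.test QTYPE=A:
# one legitimate CNAME hop plus a record for an owner that was never asked about.
SAMPLE_ANSWER = [
    RR("www.example.test.", CNAME, IN, "web.example.test."),
    RR("web.example.test.", A, IN, "192.0.2.10"),
    RR("victim.example.test.", A, IN, "203.0.113.5"),  # not on the chain
]

# Constructed loop: a -> b -> a
LOOP_ANSWER = [
    RR("a.example.test.", CNAME, IN, "b.example.test."),
    RR("b.example.test.", CNAME, IN, "a.example.test."),
]

if __name__ == "__main__":
    print("filtered:", [rr.rdata for rr in select_answer("WWW.example.test", A, IN, SAMPLE_ANSWER)])
    print("naive:   ", [rr.rdata for rr in naive_select(A, IN, SAMPLE_ANSWER)])
```

The difference between the two functions is exactly the "filter according to their initial query" step: `naive_select` returns the 203.0.113.5 record for `victim.example.test` even though that name was never asked about, while `select_answer` only returns data owned by `web.example.test`, the end of the CNAME chain that starts at the QNAME. Note that this selection is independent of DNSSEC validation; a validating stub would still have to validate each RRset on the chain after selecting it.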
- [DNSOP] Potentially interesting DNSSEC library CVE Bellebaum, Thomas
- [DNSOP] Re: Potentially interesting DNSSEC librar… Philip Homburg
- [DNSOP] Re: Potentially interesting DNSSEC librar… Bellebaum, Thomas
- [DNSOP] Re: Potentially interesting DNSSEC librar… Ted Lemon
- [DNSOP] Re: Potentially interesting DNSSEC librar… Philip Homburg
- [DNSOP] Re: Potentially interesting DNSSEC librar… Martin Schanzenbach
- [DNSOP] Re: Potentially interesting DNSSEC librar… Philip Homburg
- [DNSOP] Re: Potentially interesting DNSSEC librar… Martin Schanzenbach
- [DNSOP] Re: Potentially interesting DNSSEC librar… Philip Homburg
- [DNSOP] Re: Potentially interesting DNSSEC librar… Martin Schanzenbach
- [DNSOP] Re: Potentially interesting DNSSEC librar… Philip Homburg
- [DNSOP] Re: Potentially interesting DNSSEC librar… Bellebaum, Thomas
- [DNSOP] Re: Potentially interesting DNSSEC librar… Mark Andrews
- [DNSOP] Re: Potentially interesting DNSSEC librar… Mark Andrews