Message-ID: <7373aae035616f1689a576117579ca054759c84d.camel@gnu.org>
From: Martin Schanzenbach <schanzen@gnu.org>
To: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>, dnsop@ietf.org
Date: Thu, 25 Jul 2024 12:49:31 +0000
In-Reply-To: <m1sWxlI-0000MGC@stereo.hq.phicoh.net>
References: <m1sWF8d-0000LsC@stereo.hq.phicoh.net>
	<1070949df20a6ac1f9c2c2dd401d5953bb362bf2.camel@aisec.fraunhofer.de>
	<m1sWe2O-0000OKC@stereo.hq.phicoh.net>
	<fc306ade9816e06e19a1e2c9828c1c9ef2f0e2bb.camel@gnu.org>
	<m1sWxJi-0000MEC@stereo.hq.phicoh.net>
	<6c70aa6b316f7650d84a52135a6aa24aab147788.camel@gnu.org>
	<m1sWxlI-0000MGC@stereo.hq.phicoh.net>
Subject: [DNSOP] Re: Potentially interesting DNSSEC library CVE
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yS4Vxuez6VG5p6EEjBFLsw_CleM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>


On Thu, 2024-07-25 at 14:39 +0200, Philip Homburg wrote:
> > As hinted at in the CVE description, Thomas asked here where this
> > behaviour is defined exactly and did not receive a response that
> > fits this issue:
> > https://mailarchive.ietf.org/arch/msg/dnsop/X7ul3Updo4XP0EYdExuZ6pkp-Gk/
> >
> > Yes, of course a stub resolver will have to sift through the CNAMEs
> > (especially if DNSSEC validation is supposed to be done). But
> > where is the filtering between QNAME and received answers
> > explicitly defined, exactly?
>
> By and large, the IETF defines network protocols. The IETF is not
> good at defining APIs for network functions. And it is not part of its
> core mission.
>
> So what happens after a stub resolver receives a response is mostly
> undefined. Low-level C APIs were done in the past by the IEEE (POSIX)
> and more recently by the Open Group.
>
> For example, RFC 3493 is not an IETF standard, but the functions
> described, such as getaddrinfo, are part of the Single Unix
> Specification.
>
> > I am pointing out that there is a root cause
> > for this CVE/bug and it may not be simple oversight. It very well
> > may be a gap in specification or missing security considerations
> > that could hit any future implementer of (stub) resolvers.
>
> The gap is that there is no good standards organisation for APIs
> related to internet protocols. That is unfortunate. It is not clear to
> me who would have enough clout to create one.

Are you trying to say that the behaviour of a validating stub resolver
is not in scope of the work on DNS(SEC)?
Because I was pretty sure it is.
See Thomas' post before on how separating validation from result
filtering (following the CNAME chain) would be tricky to do outside of
the validating stub resolver (or only with significant overhead and
re-validation) for any implementation.

BR
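
The result filtering the thread refers to, walking the CNAME chain from QNAME and dropping answer records that are not linked to it, as an added example that is not code from the thread, the affected library, or any resolver; the tuple record layout, the names and the addresses are constructed for illustration:

```python
# Added illustration: filter an answer section by following the CNAME
# chain from QNAME. Records are constructed (owner, rrtype, rdata) tuples,
# not any library's API. Anything not reachable from QNAME is discarded,
# and a CNAME loop or an over-long chain is rejected instead of followed.

def _norm(name: str) -> str:
    """Canonical form for owner-name comparison: lowercase, one trailing dot."""
    return name.rstrip(".").lower() + "."


def filter_answer(qname: str, qtype: str, answer, max_chain: int = 8):
    """Return (accepted_records, final_name).

    Starting at qname, accept records of qtype owned by the current name
    and stop; otherwise accept the single CNAME owned by the current name
    and continue at its target. Records off that path are dropped.
    Raises ValueError on a CNAME loop, a multi-CNAME owner, or a chain
    longer than max_chain.
    """
    current = _norm(qname)
    seen = {current}
    accepted = []
    for _ in range(max_chain):
        final = [r for r in answer if _norm(r[0]) == current and r[1] == qtype]
        if final:
            accepted.extend(final)
            return accepted, current
        cnames = [r for r in answer if _norm(r[0]) == current and r[1] == "CNAME"]
        if not cnames:
            return accepted, current  # chain ends without data (NODATA)
        if len(cnames) > 1:
            raise ValueError(f"multiple CNAME records at {current}")
        accepted.append(cnames[0])
        current = _norm(cnames[0][2])
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
    raise ValueError("CNAME chain exceeds max_chain")


# Constructed answer section: a two-step chain plus one unrelated record
# that a careless stub resolver might hand back for the original query.
ANSWER = [
    ("www.example.test.", "CNAME", "web.example.test."),
    ("web.example.test.", "CNAME", "host1.cdn.example.test."),
    ("host1.cdn.example.test.", "A", "192.0.2.10"),
    ("unrelated.example.test.", "A", "192.0.2.99"),
]

if __name__ == "__main__":
    print(filter_answer("WWW.example.test", "A", ANSWER))
```

The validated RRsets are assumed to have been checked already; this step only decides which of them belong to the caller's question.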
