[DNSOP] Re: Potentially interesting DNSSEC library CVE

"Bellebaum, Thomas" <thomas.bellebaum@aisec.fraunhofer.de> Fri, 26 July 2024 11:41 UTC

From: "Bellebaum, Thomas" <thomas.bellebaum@aisec.fraunhofer.de>
To: "dnsop@ietf.org" <dnsop@ietf.org>, "pch-dnsop-5@u-1.phicoh.com" <pch-dnsop-5@u-1.phicoh.com>
Date: Fri, 26 Jul 2024 11:41:17 +0000
Message-ID: <a75e064ed50c62587315d42b21eedb60403fc307.camel@aisec.fraunhofer.de>
References: <m1sWF8d-0000LsC@stereo.hq.phicoh.net> <1070949df20a6ac1f9c2c2dd401d5953bb362bf2.camel@aisec.fraunhofer.de> <m1sWe2O-0000OKC@stereo.hq.phicoh.net> <fc306ade9816e06e19a1e2c9828c1c9ef2f0e2bb.camel@gnu.org> <m1sWxJi-0000MEC@stereo.hq.phicoh.net> <6c70aa6b316f7650d84a52135a6aa24aab147788.camel@gnu.org> <m1sWxlI-0000MGC@stereo.hq.phicoh.net> <7373aae035616f1689a576117579ca054759c84d.camel@gnu.org> <m1sWyDs-0000SdC@stereo.hq.phicoh.net>
In-Reply-To: <m1sWyDs-0000SdC@stereo.hq.phicoh.net>
CC: "schanzen@gnu.org" <schanzen@gnu.org>
Subject: [DNSOP] Re: Potentially interesting DNSSEC library CVE
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zcSSBvdE4n1-GdtoN-NE9gRhv-w>

> The IETF does not create standards for APIs. So a validating stub resolver is  
> not really something that can be defined, because it is not a protocol.

I beg to differ here. It may not be strictly part of the DNS protocol, but then this logic needs to be a part of every single protocol dependent on DNS.

Consider e.g. IMAP, something which clearly is a network protocol. There is a very convenient RFC 6186, specifying how to use DNS to locate an IMAP service. Even if you would not call this a network protocol, it clearly is within IETF scope (and on Standards Track).
TL;DR: The TLS-secured IMAP server for localpart@domain.tld is whatever the SRV record at _imaps._tcp.domain.tld points at, and you can proceed sending localpart's password there in an attempt to authenticate.

It should be clear that there are problems which may arise in this protocol if the used SRV records' targets can be influenced by an attacker. To do some damage control, RFC 6186 thus specifies:

> In the absence of a secure DNS option, MUAs SHOULD
> check that the target FQDN returned in the SRV record matches the
> original service domain that was queried.  If the target FQDN is not
> in the queried domain, MUAs SHOULD verify with the user that the SRV
> target FQDN is suitable for use before executing any connections to
> the host.

What exactly does "secure" mean here? Which SRV records are to be investigated exactly? Most protocols do not tell, instead referring to the DNS.

In effect, this gap between protocols is what leads to problems, and there is no specification that seems to have adequate security considerations addressing these points. Keep in mind, IMAP is only an example here. To ensure the security of network protocols all throughout the IETF (and beyond), there has to be a clear API. Not for applications, but for other protocols.

As a related example: HKDF defines an API, which most client libraries do not copy exactly. This is fine, but the clear definition allows e.g. TLS to depend on HKDF, and be a verifiably secure protocol. The same should apply to DNS and its interaction with the wider internet.

-- Thomas
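As an added example (not part of the message above, nor code from RFC 6186 or any MUA), the following Python sketch implements the RFC 6186 fallback check the message quotes: order the SRV records for `_imaps._tcp.<domain>` as RFC 2782 prescribes, and, when no "secure DNS option" is available, accept a target only if it lies in the queried domain, otherwise defer to the user. The SRV record set is constructed inline, and whether the answer counts as "secure" is passed in as a caller-supplied flag, precisely because, as the message points out, no protocol spec says how an application is supposed to learn that; in practice it would come from the AD bit of a validating resolver reached over a trusted channel. The example also handles two edge cases the RFC text does not spell out: a target of "." (service explicitly unavailable) and the suffix-matching pitfall where `evil-example.com` must not count as being "in" `example.com`.

```python
"""RFC 6186-style SRV target check for locating an IMAPS server.

Added example: it does not come from the mailing-list message, RFC 6186
or any real mail client. The SRV data below is constructed, and the
`dnssec_secure` flag is an assumption standing in for whatever "secure
DNS option" the application has (typically the AD bit from a validating
resolver over a trusted channel).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SRV:
    """One SRV RR: priority, weight, port, target (RFC 2782)."""
    priority: int
    weight: int
    port: int
    target: str


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; compare in a canonical form:
    # lowercase, trailing dot removed ("." therefore becomes "").
    return name.rstrip(".").lower()


def target_in_domain(target: str, domain: str) -> bool:
    """True if `target` equals `domain` or is a proper subdomain of it.

    The "." boundary is essential: a bare endswith() check would accept
    evil-example.com as being "in" example.com.
    """
    t, d = _normalize(target), _normalize(domain)
    return t == d or t.endswith("." + d)


def order_srv(records: List[SRV]) -> List[SRV]:
    """RFC 2782 ordering: lowest priority first; among equal priority,
    higher weight first (a deterministic stand-in for the RFC's
    weighted random selection)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def evaluate_imaps_targets(domain: str, records: List[SRV],
                           dnssec_secure: bool) -> List[Tuple[SRV, str]]:
    """Return (record, decision) pairs in connection order.

    decision is one of:
      "connect"               - safe to connect and authenticate
      "ask-user"              - RFC 6186: target outside the queried
                                domain and no secure DNS; confirm first
      "service-not-available" - RFC 2782: target is "."
    """
    decisions: List[Tuple[SRV, str]] = []
    for rec in order_srv(records):
        if _normalize(rec.target) == "":
            decisions.append((rec, "service-not-available"))
            continue
        if dnssec_secure or target_in_domain(rec.target, domain):
            decisions.append((rec, "connect"))
        else:
            decisions.append((rec, "ask-user"))
    return decisions


# Constructed sample answer for _imaps._tcp.example.com (not real DNS data).
EXAMPLE_DOMAIN = "example.com"
EXAMPLE_SRV = [
    SRV(10, 60, 993, "imap.example.com."),
    SRV(10, 40, 993, "IMAP2.Example.COM"),              # same domain, odd case
    SRV(20, 0, 993, "mail.hosting-provider.example."),  # legitimate outsourcing
    SRV(30, 0, 993, "evil-example.com."),               # suffix-match trap
]


if __name__ == "__main__":
    for rec, decision in evaluate_imaps_targets(EXAMPLE_DOMAIN, EXAMPLE_SRV,
                                                dnssec_secure=False):
        print(f"{rec.priority:>3} {rec.weight:>3} {rec.target:<35} {decision}")
```

With `dnssec_secure=False` the two in-domain targets are accepted, the outsourced provider and the look-alike domain both fall to "ask-user"; with `dnssec_secure=True` every target is accepted, which is exactly why the meaning of "secure" matters and why the message argues it must be defined somewhere.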