Re: [Doh] more generally on resolver-associated-doh.arpa and resolver-associated-doh.arpa
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 26 March 2019 13:35 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id E755D120160
for <doh@ietfa.amsl.com>; Tue, 26 Mar 2019 06:35:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id AtRHDG00ckiW for <doh@ietfa.amsl.com>;
Tue, 26 Mar 2019 06:35:20 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id BBF691203D3
for <doh@ietf.org>; Tue, 26 Mar 2019 06:35:08 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by mercury.scss.tcd.ie (Postfix) with ESMTP id 3B975BEFE;
Tue, 26 Mar 2019 13:35:04 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1])
by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id NnBRHtYKzj4t; Tue, 26 Mar 2019 13:35:02 +0000 (GMT)
Received: from [31.133.128.194] (dhcp-80c2.meeting.ietf.org [31.133.128.194])
by mercury.scss.tcd.ie (Postfix) with ESMTPSA id A0E96BEFA;
Tue, 26 Mar 2019 13:35:01 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail;
t=1553607302; bh=HoVVEmJWQupqnRkzILbL8ZqPWLZfnnvJnpdFTOaShTc=;
h=Subject:To:References:From:Date:In-Reply-To:From;
b=Yh93eCZaz1IQANooOgdC0GxLjicNUwpd6xdn97UEKIT3+O2ORPoFuxqRIXJRgHeyg
fgRMK1xIUhnVY1ZtDeO6K1stSJaFnvXHPP2qjxdXTGDXXheNB0JHQbjJDvoTM/NoOS
R+jNbmIeXVziJXNTNqhJBLaaf5VhhppkPTnqp59k=
To: Joe Abley <jabley@hopcount.ca>, DoH WG <doh@ietf.org>
References: <E064E7E9-0E00-4B3E-8841-59EB40B4EEDD@hopcount.ca>
<4D942FED-E2F3-4A78-A1C5-3F72E013BF69@hopcount.ca>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata=
mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh
5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+
QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr
EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU
bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO
Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg
b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k
4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK
7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi
HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh
cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ
CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m
x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN
hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G
rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz
DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi
Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS
3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml
3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi
2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95
8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru
q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5
SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey
4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+
TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S
VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld
/n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v
l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/
6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA
L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7
zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ
+w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b
Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h
sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1
oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt
SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL
AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0
FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK
CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+
6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI
ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH
4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <6e72bf38-16b8-6c4f-b842-f3fd64c02e37@cs.tcd.ie>
Date: Tue, 26 Mar 2019 13:34:59 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <4D942FED-E2F3-4A78-A1C5-3F72E013BF69@hopcount.ca>
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="ZTxeMZowhiAkJba8vYxCCtQPb5mNo8xQL"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/YYOOqxnG6PhrR_fnVgvhNJ3mNVY>
Subject: Re: [Doh] more generally on resolver-associated-doh.arpa and
resolver-associated-doh.arpa
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>,
<mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>,
<mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 13:35:24 -0000
On 26/03/2019 13:25, Joe Abley wrote: > Hi again, > > I think my concerns about the "DoH Servers from DNS" mechanism are > wider than those about the blackhole suggestion that I mentioned > earlier. > > The "DoH Servers from DNS" mechanism in general involves the > retrieval of security-critical information for an end-user's > application environment from the DNS in a way that necessarily > precludes integrity protection by DNSSEC. A polluted cache, a > compromised upstream forwarder or resolver, a man in the middle or > just the accidental inheritance of a non-malicious upstream policy > can divert all end-user resolver traffic to an unexpected location > where the response policy is unknown.\ > > This is worse than DNSChanger or attacks on local DHCP infrastructure > to divert resolver traffic since it has the potential to affect > larger communities of end-users without the hurdle of local network > or end-host compromise. > > Any network that doesn't provision these domains on their local > resolvers is hence vulnerable. If that is likely (and I'd suspect, but don't know, that it may be) then there's also a privacy leak - devices will make these requests at boot time and/or application start time. That may or may not be worse than the status-quo ante though, so is hard to evaluate. That said, a more localised mechanism (if one exists) could be better in both respects. S > If successful the impact of such an > attack would be difficult to assess by the network operator since of > course the query traffic is at that point obscured, being carried as > DoH. > > Architecturally, I think this mechanism is vulnerable by default, > which is a poor security posture. It's a challenge to detect the > attack and it's also challenging to defend against (e.g. in the case > that an end-user doesn't start the discovery from a local resolver). > > > Joe > > On 26 Mar 2019, at 12:17, Joe Abley <jabley@hopcount.ca> wrote: > >> Hi all, >> >> There was a suggestion at the microphone this morning in the Grand >> Ballroom that the resolver-associated-doh.arpa and >> resolver-associated-doh.arpa domains be "blackholed". The draft >> currently specifies that these MUST NOT be delegated from ARPA. >> >> The microphone queue was already cut off before I could ask more >> about what this means, but I think it's worth reminding the wg what >> blackhole generally means in this context of DNS names in and near >> ARPA, and how it can be implemented, since I think there is a >> security concern. >> >> RFC 7534 provides two mechanisms to blackhole DNS traffic: one uses >> DNAME (see RFC 7535) and the other uses a zone cut. The DNAME >> approach is technically compatible with the MUST NOT in the draft >> (since it's technically not a delegation but rather a redirection) >> but the direct delegation mechanism is not. >> >> In both cases, however, blackholing these domains would point their >> DNS resolution away from the authoritative servers that serve ARPA >> towards a loosely-coordinated set of AS112 servers. >> >> Anybody can operate an AS112 server; in fact, operators have in the >> past been actively encouraged to operate AS112 servers without any >> requirement for coordination. This has been considered a reasonable >> approach so long as the query data being sent to AS112 servers is >> recognised to be junk that only leaks by accident; since it's >> generally private network PTR query traffic the potential for >> exploitation by bad actors (malicious AS112 node operators) is >> arguably low. >> >> However, in the case of these doh resolver domains, there is the >> potential for a bad actor to respond with an unauthorised list of >> DoH URIs and steal the resolver traffic of a large array of >> end-users whose local (or configured) resolvers don't implement the >> mechanisms described in this draft. This would be a bit like DNS >> changer, but without the need to infect individual end-hosts.. >> >> I think this a problem. >> >> I think (in contrast to the thought at the microphone) if we >> mention blackholing at all it ought to be of the form "don't ever >> do this because it would be bad for the following reasons". >> >> >> Joe > > > > _______________________________________________ Doh mailing list > Doh@ietf.org https://www.ietf.org/mailman/listinfo/doh >
- [Doh] on blackholing resolver-associated-doh.arpa… Joe Abley
- [Doh] more generally on resolver-associated-doh.a… Joe Abley
- Re: [Doh] more generally on resolver-associated-d… Stephen Farrell
- Re: [Doh] on blackholing resolver-associated-doh.… Ted Hardie
- Re: [Doh] on blackholing resolver-associated-doh.… Matthew Pounsett
- Re: [Doh] on blackholing resolver-associated-doh.… Joe Abley
- Re: [Doh] on blackholing resolver-associated-doh.… Ted Hardie