[Doh] on blackholing resolver-associated-doh.arpa and resolver-associated-doh.arpa

Joe Abley <jabley@hopcount.ca> Tue, 26 March 2019 11:18 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 6B6481202C6 for <doh@ietfa.amsl.com>; Tue, 26 Mar 2019 04:18:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id rferNb99baoV for <doh@ietfa.amsl.com>; Tue, 26 Mar 2019 04:18:01 -0700 (PDT)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB3571202A4 for <doh@ietf.org>; Tue, 26 Mar 2019 04:18:00 -0700 (PDT)
Received: by mail-wm1-x32b.google.com with SMTP id 4so12169405wmf.1 for <doh@ietf.org>; Tue, 26 Mar 2019 04:18:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:mime-version:subject:message-id:date:to; bh=fs+KVq4bVajZwr66mzFDduMsdJ5JtomLGiyIky6WNNM=; b=cw2PScTXnMcSRIrQfsL3vf5VX82nRkM1A4gCFOTpFXrmzAIgJzVHdW38VSKcoOhdRF xO3Cro15Zzi+jBepxv/DXLmbRRngYpI4M9bfYZAUWSuWYfFK5yldSBtnnSTE5BUt8BQO X6w06eQzcsCf4M7xjP0j+HHMV+kVJDSTrmDYA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:to; bh=fs+KVq4bVajZwr66mzFDduMsdJ5JtomLGiyIky6WNNM=; b=YbhgNbZgWxDboGR/PHubaGuDOT+OUIhOOIfjkH1sRTVGXwDQac01h4oY+4OKZRL7y4 dzQCtfao+6+rilRaGR1ddxzOIcuL9v3MHEw2mKhnxa0rNvuFS7sp6+91pY/N2bIgFyFr 9H1xrUQYDnOa1+dQ7+rbkI/jhegeNXoOGBKmOX8We1AGeDX14MRB64BxQ0cOTLO/uDT/ d4Eg8FDrAbmw8J+Hm4A22f8VEU7C71ZQd1gmuuaL7LrvA1OmPoR6M9R+Nt3aNB/UWMdK F3qJM4ZtpTAMYebdG9gYKJw8gGiC3q/5lGlNrDH4CiuhI+l/ZL8jED/xv4yR4oZ26Kbb setQ==
X-Gm-Message-State: APjAAAVfnak2mZXyciI/+TFmsINkIvnREdz5rM135YFhPuAPBDtrA6ff TOik7CkFP3Z8r5amcP7B+e1bU0D9eHxFcQ==
X-Google-Smtp-Source: APXvYqy1at9Gy7vHM77Dr7UE6h/kSrt2uo9jxWZf2a1OEbKnzmddlTScplti0LexKPMoA37N94ht4A==
X-Received: by 2002:a1c:7901:: with SMTP id l1mr2516801wme.144.1553599078820; Tue, 26 Mar 2019 04:17:58 -0700 (PDT)
Received: from ?IPv6:2001:67c:1232:144:41ad:44eb:a301:b245? ([2001:67c:1232:144:41ad:44eb:a301:b245]) by smtp.gmail.com with ESMTPSA id y3sm18880990wrh.18.2019. for <doh@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 Mar 2019 04:17:57 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
Content-Type: multipart/signed; boundary="Apple-Mail=_FC50C2CA-801C-4167-A1AA-8C1A08E53FF5"; protocol="application/pgp-signature"; micalg=pgp-sha1
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Message-Id: <E064E7E9-0E00-4B3E-8841-59EB40B4EEDD@hopcount.ca>
Date: Tue, 26 Mar 2019 12:17:56 +0100
To: DoH WG <doh@ietf.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/abrFOPparUmhiEoUSZrJOII7s_M>
Subject: [Doh] on blackholing resolver-associated-doh.arpa and resolver-associated-doh.arpa
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 11:18:04 -0000

Hi all,

There was a suggestion at the microphone this morning in the Grand Ballroom that the resolver-associated-doh.arpa and resolver-associated-doh.arpa domains be "blackholed". The draft currently specifies that these MUST NOT be delegated from ARPA.

The microphone queue was already cut off before I could ask more about what this means, but I think it's worth reminding the wg what blackhole generally means in this context of DNS names in and near ARPA, and how it can be implemented, since I think there is a security concern.

RFC 7534 provides two mechanisms to blackhole DNS traffic: one uses DNAME (see RFC 7535) and the other uses a zone cut. The DNAME approach is technically compatible with the MUST NOT in the draft (since it's technically not a delegation but rather a redirection) but the direct delegation mechanism is not.

In both cases, however, blackholing these domains would point their DNS resolution away from the authoritative servers that serve ARPA towards a loosely-coordinated set of AS112 servers.

Anybody can operate an AS112 server; in fact, operators have in the past been actively encouraged to operate AS112 servers without any requirement for coordination. This has been considered a reasonable approach so long as the query data being sent to AS112 servers is recognised to be junk that only leaks by accident; since it's generally private network PTR query traffic the potential for exploitation by bad actors (malicious AS112 node operators) is arguably low.

However, in the case of these doh resolver domains, there is the potential for a bad actor to respond with an unauthorised list of DoH URIs and steal the resolver traffic of a large array of end-users whose local (or configured) resolvers don't implement the mechanisms described in this draft. This would be a bit like DNS changer, but without the need to infect individual end-hosts..

I think this a problem.

I think (in contrast to the thought at the microphone) if we mention blackholing at all it ought to be of the form "don't ever do this because it would be bad for the following reasons".