[secdir] Re: Secdir early review of draft-ietf-dnsop-compact-denial-of-existence-04
Shumon Huque <shuque@gmail.com> Wed, 31 July 2024 02:13 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E612BC1840C2; Tue, 30 Jul 2024 19:13:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4-QwQIvdhqHd; Tue, 30 Jul 2024 19:13:37 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65634C151543; Tue, 30 Jul 2024 19:13:34 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id ca18e2360f4ac-81f9339e541so132458539f.3; Tue, 30 Jul 2024 19:13:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722392013; x=1722996813; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=P5+F/kkqUQMaZgXIOs6VlXooyCOvoQbEIjdQM6dw36k=; b=bcleBPo6SqKt1iI9ZEpfU7BJHDgU/0gE7Q/9wbp7Y+jhrOlAoiINr5yGLe4fuDl7o1 YWPu4s4efSQ4XjWaTft0hQ0zEFTUmVaPP6QMV2tkuMPaNBgoVo64pZ3+GieUXOnGV7DU 6Dv/duM9FK0PRJiKJKB4FMVQpXEiWVWU6uio3sE1Hoj/kMvgz2bSyZEU/z+xH3ttf0K4 gdJsTDGGKrYlZWCVjGjXcjKsMpIO3l7TjCeDazbbFsD10cGvcEIX5y5JjFgtAO2o5L94 09vdZIdt4GZOfCsoI8tjva+PGwwNah1BXWfuNk9hIZeF3f98u6D3NLNOv8Vn2b5TVn6U r9qQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722392013; x=1722996813; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=P5+F/kkqUQMaZgXIOs6VlXooyCOvoQbEIjdQM6dw36k=; b=oiZu72CgR0lhRkr6DvVG2yIuXeW7M3Wmo/p/J4q5w/nLQeirS8oI9wgqwOIo6sTR7z a4lggRIT9SIOkIGRzp6LHKEEzxShydbkFTg9t2LSu+CDEYIkbmxUPLpkhChWRs0Typ6m LLkojKokrsQdTUJXZ7kLjA2RHxRzTQx5vsCsU8RRJ4XRFzh2kE36Q1xrlXupVyLc8Wpa D7OIhq4dHD6/ce63Ckm/NltFAvJjbSGOd3ZWrlcbqKm3ZR2jXMSkRB+INegplQtJ/t05 2hZ8cUreYuOaxbRY6yX/MkXwB+A3YsCyghibB6wvpTjQw4vmOyRXHEVZClpQqu3Cugk4 3KRw==
X-Forwarded-Encrypted: i=1; AJvYcCUYJr2gmbL01bANgpVHeEySzWAYpNSu4RwX79HvoDvMSPJuORD8KMzsd+HjGzGBck0go1xZBeU5Fe8EmMri+srBJazWNfbRFpY59DJq3SO6MAyKGapb4AHWIEcq9fXyGd1kcV79pGkFraQnqH2lNejJS8aaP0YW0ltI
X-Gm-Message-State: AOJu0Yxvbl+m6mcKbJqw9itfFPRIVnRke4g5OTTPTuY76KWBy0h2VlJZ FeBg9x+Mo/GzcdoBNs0ySRm7BTaYjkTO+EPJDMUttriPZFJz1N4ILa5V6BdAYyRz7bpB5Za/GCw qjzIyvRXgXHl1CdbGcZxl61LmpZrYMA==
X-Google-Smtp-Source: AGHT+IHuoZtHdYcM0yrO/MyXIp1qSzHY7UNmd5M0f8XR9RsinWd3pNvy8PNaIKyArD4HKdJlXigagxw+DZYUGriSevE=
X-Received: by 2002:a05:6602:26c1:b0:807:f0fb:1192 with SMTP id ca18e2360f4ac-81f95ac3386mr2056374639f.1.1722392013498; Tue, 30 Jul 2024 19:13:33 -0700 (PDT)
MIME-Version: 1.0
References: <172238346320.1988233.11549951810315868557@dt-datatracker-659f84ff76-9wqgv>
In-Reply-To: <172238346320.1988233.11549951810315868557@dt-datatracker-659f84ff76-9wqgv>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 30 Jul 2024 22:13:22 -0400
Message-ID: <CAHPuVdUexV6B2DY+ma02pmYxYFNfXB_4d-WDKS1_Vz2oCV4SHA@mail.gmail.com>
To: Brian Weis <bew.stds@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000020f043061e81a45c"
Message-ID-Hash: IXCJCNH5RELPE2BJMCH5DYMD6XTI6VOJ
X-Message-ID-Hash: IXCJCNH5RELPE2BJMCH5DYMD6XTI6VOJ
X-MailFrom: shuque@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: secdir@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-compact-denial-of-existence.all@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [secdir] Re: Secdir early review of draft-ietf-dnsop-compact-denial-of-existence-04
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/bDR9kX2AcfVbTB1GRpypKy3lXZ4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>
On Tue, Jul 30, 2024 at 7:51 PM Brian Weis via Datatracker <noreply@ietf.org> wrote: > Reviewer: Brian Weis > Review result: Has Nits > Thank you for your review Brian. [... Good summary deleted for brevity ...] > Security Considerations also mentions that some security tools rely > on particular return codes to detect non-existent domain names, and > their current method may be impacted by this change. This is > unfortunate, but I suspect that there was no clean way to accommodate > those semantics in this design. It is noted that if security tools > support this new method that they will be relying on signed data > rather than the unsigned header to obtain the same information. > Yes, that is correct. > Also, the document describes an optional header flag which a resolver > that returns a different status. This seems to be intended to aid > security tools, but perhaps if they’ve updated their tool to send > a new header flag they would also be able to update it to accept > the main method described in this document. Is theres another > practical reason for this optional feature? Or are the semantics > of a resolver understanding both the old and new main methods just > complicated and this makes it easier for them? > The NXDOMAIN response code restoration methods are optional, because we expect that not all resolver implementers will want to make accommodations for this method (although some do plan to). Impacted security tools could indeed be updated to recognize the NXNAME signal, but there is some skepticism that this will happen quickly because of inertia, unwillingness to do deeper packet inspection, or because they are often written by folks without detailed familiarity with the DNS protocol. The rcode restoration capability will help them, and their users may decide to use resolvers that implement this feature. In other words, the spec is providing the capability, and we'll let customer demand help sort out where it might get deployed. > I’m a little confused by this statement in Section 4 (Response Code > Restoration): “For non-existent names, implementations should try > wherever possible, to preserve the response code value of 3 (NXDOMAIN). > This is generally possible for non-DNSSEC enabled queries, > namely those which do not set the DNSSEC_OK EDNS flag (DO bit).” I > believe this is describing a case where the response does not include > DNSSEC. Based on the name of the document that it was concerned > only with a DNSSEC response, so it’s not clear to me why this > suggestion needs to be made. > Yes, your observation is correct. However, there was strong consensus in the working group that this document explicitly state that non DNSSEC enabled queries for non-existent names return the expected NXDOMAIN response code (there are implementations of this protocol in the field for example that return NODATA today for non-DNSSEC responses too). One general suggestion is that it might be helpful for the RFC Editor > if there was an explicit note somewhere warning them that Section 6.2 > contains an (RFC TBD) self-reference that they’ll need to resolve. > If we wanted to get rid of the self-reference we could also only state the name of the protocol and omit the RFC#. Shumon.
- [secdir] Secdir early review of draft-ietf-dnsop-… Brian Weis via Datatracker
- [secdir] Re: Secdir early review of draft-ietf-dn… Shumon Huque
- [secdir] Re: Secdir early review of draft-ietf-dn… Brian Weis