Re: [Tsv-art] [DNSOP] [Last-Call] Tsvart telechat review of draft-ietf-dnsop-dns-error-reporting-07
Mark Andrews <marka@isc.org> Wed, 14 February 2024 23:27 UTC
Return-Path: <marka@isc.org>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAC3BC15108C; Wed, 14 Feb 2024 15:27:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.408
X-Spam-Level:
X-Spam-Status: No, score=-4.408 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="DkEhQidK"; dkim=pass (1024-bit key) header.d=isc.org header.b="AY2tkieQ"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rzj69Y2NInMq; Wed, 14 Feb 2024 15:27:28 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 585E0C15108B; Wed, 14 Feb 2024 15:27:27 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id F22323AB11C; Wed, 14 Feb 2024 23:27:26 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org F22323AB11C
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1707953247; cv=none; b=QI7RZNffMQKbhvwOqkyO3A0PjpuBUfkAZHhBNVAvSwLm86jK1efHh7f81MdhjpOgaW20SgEOtTCvAaSpLQGPQx4gu587za4lQuJWTS1+uJuptYc1ter/VTHM6HKVhvimQzNcEA/YBN0LZ9vscLG8bBeVrPRF9cI1f2yvxBK59H8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1707953247; c=relaxed/relaxed; bh=X11LMdiFYILR7k0cGFgKJY01Xcm9UdbxLOt+ViFwn7Y=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=W223oo7E8KLBFVqEiEFCz6nvbZXRpkTmUw8H0J9LxjEMUiuh6ubNww2uIMvIZHghRleSF0r17wJ/Smgij8k8GUmh3jjDx9x9djQf1GOHmHJqz5cUI4zhSadKjq3JNT3doNV9EWdPkNGJqz5kXMlLXQilt0OpXfteXrzq6HMunUs=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org F22323AB11C
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1707953247; bh=4pe+EcHUHI3p/8qKFMcJ2bWp2osb4/O9nhlaOjzTFfs=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=DkEhQidK6Psr1ZxSrSlEyMiLxtW9bpl04TP1xTcdUW2Ec6tO9/suWI8i6D70P+UVd Auw4ampyn0zZMmgf1yc66cK4SzSRoa3Y+VujMD71i+vsSNHlX/saUcQS+vmJHtKEbV 6vcpUfrZ0lBcLVltgoVnenrdAwpGA/kU+x1W/dHo=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id E8D1CF691FE; Wed, 14 Feb 2024 23:27:26 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id BFA27F69228; Wed, 14 Feb 2024 23:27:26 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org BFA27F69228
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1707953246; bh=X11LMdiFYILR7k0cGFgKJY01Xcm9UdbxLOt+ViFwn7Y=; h=Mime-Version:From:Date:Message-Id:To; b=AY2tkieQAecE2Qi86vzE0C5NFh1vTSkNxh7wfPMB3PZyiWIMO7DIvIg7mFctlJuIv bOTk1o3EYQmR2lGM0FiIhu8Z1POBKo9iuepxEVQY8m9luwSTAW618uwjykqFhz8GzU X22F0o+xSN29lM542URkoxbYxPCMHmw+AeuPSsPQ=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id Xnnn-NaJ2udC; Wed, 14 Feb 2024 23:27:26 +0000 (UTC)
Received: from smtpclient.apple (n49-187-27-239.bla1.nsw.optusnet.com.au [49.187.27.239]) by zimbrang.isc.org (Postfix) with ESMTPSA id 1C2A6F691FE; Wed, 14 Feb 2024 23:27:24 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <c64fea26-8863-013a-4574-68ca9de912ba@nohats.ca>
Date: Thu, 15 Feb 2024 10:27:12 +1100
Cc: Roy Arends <roy@dnss.ec>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, tsv-art@ietf.org, dnsop <dnsop@ietf.org>, draft-ietf-dnsop-dns-error-reporting.all@ietf.org, last-call@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B7189887-05F2-42F6-BC55-9CA506BC2892@isc.org>
References: <170195243214.35471.15139593366465856989@ietfa.amsl.com> <73358628-DFCD-4048-A3D7-FFA2BCF3573D@dnss.ec> <8558549e-6967-1f5b-df6b-23c2785d2ba6@nohats.ca> <5F8E9601-0839-4DAA-A524-A322133187B1@dnss.ec> <c64fea26-8863-013a-4574-68ca9de912ba@nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/6-4e9SuZF2UmrNICNhyhjpkNfnY>
Subject: Re: [Tsv-art] [DNSOP] [Last-Call] Tsvart telechat review of draft-ietf-dnsop-dns-error-reporting-07
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Feb 2024 23:27:33 -0000
> On 15 Feb 2024, at 03:03, Paul Wouters <paul@nohats.ca> wrote: > > On Wed, 14 Feb 2024, Roy Arends wrote: > >>>> It is recommended that the client (the resolver) sets the DNS COOKIE. The benefit of using cookies is for the client. It is to make sure that the response is genuine. >>> Does it? Not for an on-path attacker that sees the COOKIE in the clear. >>> So what attack does this really counter? >> >> Ah, no, apologies, it doesn’t. (I’ll blame this on my DNSSEC muscle memory). I should know better. I’ll try again: >> >> There is text in the document that specifies what the monitoring agent should do if cookies are not used: >> >> Section 6.3: >> >> The monitoring agent SHOULD respond to queries received over UDP that >> have no DNS COOKIE set with a response that has the truncation bit >> (TC bit) set to challenge the resolver to re-query over TCP. > > So it is not the benefit of the client/resolver, but the benefit of the > monitoring agent getting some more confidence the report is not spoofed. > Maybe make that more explicit in the text? > >>> This sounds more like an attempt for a mechanism for the monitoring agent >>> to determine that the incoming report is not send from a spoofed address, >>> but it wouldn't work like that. Setting the TC would work, provided the >>> client comes back. Or if the monitoring agent would demand a COOKIE >>> before answering (even if the answer is not the actual data the resolver >>> wants anyway). If the monitoring agent requests a COOKIE, it would force >>> the resolver to resend with the COOKIE, proving it is not just a spoofed >>> packet. But that would always result in double the load to the >>> monitoring agent. >> >> A cookie may be set due to an earlier transaction, no? > > Which earlier transaction? If "er.otherdomain.example" is > used for receiving only failure reports? I guess NS queries for > "otherdomain.example" could trigger those. I am not sure what the current > practise of DNS COOKIES is. Do responders only request it when they see > their answer would be bigger than the question, or will they always > ask for it? Can it be enabled per-domain, so you enable it "always" > only for the error reporting zone? > > I can also see the case where resolvers might not want to invest in TCP > connections for error reporting, and might decide to not report errors at > all in such cases. So I am not sure the DNS COOKIES and/or TC strategy is > the right one, unless it would only trigger after receiving repetitive > reports. But if the reports are repetitive, no need to tell clients to > come back with TCP, since you presumable already know the error they > are wanting to report. I feel I am missing some guidance here. > > Perhaps this can be further explored in an Operational Considerations > section? You can respond with BADCOOKIE if there isn’t a server cookie. Still much cheaper than TCP. named’s 'require-server-cookie yes;’ does this. All nameservers that implement DNSCOOKIE should handle this as part of their recursive query handling. ``` % dig +showbadcookie +qr soa . ; <<>> DiG 9.19.20-dev <<>> +showbadcookie +qr soa . ;; global options: +cmd ;; Sending: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48594 ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 287badf367f9a396 ;; QUESTION SECTION: ;. IN SOA ;; QUERY SIZE: 40 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: BADCOOKIE, id: 48594 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 287badf367f9a3960100000065cd4b21b108c8b316f0d5cc (good) ;; QUESTION SECTION: ;. IN SOA ;; Query time: 2 msec ;; SERVER: ::1#53(::1) (UDP) ;; WHEN: Thu Feb 15 10:22:09 AEDT 2024 ;; MSG SIZE rcvd: 56 ;; BADCOOKIE, retrying. ;; Sending: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47057 ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 287badf367f9a3960100000065cd4b21b108c8b316f0d5cc ;; QUESTION SECTION: ;. IN SOA ;; QUERY SIZE: 56 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47057 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 287badf367f9a3960100000065cd4b21b108c8b316f0d5cc (good) ;; QUESTION SECTION: ;. IN SOA ;; ANSWER SECTION: . 426 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024021302 1800 900 604800 86400 ;; Query time: 0 msec ;; SERVER: ::1#53(::1) (UDP) ;; WHEN: Thu Feb 15 10:22:09 AEDT 2024 ;; MSG SIZE rcvd: 131 % ``` > Paul > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [Tsv-art] Tsvart telechat review of draft-ietf-dn… Gorry Fairhurst via Datatracker
- Re: [Tsv-art] [DNSOP] Tsvart telechat review of d… Roy Arends
- Re: [Tsv-art] [Last-Call] [DNSOP] Tsvart telechat… Paul Wouters
- Re: [Tsv-art] [Last-Call] [DNSOP] Tsvart telechat… Roy Arends
- Re: [Tsv-art] [Last-Call] [DNSOP] Tsvart telechat… Paul Wouters
- Re: [Tsv-art] [DNSOP] [Last-Call] Tsvart telechat… Mark Andrews
- Re: [Tsv-art] [DNSOP] [Last-Call] Tsvart telechat… Mark Andrews