IETF Logo Mail Archive

Re: [Tsv-art] [DNSOP] [Last-Call] Tsvart telechat review of draft-ietf-dnsop-dns-error-reporting-07

Mark Andrews <marka@isc.org> Thu, 15 February 2024 00:01 UTC

Return-Path: <marka@isc.org>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D4C6C151082; Wed, 14 Feb 2024 16:01:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="rPO3bOFe"; dkim=pass (1024-bit key) header.d=isc.org header.b="KTo3fE1Q"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yMfyJIgHvAfP; Wed, 14 Feb 2024 16:01:26 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1402C15107E; Wed, 14 Feb 2024 16:01:24 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id DFE9E3AB1B5; Thu, 15 Feb 2024 00:01:23 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org DFE9E3AB1B5
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1707955283; cv=none; b=T0SU5LQ45hDeicI2ZY8eqQvmJzeYGmhGlEulCYxuwpGoUg9diuCFPN3PdipKcMPvj4zey9fcbMEWXZrm2DOncq5Uw590l7Atcic2yuzeTAyTsDuixMECUN2z4YX2WLeRtd2gvXP62Y4/NLpDmK9EiCfOl5Yq4elZTAQh7BOfmck=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1707955283; c=relaxed/relaxed; bh=J1k4KPWvM2KPP5V/IadnaQT4pcqoZ4ejxi4ObI6DXnI=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=pLPV+TOTu1/NSw1KJ0BMm/JzO0bEyVMxR6ViGRPP7KM/GY7fBFxamw1zgeMXqegTk9EzcwXRAVZir/7JYZdgd+bFmZW0Z3CbeKZHsY6jfMlFcifcbK5/YZt/yrhr8sTZJRWVcs0UP3m8QNUBTDWmhehnZPR6lzg70nMywfVYCUE=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org DFE9E3AB1B5
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1707955283; bh=IvjN8pAe/te6I1Wr563PegyysG7nC1PF8gsDTm0RnNY=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=rPO3bOFeLKdG6k50mut6q18q7sOhPV4gzVG1xfk1B+M04W7Os5DSMWgDJrSn8h5aU DhoN+CvAfvJlndV60JI2yWDtgU+e6FI9tqKMuBOjPwN7W83jPD0OcRnNOpkPzMz7vU i7gkl30wriWaSL31c4y2d6zq/Mnop8wrkFGKu8S4=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id DA052F69270; Thu, 15 Feb 2024 00:01:23 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id B7999F69285; Thu, 15 Feb 2024 00:01:23 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org B7999F69285
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1707955283; bh=J1k4KPWvM2KPP5V/IadnaQT4pcqoZ4ejxi4ObI6DXnI=; h=Mime-Version:From:Date:Message-Id:To; b=KTo3fE1QftRH0UxVbR5m/0P3QhNwFn8Mc7kAEnzjU1RrT6LBJADGIye2cTjGoc8Q7 CdLa+q0Cg6juUkOrsXLBcw1dJEmGqEerwyqYYvTChYDIf2lp1pL27AqaxQA0SO/+AG NQhaRy3pJWCKS4cklhdZn3FGUb3Fl7DinYd9OmFY=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id iYi94R0pMe_a; Thu, 15 Feb 2024 00:01:23 +0000 (UTC)
Received: from smtpclient.apple (n49-187-27-239.bla1.nsw.optusnet.com.au [49.187.27.239]) by zimbrang.isc.org (Postfix) with ESMTPSA id 3F3CEF69270; Thu, 15 Feb 2024 00:01:22 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <B7189887-05F2-42F6-BC55-9CA506BC2892@isc.org>
Date: Thu, 15 Feb 2024 11:01:09 +1100
Cc: Roy Arends <roy@dnss.ec>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, tsv-art@ietf.org, dnsop <dnsop@ietf.org>, draft-ietf-dnsop-dns-error-reporting.all@ietf.org, last-call@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A3058262-FFE6-4AA9-A9BC-5933829282AF@isc.org>
References: <170195243214.35471.15139593366465856989@ietfa.amsl.com> <73358628-DFCD-4048-A3D7-FFA2BCF3573D@dnss.ec> <8558549e-6967-1f5b-df6b-23c2785d2ba6@nohats.ca> <5F8E9601-0839-4DAA-A524-A322133187B1@dnss.ec> <c64fea26-8863-013a-4574-68ca9de912ba@nohats.ca> <B7189887-05F2-42F6-BC55-9CA506BC2892@isc.org>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/AJL2VLJPxhGtpqDHx5yWZ62kfUU>
Subject: Re: [Tsv-art] [DNSOP] [Last-Call] Tsvart telechat review of draft-ietf-dnsop-dns-error-reporting-07
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Feb 2024 00:01:30 -0000

The RRL code also sends BADCOOKIE if there isn’t a server cookie instead
of setting TC=1.

> On 15 Feb 2024, at 10:27, Mark Andrews <marka@isc.org> wrote:
> 
> 
> 
>> On 15 Feb 2024, at 03:03, Paul Wouters <paul@nohats.ca> wrote:
>> 
>> On Wed, 14 Feb 2024, Roy Arends wrote:
>> 
>>>>> It is recommended that the client (the resolver) sets the DNS COOKIE. The benefit of using cookies is for the client. It is to make sure that the response is genuine.
>>>> Does it? Not for an on-path attacker that sees the COOKIE in the clear.
>>>> So what attack does this really counter?
>>> 
>>> Ah, no, apologies, it doesn’t. (I’ll blame this on my DNSSEC muscle memory). I should know better. I’ll try again:
>>> 
>>> There is text in the document that specifies what the monitoring agent should do if cookies are not used:
>>> 
>>> Section 6.3:
>>> 
>>> The monitoring agent SHOULD respond to queries received over UDP that
>>> have no DNS COOKIE set with a response that has the truncation bit
>>> (TC bit) set to challenge the resolver to re-query over TCP.
>> 
>> So it is not the benefit of the client/resolver, but the benefit of the
>> monitoring agent getting some more confidence the report is not spoofed.
>> Maybe make that more explicit in the text?
>> 
>>>> This sounds more like an attempt for a mechanism for the monitoring agent
>>>> to determine that the incoming report is not send from a spoofed address,
>>>> but it wouldn't work like that. Setting the TC would work, provided the
>>>> client comes back. Or if the monitoring agent would demand a COOKIE
>>>> before answering (even if the answer is not the actual data the resolver
>>>> wants anyway). If the monitoring agent requests a COOKIE, it would force
>>>> the resolver to resend with the COOKIE, proving it is not just a spoofed
>>>> packet. But that would always result in double the load to the
>>>> monitoring agent.
>>> 
>>> A cookie may be set due to an earlier transaction, no?
>> 
>> Which earlier transaction? If "er.otherdomain.example" is
>> used for receiving only failure reports? I guess NS queries for
>> "otherdomain.example" could trigger those. I am not sure what the current
>> practise of DNS COOKIES is. Do responders only request it when they see
>> their answer would be bigger than the question, or will they always
>> ask for it? Can it be enabled per-domain, so you enable it "always"
>> only for the error reporting zone?
>> 
>> I can also see the case where resolvers might not want to invest in TCP
>> connections for error reporting, and might decide to not report errors at
>> all in such cases. So I am not sure the DNS COOKIES and/or TC strategy is
>> the right one, unless it would only trigger after receiving repetitive
>> reports. But if the reports are repetitive, no need to tell clients to
>> come back with TCP, since you presumable already know the error they
>> are wanting to report. I feel I am missing some guidance here.
>> 
>> Perhaps this can be further explored in an Operational Considerations
>> section?
> 
> You can respond with BADCOOKIE if there isn’t a server cookie.  Still much
> cheaper than TCP.  named’s 'require-server-cookie yes;’ does this.  All
> nameservers that implement DNSCOOKIE should handle this as part of their
> recursive query handling.
> 
> 
> ```
> % dig +showbadcookie +qr soa .
> 
> ; <<>> DiG 9.19.20-dev <<>> +showbadcookie +qr soa .
> ;; global options: +cmd
> ;; Sending:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48594
> ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 287badf367f9a396
> ;; QUESTION SECTION:
> ;. IN SOA
> 
> ;; QUERY SIZE: 40
> 
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: BADCOOKIE, id: 48594
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 287badf367f9a3960100000065cd4b21b108c8b316f0d5cc (good)
> ;; QUESTION SECTION:
> ;. IN SOA
> 
> ;; Query time: 2 msec
> ;; SERVER: ::1#53(::1) (UDP)
> ;; WHEN: Thu Feb 15 10:22:09 AEDT 2024
> ;; MSG SIZE  rcvd: 56
> 
> ;; BADCOOKIE, retrying.
> ;; Sending:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47057
> ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 287badf367f9a3960100000065cd4b21b108c8b316f0d5cc
> ;; QUESTION SECTION:
> ;. IN SOA
> 
> ;; QUERY SIZE: 56
> 
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47057
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 287badf367f9a3960100000065cd4b21b108c8b316f0d5cc (good)
> ;; QUESTION SECTION:
> ;. IN SOA
> 
> ;; ANSWER SECTION:
> . 426 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024021302 1800 900 604800 86400
> 
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1) (UDP)
> ;; WHEN: Thu Feb 15 10:22:09 AEDT 2024
> ;; MSG SIZE  rcvd: 131
> 
> % 
> ```
> 
>> Paul
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email