Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Florian Weimer]

* Olafur Gudmundsson:

 On Mar 18, 2015, at 11:55 AM, Paul Vixie p...@redbarn.org wrote:
 
 we need a document that says If you don't want to answer ANY,
 here's how to do it interoperably. we don't need to say you
 should not answer ANY, but we do need to say if you want to query
 for ANY, here's what might happen. that, sir, is a killing. we are
 killing ANY. there's no pretense.

 This is exactly what my goal is tell the upstream the type ANY will
 not be answered.

Upstream?

Is reducing the number of ANY queries an immediate goal of yours?
(Discounting any indirect effect that useless ANY answers will
have on future application changes.)

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Michael Sinatra]

On 03/18/15 01:11, Michael Sinatra wrote:

 I think there are a few issues at play.  google and other public
 recursives will sometimes have multiple backend servers fetch a given RR
 when they receive a single query for that RR on one instance of, say,
 8.8.8.8.  I am basing this both on observed behavior and on Geoff
 Huston's research (recently presented at NANOG).  And since nothing is
 cached, I get the same servers asking the same query over and over
 again.  Writ large, the result is that I end up with 1-2k of
 simultaneous TCP sessions, per server, per domain.  

Just a quick qualification: This is during an active attack, not as a
normal course of events.  However, the attacks can and will last for
several weeks.

michael

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Paul Vixie]

 Paul Wouters mailto:p...@nohats.ca
 Wednesday, March 18, 2015 6:58 AM
 On Wed, 18 Mar 2015, Paul Vixie wrote:



 my proposal is, limit ANY to a selected set of source-ip addresses,
 as is commonly done with AXFR/IXFR.

 Which I answered before by saying that is basically killing the ANY
 query. The proposed solution merely pretends to not kill it by saying
 acl.

i don't think there's any pretense here about not wanting to kill, or
not killing, ANY.

the history of DNS is replete with examples of information leaks which
had to be stopped, either by ad-hoc action or by standards action.
limiting who can do zone transfers was first (BIND4 King James
Edition, 1989-ish). preventing DNSSEC zone walking was next (DNSEXT,
NSEC3, 2001-2014). now it's ANY. many things which made sense on an
academic research Internet do not make sense on a world-wide commercial
internet.

we need a document that says If you don't want to answer ANY, here's
how to do it interoperably. we don't need to say you should not answer
ANY, but we do need to say if you want to query for ANY, here's what
might happen. that, sir, is a killing. we are killing ANY. there's no
pretense.

-- 
Paul Vixie
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Paul Vixie]

Paul Wouters wrote:
 On Tue, 17 Mar 2015, Yunhong Gu wrote:

 The reason that this response can be used for an amplification attack
 is its size, not the ANY type. A responses with 200 A records can be
 used for the same purpose. The (even deeper) root cause is the use of
 UDP in DNS protocol. I just do not think banning ANY touches any of
 these fundamental issues.

 Right, so require tcp or eastlake cookies,

that would protect third parties, but not the server itself.

 or allow padding the ANY
 request so the request/response ratio is close to 1 before allowing
 the answer.

that would not prevent the unfortunate information leak that allows
third parties to scan our caches.

 Make the dig command default to tcp. That should cover
 the vast majority of valid ANY queries.

my proposal is, limit ANY to a selected set of source-ip addresses, as
is commonly done with AXFR/IXFR.

-- 
Paul Vixie
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Paul Vixie]

note: replying only to dnsop@. no thread is ever appropriate for dnsop@
plus some other mailing list. please stop cc'ing dns-operations@ on your
replies; this is not an operational thread, and the people in the dns
community who care about protocol development, are probably on both lists.

 Mark Andrews mailto:ma...@isc.org
 Tuesday, March 17, 2015 10:10 AM

 Lets get DNS cookies finalised so that TC=1 isn't needed for repeat
 legitimate clients. ...

 TC=1 for amplification suppression should be triggered by response
 size and whether you are a known repeat client or not rather than
 {meta} query type.

to be clear, response rate limiting will still be necessary even with
dns cookies in place.

without dns cookies, the requests don't have to have correct source-ip
addresses, and thus, a dns server can be made to attack the apparent
source of those queries. rrl helps with this.

with dns cookies, the requests have to have correct source-ip addresses,
and thus, a dns server can be made to attack its own upstream
infrastructure. rrl helps with this, also.

there should of course be more strict rate limits in place for the
former, than for the latter.

-- 
Paul Vixie
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Paul Vixie]

removing dns-operations@ as a cc. one mailing list at a time, please?


Michael Sinatra wrote:
 On 3/16/15 4:15 PM, P Vixie wrote:
  Michael, what attacks do you think we can stop by limiting ANY? Paul 
 ...

 * These domains are DNSSEC-signed with NSEC3.  Many tools set the TTL of
 NSEC3PARAM to 0 when signing zones with NSEC3.  The NSEC3PARAM RR is
 part of the ANY response.

well, that's part of your problem right there. but i can see how ANY is
involved, now.


 * The public recursive servers use an implementation that clears all
 records from the cache when the TTL of one record expires, so the next
 time the recursive server gets an ANY query, it must re-query the
 authoritative server.

this is an internet-affecting bug and i hope you report it as such.
RRsets are to be purged when the lowest TTL therein expires, but the
other RRsets sharing that name should not be affected. can i ask which
public facing dns service has mandated that the rest of us juggle their
chainsaws for them in this way? (this is even worse than the jerk who
decided that EDNS could use IP fragmentation -- but i think that guy has
apologized at least.)

 In this situation, if I set TC=1 for all ANY queries on my authoritative
 server, but the public recursives don't, then the victim still gets hit
 with a pretty big amplification attack, and my authoritative servers get
 hammered with TCP queries.

hammered sounds like a volume greater than that which would be
detected and strangled with DNS RRL. what am i missing here, that makes
this your problem, rather than the public recursive dns operator's problem?

 ...

 So my point is that if we're going to specify TC=1 for ANY queries, it
 has to be mandatory, and all implementations have to handle it the same:
 Send an empty NOERROR and set TC=1.  If I am the only one setting TC=1,
 it won't doing any good for the attack described above, even if my
 domains are the ones being used in the attack.

 The other option is to allow the authoritative servers to control what
 gets set out in response to QTYPE=ANY.  But I see devils in the details,
 just as with NOTIMP and other proposals.

i think there's no saving ANY at this point. we're deciding how it dies
and where to bury it, that's all.

however, you've provided an example of an ANY attack that can't be
trivially switch to TXT, so, thank you.

-- 
Paul Vixie
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Paul Wouters]

On Tue, 17 Mar 2015, Yunhong Gu wrote:


The reason that this response can be used for an amplification attack is its 
size, not the ANY type. A responses
with 200 A records can be used for the same purpose. The (even deeper) root 
cause is the use of UDP in DNS protocol.
I just do not think banning ANY touches any of these fundamental issues.


Right, so require tcp or eastlake cookies, or allow padding the ANY
request so the request/response ratio is close to 1 before allowing
the answer. Make the dig command default to tcp. That should cover
the vast majority of valid ANY queries.

Paul

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Michael Sinatra]

On 03/16/15 18:07, Yunhong Gu wrote:
 
 
 On Mon, Mar 16, 2015 at 8:50 PM, Michael Sinatra mich...@brokendns.net
 mailto:mich...@brokendns.net wrote:
 
 On 3/16/15 4:15 PM, P Vixie wrote:
 
 
  On March 17, 2015 7:42:09 AM GMT+09:00, Michael Sinatra 
 mich...@brokendns.net mailto:mich...@brokendns.net wrote:
 
 
  On 03/16/15 07:23, bert hubert wrote:
 
  Separately, I fail to see why we actually need to outlaw ANY queries
  when we
  can happily TC=1 them.
 
  If the public recursives also support TC=1 on all ANY queries, then
  this
  works.  If not, the issue arises where just-below-the-radar attacks are
  using many public recursives, in which case you're not stopping much.
 
  Michael, what attacks do you think we can stop by limiting ANY? Paul
 
 The attack that I have had to grapple with is this:
 
 * Someone sets up a bot to query public recursives (google, opendns,
 level3, etc.) for a particular domain whose ANY response is large.
 (This _usually_ means DNSSEC-signed.)
 
 * The query from each client,domain,qtype tuple is just barely slow
 enough not to trigger rate limiting from the public recursive service.
 
 * The backend of the public recursive service queries my authoritatives
 for some of the involved domains.  Suppose the response is just under
 the usual typical default EDNS0 buffer size of 4096.
 
 * These domains are DNSSEC-signed with NSEC3.  Many tools set the TTL of
 NSEC3PARAM to 0 when signing zones with NSEC3.  The NSEC3PARAM RR is
 part of the ANY response.
 
 
 Sounds to me this is the root cause of the problem and ANY is the just a
 scapegoat.

Giving NSEC3PARAM a positive TTL would prevent my headache, but it
wouldn't help the victim of the attack, and would probably make it worse
for the victim.

michael

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[bert hubert]

On Mon, Mar 16, 2015 at 11:53:17PM +0900, Paul Vixie wrote:
 that is not the use case for this. the updated document makes clear that
 the iteration complexity in split-authority systems having a lightweight
 front end, is the situation where ANY is painful.

Sorry? We solve implementation hardship by standards action now?

   Some modern Authoritative servers, such as those used by CDN's, do
   not have DNS zones.  For those servers answering ANY query truthfully
   is hard work.  Thus ignoring ANY queries simplifies the
   implementation.

Is this really all there is to the story? Seriously? 

I have lots of respect for Olafur, but this does seem to turn a local
challenge into a global standards action..

Bert

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Ray Bellis]

 On 16 Mar 2015, at 15:05, bert hubert bert.hub...@netherlabs.nl wrote:
 
 Sorry? We solve implementation hardship by standards action now?
 
   Some modern Authoritative servers, such as those used by CDN's, do
   not have DNS zones.  For those servers answering ANY query truthfully
   is hard work.  Thus ignoring ANY queries simplifies the
   implementation.
 
 Is this really all there is to the story? Seriously? 
 
 I have lots of respect for Olafur, but this does seem to turn a local
 challenge into a global standards action..

Hypothetically, if you're using one of those funky NoSQL-style backends where 
RRs are looked up in a key-value store directly from a (QNAME, QTYPE) tuple I 
can see how supporting QTYPE == ANY would be tricky.

The fact that ANY exists can put some significant implementation constraints 
on your system :(

Ray

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[bert hubert]

On Mon, Mar 16, 2015 at 03:16:08PM +, Ray Bellis wrote:

 Hypothetically, if you're using one of those funky NoSQL-style backends
 where RRs are looked up in a key-value store directly from a (QNAME,
 QTYPE) tuple I can see how supporting QTYPE == ANY would be tricky.

At DNS query rates, you could just query purely based on the name as the
key. You'd have to do so anyhow to determine what kind of NXDOMAIN/NOERROR
response to generate!

Or are we going to flatten that distinction too to ease implementation?

Bert

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Paul Vixie]

 bert hubert mailto:bert.hub...@netherlabs.nl
 Monday, March 16, 2015 11:23 PM
 On Mon, Mar 09, 2015 at 04:18:12PM +0100, bert hubert wrote:
 On Mon, Mar 09, 2015 at 11:08:03AM -, D. J. Bernstein wrote:
 My qmail software is very widely deployed (on roughly 1 million SMTP
 server IP addresses) and, by default, relies upon ANY queries in a way
 that is guaranteed to work by the mandatory DNS standards.
 (...)
 Do you think I read 4.3.2 wrong? Or is there another RFC that updates the
 algorithm?

 Thanks to some clarification from Dan, I now understand that one can indeed
 rely on ANY queries to resolvers to either deliver a CNAME or no CNAME, in
 which case there is no CNAME. 

i'd like to see those clarifications. if any non-CNAME RRset had existed
and been cached, and then replaced by a CNAME, then ANY would not see
the CNAME until the last non-CNAME RRset had expired from that cache.

which is why, when i want to know if there is a CNAME, i ask if there's
a CNAME.

i realize that this only matters when the non-CNAME TTL's are one to two
weeks long, and weren't trimmed before replacement with the CNAME.
however, that situation is common enough that i dispute the phrase
quoted above, guaranteed to work by mandatory DNS standards.


 Separately, I fail to see why we actually need to outlaw ANY queries when we
 can happily TC=1 them. 

TC=1'ing them would be a way to prevent them from being used as an
amplifying reflector. that is not the use case for this. the updated
document makes clear that the iteration complexity in split-authority
systems having a lightweight front end, is the situation where ANY is
painful.

there never was an ANY-related problem for which TC=1 was the solution.

-- 
Paul Vixie
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Ray Bellis]

 On 16 Mar 2015, at 15:22, bert hubert bert.hub...@netherlabs.nl wrote:
 
 At DNS query rates, you could just query purely based on the name as the
 key. You'd have to do so anyhow to determine what kind of NXDOMAIN/NOERROR
 response to generate!

Yes, that's a good point :)

 Or are we going to flatten that distinction too to ease implementation?

No, we had that argument already - NOERROR is definitely the right error for an 
empty non-terminal ;-)

Ray

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Paul Vixie]

 Nicholas Weaver mailto:nwea...@icsi.berkeley.edu
 Sunday, March 15, 2015 4:44 AM
 On Mar 13, 2015, at 7:59 PM, Paul Vixie p...@redbarn.org wrote:

 Nicholas Weaver Saturday, March 14, 2015 5:07 AM

 ...

 Overall, unless you are validating on the end host rather than the 
 recursive resolver, DNSSEC does a lot of harm from misconfiguration-DOS, 
 but almost no good.
 several of us jumped for joy in 2008 when kaminsky showed rdns poisoning to 
 be a trivial exercise, because it finally provided justification for what 
 was at that time 12 years of apparently-wasted effort on DNSSEC.

 But it didn't justify DNSSEC, even at the time.

no, of course not. dnssec was well justified by the need for new
dnssec-aware applications such as DANE. all we got from kaminsky was a
whip to frighten the crowds with.

 Between actually adding in a bit more entropy in the request through 0x20 and 
 port randomization, and more importantly cleaning up the glue policy for 
 recursive resolvers (which Unbound did), you close the door on off-path 
 attackers: both making races harder AND eliminating the race until win 
 property.

i wish this were so. but 0x20 didn't add enough bits on average-sized
names, and furthermore, a lot of RDNS servers are behind NAT. (CGN is a
reality, in japan.) NAT's source port derandomization is as dangerous as
we thought. far too many RDNS servers were never patches, or were
patched but NAT'ed.

 so we'll keep pushing the crap system we have, uphill all the way, noone 
 loving it, and almost everyone in fact hating it. we've now spent more 
 calendar- and person-years on DNSSEC than was spent on the entire IPv4 
 protocol suite (including DNS itself) as of 1996 when the DNSSEC effort 
 began. ugly, ugly, ugly.

 At which point is it sunk cost fallacy?

it always has been. we needed end-to-end authentication, because of
bullshit like SOPA, and ad-insertion, and DNS Changer. the DNS
resolution path looks like raw meat for the BBQ's of every ISP and many
ASP's and governments and criminals and oh my. but DNSSEC was the wrong
answer, architecturally, because it tried to secure the middle of the
data path rather than the ends, and no dnssec-aware endpoint can get
DNSSEC if they are behind a non-dnssec-aware RDNS or CPE. it's been an
inarguable clusterfsck for the last ten years. we are so far into the
sunk cost fallacy on DNSSEC that we can't even see or remember our
starting conditions any more.

 DNS is insecure, live with it may be the best answer.  Why keep throwing 
 good effort after bad?

it's not, though, the best answer. we have to secure the DNS resolution
path. what's in doubt is whether DNSSEC can do this, or if it can,
whether it's the best way to have done this.


 It certainly is a hell of a lot better than the DOS attack that is recursive 
 resolver validation which provides almost no meaningful security gain.

don't get bent about dnssec as an amplifier. TXT is also a fine
amplifier. but in many DDoS victim data paths, the bottleneck is defined
in terms of number of packets processed, not the number of bits
processed, so a non-amplifying reflector is still quite valuable to
attackers. even an attenuator at the bit level is quite valuable. (an
attenuator at the packet level is not valuable to attackers, which is
why RRL uses SLIP=2 as a default.)

in other words we had to, and still have to, solve the reflector problem
-- with or without DNSSEC. andrews/eastlake dns cookies will do that.
and once we've done that, DNSSEC as a DoS vector will be just another
dead meme.

 If I was Comcast, after the HBO DNSSEC mess-up, on top of previous mess-ups 
 where Comcast inevitably gets the blame, I'd be really really tempted to turn 
 OFF DNSSEC validation.  It has failed.

i know what you mean and i'd face the same temptation. i wonder if there
has ever been a validation failure in the comcast resolver complex that
wasn't due to a keying/signing cockup by the domain holder -- that is,
if comcast has to have negative trust anchors to protect its validation
investment, what's the upside? could they defend their users just as
well by not running validation at all, so that keying/signing problems
don't have to be managed by the comcast NOC?

what matters for DNSSEC is the end-to-end case. as long as comcast is
running DNSSEC-aware resolvers, they don't need to validate anything in
order to make DNSSEC applications like DANE workable for their
customers. and i'd rather see them turn off validation than see negative
trust anchors added to the specification.

-- 
Paul Vixie
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[David Conrad]

Hi,

 DNS is insecure, live with it may be the best answer. Why keep throwing 
 good effort after bad?
 it's not, though, the best answer. we have to secure the DNS resolution path.

Probably a terminology issue, but I think we need to secure the data, not the 
resolution path.

I'm not a particular fan of DNSSEC for a number of reasons, however what the 
Kaminsky thing demonstrated to me was that as long as the data is not 
protected, there are going to be path-based attacks that are going to allow for 
compromise. I see DNSSEC as a way of being able to stop playing whack-a-mole 
with those path-based attacks.

  i'd rather see them turn off validation than see negative trust anchors 
 added to the specification.

Simply: I believe without NTAs, DNSSEC will not get deployed except by a few 
'true believers'.

Regards,
-drc



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Ted Lemon]

On Mar 15, 2015, at 6:14 AM, Mark Andrews ma...@isc.org wrote:
 Can we kill this myth that recursive servers do not need to validate
 because they do need to validate for DNSSEC to work reliably.  DNSSEC
 only work without validation in the middle if no one is spoofing, dropping
 RRSIGs etc.  The moment there is anything other than only good answers
 being cached things will go wrong.

+1

Of course, what goes wrong is that the response can't be validated, so DNSSEC 
is still doing its job, but it can prevent cache poisoning if validation is 
done in the cache, and cannot if it is not.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Nicholas Weaver]

 On Mar 13, 2015, at 7:59 PM, Paul Vixie p...@redbarn.org wrote:

  Nicholas Weaver Saturday, March 14, 2015 5:07 AM
 
 ...
 
 Overall, unless you are validating on the end host rather than the 
 recursive resolver, DNSSEC does a lot of harm from misconfiguration-DOS, 
 but almost no good.
 
 several of us jumped for joy in 2008 when kaminsky showed rdns poisoning to 
 be a trivial exercise, because it finally provided justification for what was 
 at that time 12 years of apparently-wasted effort on DNSSEC.

But it didn't justify DNSSEC, even at the time.

Between actually adding in a bit more entropy in the request through 0x20 and 
port randomization, and more importantly cleaning up the glue policy for 
recursive resolvers (which Unbound did), you close the door on off-path 
attackers: both making races harder AND eliminating the race until win 
property.

In fact, several have viewed the glue policy cleanup which gets to the root 
cause of the Kaminski problem as detrimental specifically because of the desire 
to force DNSSEC adoption.

 so we'll keep pushing the crap system we have, uphill all the way, noone 
 loving it, and almost everyone in fact hating it. we've now spent more 
 calendar- and person-years on DNSSEC than was spent on the entire IPv4 
 protocol suite (including DNS itself) as of 1996 when the DNSSEC effort 
 began. ugly, ugly, ugly.

At which point is it sunk cost fallacy?

DNS is insecure, live with it may be the best answer.  Why keep throwing good 
effort after bad?


It certainly is a hell of a lot better than the DOS attack that is recursive 
resolver validation which provides almost no meaningful security gain.

If I was Comcast, after the HBO DNSSEC mess-up, on top of previous mess-ups 
where Comcast inevitably gets the blame, I'd be really really tempted to turn 
OFF DNSSEC validation.  It has failed.

--
Nicholas Weaver  it is a tale, told by an idiot,
nwea...@icsi.berkeley.edufull of sound and fury,
510-666-2903 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Nicholas Weaver]

 On Mar 13, 2015, at 10:21 AM, Morizot Timothy S timothy.s.mori...@irs.gov 
 wrote:
 It’s been steadily increasing for years now and gives me an idea what 
 percentage of the US public is protected against certain types of attacks 
 involving our zones. DNSSEC validation is not a panacea, but in a layered 
 approach toward combating fraud and certain sorts of attacks, it does provide 
 a particular sort of protection not available through any other means. 
 Whether or not ISPs sign their authoritative zones matters much less to us 
 than whether or not they implement DNSSEC validation on their recursive 
 nameservers. And that’s not a failure at all. By the measure above (which 
 isn’t perfect, but the best one available) roughly a fifth to a quarter of 
 the US public, the primary consumers of our zones, exclusively use validating 
 nameservers. That’s significant. Would I like to see it higher? Sure. But 
 I’ll take it.
 

The problem is validation by the recursive resolver is nearly useless for 
security, but one heck of an effective DOS attack (NASA, HBO, etc)...

Lets look at what real world attacks on DNS are.

a:  Corrupt the registrar.  DNSSEC do any good?  Nope.

b:  Corrupt the traffic in-flight (on-path or in-path).  DNSSEC do any good?  
Only if the attacker is not on the path for the final traffic, but just the DNS 
request.

c:  The recursive resolver lies.  Why would you trust it to validate?

d:  The NAT or a device between the recursive resolver and the user lies.  
Again, validation from the recursive resolver works how?


Overall, unless you are validating on the end host rather than the recursive 
resolver, DNSSEC does a lot of harm from misconfiguration-DOS, but almost no 
good.

--
Nicholas Weaver  it is a tale, told by an idiot,
nwea...@icsi.berkeley.edufull of sound and fury,
510-666-2903 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Morizot Timothy S]

Nonsense.

I'm not sure exactly what sort of attack profile you have in mind at the 
registrar with a, but given that the TTL for DS records is generally 24 hours, 
most attacks at that level will create pretty widespread DNSSEC validation 
errors for at least that initial day. DNSSEC validation helps a great deal.

B  d are issues securing the first hop if validation is not done on the 
endpoint itself. Those are valid, but do not mean that DNSSEC validation 
provides no protection. It certainly protects against an array of cache 
poisoning attacks even in that configuration. And that's protection the clients 
would not otherwise have. It definitely makes it a lot harder to use DNS as an 
attack vector with nobody noticing. One layer of a layered approach.

C is certainly a problem if you don't validate on the end point and trust any 
random nameserver on any network to which you connect.

However, most enterprise clients and ISP users do tend to have a reliable and 
reasonably secure path to their first hop recursive nameserver. It's not nearly 
as secure as validating on the client, but it's much more secure than having no 
validation whatsoever.

Nor is DNSSEC validation a DOS vector. That's a non sequitur and frankly a 
pretty silly assertion. Yes, an organization can break their own authoritative 
DNS (which is related to signing not validation), but frankly DNSSEC is just 
one of many ways an organization can screw up DNS or anything else in their 
network. It's best to know what you're doing. Organizations will learn. If you 
haven't implemented DNSSEC validation yourself, you may not have noticed, but 
US government agency management of DNSSEC has improved greatly with experience. 
Outages due to error are less and less common and usually limited in scope when 
they occur. Since we've been validating all Internet responses for four years 
and counting now (and tend to interact quite a bit with other agencies), we 
have noticed the improvement. Refusing to return results when the authoritative 
DNS response fails validation is good thing, not a bad thing, even when it's 
the authoritative zone administrators who screwed up their own zone.

DNSSEC validation is not a panacea, but if you refuse to implement it you are 
denying your users one layer of protection you could pretty easily provide. And 
given that in the US the large majority of federal agency DNS authoritative 
zones are signed, you also can't claim there's no benefit to the US public from 
validation. Implementing validation on recursive nameservers does not protect 
users from every attack. Nothing does. Nor is it as good as performing 
validation at the client. But it is a solid first step with real security 
benefits. And it's a step that can be followed and built upon with further 
enhancements later.

Scott

-Original Message-
From: Nicholas Weaver [mailto:nwea...@icsi.berkeley.edu] 
Sent: Friday, March 13, 2015 3:08 PM
To: Morizot Timothy S
Cc: Nicholas Weaver; dnsop@ietf.org
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS 
standards


 On Mar 13, 2015, at 10:21 AM, Morizot Timothy S timothy.s.mori...@irs.gov 
 wrote:
 It’s been steadily increasing for years now and gives me an idea what 
 percentage of the US public is protected against certain types of attacks 
 involving our zones. DNSSEC validation is not a panacea, but in a layered 
 approach toward combating fraud and certain sorts of attacks, it does provide 
 a particular sort of protection not available through any other means. 
 Whether or not ISPs sign their authoritative zones matters much less to us 
 than whether or not they implement DNSSEC validation on their recursive 
 nameservers. And that’s not a failure at all. By the measure above (which 
 isn’t perfect, but the best one available) roughly a fifth to a quarter of 
 the US public, the primary consumers of our zones, exclusively use validating 
 nameservers. That’s significant. Would I like to see it higher? Sure. But 
 I’ll take it.
 

The problem is validation by the recursive resolver is nearly useless for 
security, but one heck of an effective DOS attack (NASA, HBO, etc)...

Lets look at what real world attacks on DNS are.

a:  Corrupt the registrar.  DNSSEC do any good?  Nope.

b:  Corrupt the traffic in-flight (on-path or in-path).  DNSSEC do any good?  
Only if the attacker is not on the path for the final traffic, but just the DNS 
request.

c:  The recursive resolver lies.  Why would you trust it to validate?

d:  The NAT or a device between the recursive resolver and the user lies.  
Again, validation from the recursive resolver works how?


Overall, unless you are validating on the end host rather than the recursive 
resolver, DNSSEC does a lot of harm from misconfiguration-DOS, but almost no 
good.

--
Nicholas Weaver  it is a tale, told by an idiot,
nwea...@icsi.berkeley.edufull of sound and fury,
510-666-2903

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Colm MacCárthaigh]

On Thu, Mar 12, 2015 at 4:09 PM, Mark Andrews ma...@isc.org wrote:

 In message 3d558422-d5da-4434-bded-e752ba353...@flame.org, Michael Graff 
 writes:
 What problem are we specifically trying to solve here again?

 A non-problem for most of us.

 Michael

 If one really wants to reduce the number of packets required with
 SMTP processibg just write a RFC that says A and  records should
 be returned in the additional section if no MX records exist at the
 qname.  This is currently permitted so vendors could do this today.

For some data; Route 53 does do this for MX, NS, SRV and CNAME. It's
never been a problem, and does seem to speed up processing a little.

-- 
Colm

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Paul Vixie]

 Nicholas Weaver mailto:nwea...@icsi.berkeley.edu
 Saturday, March 14, 2015 5:07 AM

 ...

 Overall, unless you are validating on the end host rather than the
 recursive resolver, DNSSEC does a lot of harm from
 misconfiguration-DOS, but almost no good.

several of us jumped for joy in 2008 when kaminsky showed rdns poisoning
to be a trivial exercise, because it finally provided justification for
what was at that time 12 years of apparently-wasted effort on DNSSEC.

you're entirely right that the end-system case (for example, DANE) is
the only actual justification for the added costs and risks of Secure
DNS, and you'd be right if you said that the current system is both
over- and under-engineered for this sole actual use case.

because it takes so many years to get everybody's permission to make any
change to the DNS protocol, and so many more years to get everybody's
permission to make any change of this magnitude to the root zone, the
cost of giving up and starting over necessarily includes not just the
tear-down but the re-negotiation. not practical.

so we'll keep pushing the crap system we have, uphill all the way, noone
loving it, and almost everyone in fact hating it. we've now spent more
calendar- and person-years on DNSSEC than was spent on the entire IPv4
protocol suite (including DNS itself) as of 1996 when the DNSSEC effort
began. ugly, ugly, ugly.

-- 
Paul Vixie
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[D. J. Bernstein]

I remain puzzled at the entire technological motivation that CloudFlare
claims for this deliberate creation of interoperability problems.

In particular, what exactly is the programming difficulty that they
claim they're encountering in implementing QTYPE=*? Are they also having
trouble implementing NXDOMAIN, which from a programming perspective is a
very similar unification of data across all types?

The rest of this message identifies specific rules that CloudFlare's
threatened plan will violate in IETF's mandatory DNS standards.

David C Lawrence writes:
 RFC 1035 explicitly allows for a server to indicate that a kind of
 query is not implemented. Whether it is a good idea to respond to ANY
 this way is a separate argument that is worth having. You just won't
 win on the foundation that it is a violation of the standard.

Let's look at what the standards actually say.

RFC 1034 clearly defines QTYPE=* to match all RR types, along with,
e.g., QTYPE=A to match just that type. It explicitly says that the
name server looks for matching RRs.

CloudFlare's stated plans will violate this rule. This matching for
QTYPE=* is precisely what CloudFlare claims is too hard to implement!

You claim that this violation of a rule in IETF's mandatory DNS
standards doesn't constitute a violation of the standards. Evidently
you believe that the standards contain some relevant exception to the
rule. What exactly do you claim that this exception is?

The foundation for your argument, apparently, is the fact that RFC 1035
defines a syntax for a NOTIMP response. But why do you think this is of
any relevance to the matching RRs rule? The rule doesn't say the name
server looks for matching RRs, except for types that the server doesn't
want to bother implementing. Where exactly, and what exactly, is the
CloudFlare exception?

Do you believe that the availability of a NOTIMP syntax overrides all
other rules and frees the server to use this syntax for anything that it
doesn't want to implement? Here's a hypothetical example to consider:

   * A very large cache operator is opposed to the usage of DNSSEC. (The
 operator's reason for this isn't relevant to this example.)

   * To deter usage of DNSSEC, the cache operator decides to create
 large-scale DNSSEC interoperability problems, augmenting DNSSEC's
 existing fragility.

   * Specifically, the cache operator issues DNSSEC queries to servers;
 and then, if a server response shows DNSSEC support, the cache
 operator returns NOTIMP to clients for _all_ of the server's data.

   * To avoid any sudden changes, the cache operator slowly ramps up
 this behavior, turning on the DNSSEC queries with higher and higher
 probability as time passes, but jumping immediately to probability
 1 for servers that don't show DNSSEC support.

   * To justify the use of NOTIMP, the cache operator claims that it
 _wanted_ to implement actually returning DNSSEC records to clients
 but found this too complicated given geoip blah blah blah, so it
 had to return NOTIMP. It quotes your claim that RFC 1035
 explicitly allows returning NOTIMP.

Would you call this cache behavior compliant with the mandatory DNS
standards? No? Why not? Why isn't the cache free to use NOTIMP whenever
it hasn't implemented something? Are you quite sure that you've thought
through what you're claiming?

Let's continue looking at the mandatory DNS standards. RFC 1034
explicitly allows not-implemented queries in _some_ cases, such as
inverse queries:

   Implementation of this service is optional in a name server, but all
   name servers must at least be able to understand an inverse query
   message and return a not-implemented error response.

RFC 1035 is also quite clear about this:

   Inverse queries are an optional part of the DNS. Name servers are
   not required to support any form of inverse queries. If a name server
   receives an inverse query that it does not support, it returns an
   error response with the Not Implemented error set in the header. 
   While inverse query support is optional, all name servers must be at
   least able to return the error response.

If the RFCs had meant to say that _all_ DNS features are optional
(leaving interoperability up to the whim of bullies, apparently what
you're endorsing), then why didn't the RFCs simply say that? Why did
they explicitly highlight particular features as being optional?

Furthermore, RFC 1123 explicitly requires DNS software to support all
well-known, class-independent formats. This is another mandatory rule
that CloudFlare's plan clearly violates. What exactly do you think this
support requirement means, if servers are free to use NOTIMP whenever
they want, for example for QTYPE=*?

RFC 1034 explicitly says that a server is free to refuse to perform
recursive services for any or all clients (and also explicitly says
that an AXFR may cause an error, such as refused) but explicitly says
that All name servers must 

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Darcy Kevin (FCA)]

Regarding the statement query type ANY 'matches all RR types CURRENTLY IN THE 
CACHE'.

Actually, there's nothing in RFC 1034 that clearly *mandates* this behavior -- 
Section 3.7.1 says only that a QTYPE of * matches all RR types, whereas 
Section 5.3.3 (Algorithm) says to return the answer or the data if it's 
in the cache, but this is ambiguous with respect to QTYPE=* (other than the 
highly-improbable case that we have RRsets for every possible RR type, how can 
we know we have the answer/the data in our cache, given that the QTYPE 
matches all RR types at the node and there might be other RRsets extant which 
don't happen to be cached at the time? Is an answer really the answer if we 
can't be sure that it satisfies the matching rule of the QTYPE definition?).

People cite the examples of Section 6.2.2 as definitive evidence that QTYPE=* 
queries can always be satisfied by whatever happens to be laying around in a 
cache, but they don't seem to notice that those were *non-recursive* queries in 
the examples, and it's their *non-recursiveness* that gives rise to the lack of 
rigor in returning a response (as it is whenever a non-recursive query is sent 
to a DNS entity that doesn't happen to be authoritative for the relevant zone). 
The required fetching behavior of a caching resolver in response to a 
*recursive* QTYPE=* query, is basically undefined by RFC 1034. Common practice 
is to treat QTYPE=* queries as effectively non-recursive, despite RD being set 
to 1, if *any* relevant RRset exists in the cache. Possibly, this is because 
the Section 6.2.2 examples were misunderstood. Or, simply because it was easier 
to code that way. A more modern concern would be that this rigor could be 
abused for possible DoS attacks. But, at this point in DNS histor
 y, I doubt we can roll back the clock and force everyone to be rigorous in 
fetching answers for QTYPE=* queries. So the answers are inherently unreliable, 
and that situation is not likely to change, unless and until someone invents an 
ALL QTYPE/RR-type/meta-type. 


- Kevin

-Original Message-
From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Paul Wouters
Sent: Monday, March 09, 2015 10:48 AM
To: D. J. Bernstein
Cc: dnsop@ietf.org; dns-operati...@dns-oarc.net
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS 
standards

On Mon, 9 Mar 2015, D. J. Bernstein wrote:

 My qmail software is very widely deployed (on roughly 1 million SMTP 
 server IP addresses) and, by default, relies upon ANY queries in a way 
 that is guaranteed to work by the mandatory DNS standards.

And you've been told for two decades that this was wrong?

 Specifically, query type ANY matches all RR types for that node on 
 that server.

Wrong, query type ANY matches all RR types CURRENTLY IN THE CACHE. So the 
result of qmail's ANY query is completely meaningless and qmail cannot derive 
any conclusion from the absence of any record from that query.

So if the MX or  record has expired from the cache but another RRtype with 
larger TTL (say NS) is still in there, your ANY query will fail to find 
records. qmail with this feature is broken.

Additionally, Tony Finch did a write up of qmail's ANY problems too:
https://fanf.livejournal.com/10.html

 In new software today I would sacrifice these efficiency benefits for 
 the sake of simplicity, but this doesn't mean that I'm going to 
 frivolously inflict retroactive punishment upon administrators who 
 have installed standards-compliant software and done nothing wrong.

You have had 10 years to fix it. Luckilly, I believe most distributions 
shipping qmail add the patch to fix this already.

 I understand how a sufficiently large site might acquire the 
 impression that it can safely take radical action at its own whim, 
 violating the existing protocol standards

Uhm, we pointd out qmail's _bug_ for a decade. I'm quite sure even you do not 
need to interop with BIND4 anymore.

 Apparently Firefox recently deployed ANY queries. I haven't looked at 
 the details but I gather that they're related to the well-known 
 annoyances of handling  etc. Firefox was browbeaten into reverting 
 this change on the basis of highly questionable claims regarding
 amplification: It can return enormous result sets, and some 
 authoritative servers have taken to refusing ANY queries because of 
 the frequency with which such queries show up in amplification 
 attacks - I'm concerned about amplification and the perception 
 thereof by security monitors.

No, they were also told that ANY queries only return data from the cache, and 
using ANY queries means you might miss actual A or  records. This has 
nothing to do with ANY queries and amplification.

 The common theme of CNAME/MX/A and A/ is that there's widepread 
 interest in being able to easily retrieve multiple record types. What 
 I'm saying

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[D. J. Bernstein]

Paul Wouters writes:
 So if the MX or  record has expired from the cache but another
 RRtype with larger TTL (say NS) is still in there, your ANY query will
 fail to find records.

The client is behaving correctly. The ANY query isn't guaranteed to find
the MX, but you're wrong in claiming that the client is relying on this.
I realize that you don't understand how this type of DNS client works,
so let me go through the details, slowly, covering

   (1) why the queries reliably produce the desired information and
   (2) why QTYPE=ANY ends up reducing the number of queries that the
   authoritative server has to handle for producing this information.

The client begins with an ANY query to the cache. There are several
possibilities for the cache state at this moment:

   * maybe there's nothing;
   * maybe there's an MX record;
   * maybe there's an A record;
   * maybe there's some other regular record, such as NS;
   * maybe there's a mix of regular records;
   * maybe there's a CNAME record;
   * etc.

In the nothing case, the cache forwards the query to the server. This
could end up retrieving, e.g., an MX set, an A set, and an NS set; it
could end up retrieving a CNAME; there are many possibilities.

The cache then returns whatever it has to the client. The client notices
failure cases (such as SERVFAIL) and, in those cases, defers mail
delivery. Let's now focus on what happens in the success cases.

If the cache returns a CNAME: The client sees the CNAME, replaces the
original name with the CNAME, and starts over.

If the cache returns, e.g., an NS record: The client sees this record
and concludes that there _isn't_ a CNAME. This conclusion is justified
by the rule that a name can't have CNAME together with regular records.
An administrator who sets up a single name with both CNAME and NS (or
CNAME and MX, etc.) is entirely at fault for the resulting confusion.

The client then sends an MX query to the cache. Again failures are
caught and defer mail delivery. The most common success case is that
the cache has an MX set at this point; the client sees the MX set and
acts accordingly. (The A that the MX points to is normally cached too.)
If there's a successful response without an MX (case 5 described in
http://cr.yp.to/djbdns/notes.html#response-parsing) then the client
correctly concludes that there isn't an MX and falls back to an A query
for the original name.

To summarize, this type of ANY-MX-A client correctly sees whether
there's a CNAME, correctly sees whether there's an MX, and (when there
isn't an MX) correctly sees whether there's an A. If there's a server
failure (e.g., NOTIMP) or cache failure, the client correctly defers
mail delivery.

A comprehensive efficiency analysis requires detailed measurements for
many years at many sites, but spot checks have consistently shown that
the following cases are most important:

   * Most common: MX in server and in cache. The ANY-MX-A client ends
 up generating 0 queries to the server: the cache answers ANY with
 MX, and answers MX with MX.
 
 For comparison, a CNAME-MX-A client would also end up sending 0
 queries to the server _if_ the cache were smart enough to use the
 MX as a reason to deny CNAME. But typical caches aren't that smart,
 so this type of client would end up sending 1 query to the server.

 An MX-A client uninterested in CNAME would end up sending 0
 queries to the server.

   * MX in server but not in cache. The ANY-MX-A client ends up
 generating 1 query to the server: the server answers ANY with MX
 (and typically A), and then the cache answers MX with MX.

 For comparison, a CNAME-MX-A client would end up generating 2
 queries to the server: the server answers CNAME with no data, then
 answers MX with MX.

 An MX-A client uninterested in CNAME would end up sending 1 query
 to the server: the server answers MX with MX.

   * A in server and in cache, no MX in server: The ANY-MX-A client
 ends up sending 1 query to the server. The cache answers ANY with
 A; the server answers MX with no data; the cache answers A with A.

 For comparison, a CNAME-MX-A client would end up generating 2
 queries to the server (or 1 if the cache is smarter): the server
 answers CNAME with no data; the server answers MX with no data; the
 cache answers A with A.

 An MX-A client uninterested in CNAME would end up sending 1 query
 to the server. The server answers MX with no data, and the cache
 answers A with A.

   * A in server, nothing in cache: The ANY-MX-A client ends up
 sending 2 queries to the server. The server answers ANY with A; the
 server answers MX with no data; the cache answers A with A.

 For comparison, a CNAME-MX-A client would end up generating 3
 queries to the server: the server answers CNAME with no data; the
 server answers MX with no data; the server answers A with A.

 An MX-A client uninterested in 

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Michael Graff]

Packet size is harder to analyze. ANY often pulls some records that
aren't used, and if the site isn't configured carefully then ANY can
even end up falling back to TCP, costing bytes _and_ packets. On the
other hand, there are a huge number of Internet sites that don't have a
noticeable volume of unusual records and don't need TCP, and there's a
clear traffic win for every skipped query and skipped no-data response.

My guess is that with DNSSEC, this will be common, as often times the domain 
apex is where the email would be sent.  For my personal domain, that’s 
@flame.orghttp://flame.org, and weighs in at 1758 bytes to an ANY query right 
now.

Once this is done, the MX target then needs to be followed of course (or 
targets in the case of a failure to connect.)

In the following, I’m using ESND0.  If this isn’t true, we all know anything  
512 bytes as a response was a TCP hit.  I’m not as scared of TCP hits as others 
may be, but I do think they should be avoided when practical.

ANY comes in as 1769 with or without DNSSEC.  Had it asked for the MX directly, 
it would have gotten 60 bytes without DNSSEC, and 229 with.

If there was no MX record, I assume then another query would be issued for the 
 and A records.  That’s two more queries, but both of which would be 
smallish in comparison to the ANY query.  The DNSSEC keys nearly always 
dominate ANY queries at the apex.

I’m happy we are discussing issues with ANY queries, and the fairly small 
number of clients that use them.  I would have to see hard numbers collected 
over a lot of data showing where the ANY query was actually better than 
following the MX, , A path.  Until data is collected from how people set 
up zones today, I’m not sure I can say one is better than the other, other than 
as a feeling that it might help reduce queries but I’m not sure it reduces 
bandwidth.

What problem are we specifically trying to solve here again?

—Michael

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Tony Finch]

Darcy Kevin (FCA) kevin.da...@fcagroup.com wrote:

 Regarding the statement query type ANY 'matches all RR types CURRENTLY
 IN THE CACHE'.

 Actually, there's nothing in RFC 1034 that clearly *mandates* this
 behavior

It is sort-of specified in the algorithm in section 4.3.2 which says,

   4. Start matching down in the cache.  If QNAME is found in the
  cache, copy all RRs attached to it that match QTYPE into the
  answer section.

That applies to RD=0 queries. For RD=1, section 5.3.3 says,

   1. See if the answer is in local information, and if so return
  it to the client.

This is usually understood to mean what you would get from an RD=0 query.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Northwest Fitzroy, Sole: Southwesterly, backing southeasterly for a time, 4 or
5 increasing 6 to gale 8. Moderate or rough, becoming very rough later in
west. Occasional rain, fog patches. Moderate or good, occasionally very poor.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Jared Mauch]

 On Mar 9, 2015, at 10:54 AM, Tony Finch d...@dotat.at wrote:
 
 D. J. Bernstein d...@cr.yp.to wrote:
 
 My qmail software is very widely deployed (on roughly 1 million SMTP
 server IP addresses) and, by default, relies upon ANY queries in a way
 that is guaranteed to work by the mandatory DNS standards.
 
 There are three bugs in the way qmail uses ANY queries.
 
 (1) qmail uses ANY queries for domain canonicalization on outgoing
 messages, as specified by RFC 1123. But canonicalization is not required
 by the current SMTP specification. It is a waste of time. Fixing this bug
 would make bug (3) moot.
 
 (2) qmail's DNS response buffer is too small to accommodate a complete DNS
 message, so it fails if it gets a large response. It uses the low-level
 libc resolver API which can easily handle large responses, including
 fallback to TCP, so it is a pity that qmail breaks this part of the
 resolver's functionality. This bug means it is not guaranteed to work.
 
 (3) Using an ANY query suppresses alias processing, so qmail makes a
 series of queries to follow CNAME chains. This is inefficient and
 wasteful. If you make an A or MX query, the DNS server will chase the
 CNAME chain for you, so you only need to make one query to get the
 canonical name.

Even ignoring if qmail is “broken”.  (I would rather classify it as, could do
better), depreciating the ANY qtype is going to have some significant side
effects of users troubleshooting DNS problems.

I’m very sensitive to the abuse of ANY queries, but this is something that
I feel there are sufficient controls that exist to mitigate the issues,
namely using TC=1 to direct well behaving clients to receive a valid response.

dnsop-any-notimp violates the principle of least surprise in technology by
returning NOTIMP where Paul Vixie suggested NOERROR/ANCOUNT=0 would be more
appropriate with the existing definitions.

Much of this is triggered by bad coding practices and bad networking examples
that are littered around codebases, e.g.: gethostbyname() vs getnameinfo() and
by broken behaviors by nscd and other OS/LIBC implementations that also violate
the principle of least surprise.

- Jared

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Jared Mauch]

 On Mar 9, 2015, at 11:16 AM, Edward Lewis edward.le...@icann.org wrote:
 
 On 3/9/15, 7:08, D. J. Bernstein d...@cr.yp.to wrote:
 
 The common theme of CNAME/MX/A and A/ is that there's widepread
 interest in being able to easily retrieve multiple record types. What
 I'm saying is not that query type ANY is the ultimate answer (clearly it
 can be improved); what I'm saying is that these are protocol issues, and
 that protocol changes need to be handled by an appropriately chartered
 IETF working group.
 
 (I removed the dns-operations list from this because this needs to be
 discussed on DNSOP.)
 
 
 Dan,
 
 You're right.  But.
 
 Operators are not bound to comply with what the IETF documents.
 
 As much as operators shouldn't bully the IETF nor the public for which the
 serve, the street goes two ways.  The IETF is not able to and should not
 bully them.  The IETF is supposed to provide us with an interoperable way
 to operate and is supposed to have documents that reflect running code.”

I would be interested in hearing the results you had from disabling ANY
queries, or anyone else results.  

This isn’t standing in opposition to change, but trying to understand the true
scope and nature of this problem.  Perhaps I’m missing parts of the problem, but
the qmail issue has existed for 10 years.  Firefox recently turned on and back 
off
ANY queries in 36.0 and 36.0.1 to try to keep performance what it should be
for websites that have low TTLs vs being ‘sticky’ to an old A/ record.

 * Second: The merits of the protocol modification have to be properly
   discussed in that working group, to evaluate the costs and benefits
   of the protocol modification---and to consider whether there are
   better ways to achieve the same benefits.
 
 
 If operators find that a protocol needs to be modified to be properly
 operated, the IETF ought to adjust the protocol definition.  Having a
 migration path would be a plus too.  (Said tongue in cheek.)
 
 But - finding that a protocol needs to be modified is not as easy as
 that - hence my quoting of your words above.

I’m concerned a change of this sort will cause a number of people to see
something as ‘broken’ where it really is not.  If we are dealing with code
that will break things for existing users, giving them broad warning is
important, even if they are using/abusing this capability of the DNSs
system today.

- Jared
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[bert hubert]

On Mon, Mar 09, 2015 at 11:08:03AM -, D. J. Bernstein wrote:
 My qmail software is very widely deployed (on roughly 1 million SMTP
 server IP addresses) and, by default, relies upon ANY queries in a way
 that is guaranteed to work by the mandatory DNS standards.

Hi Dan,

The way I read RFC 1034 4.3.2, this is not true. In step 4 we match whatever
we find in the cache, put it in the packet, and move on to step 6.

This means the algorithm might terminate returning only an A record or only
an  record.  Or a TXT record for that matter.

This reading of 4.3.2 makes 'ANY' queries to resolvers fragile. It might not
return what you need.

Do you think I read 4.3.2 wrong? Or is there another RFC that updates the
algorithm?

Bert

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Edward Lewis]

On 3/9/15, 7:08, D. J. Bernstein d...@cr.yp.to wrote:

The common theme of CNAME/MX/A and A/ is that there's widepread
interest in being able to easily retrieve multiple record types. What
I'm saying is not that query type ANY is the ultimate answer (clearly it
can be improved); what I'm saying is that these are protocol issues, and
that protocol changes need to be handled by an appropriately chartered
IETF working group.

(I removed the dns-operations list from this because this needs to be
discussed on DNSOP.)


Dan,

You're right.  But.

Operators are not bound to comply with what the IETF documents.

As much as operators shouldn't bully the IETF nor the public for which the
serve, the street goes two ways.  The IETF is not able to and should not
bully them.  The IETF is supposed to provide us with an interoperable way
to operate and is supposed to have documents that reflect running code.

  * Second: The merits of the protocol modification have to be properly
discussed in that working group, to evaluate the costs and benefits
of the protocol modification---and to consider whether there are
better ways to achieve the same benefits.


If operators find that a protocol needs to be modified to be properly
operated, the IETF ought to adjust the protocol definition.  Having a
migration path would be a plus too.  (Said tongue in cheek.)

But - finding that a protocol needs to be modified is not as easy as
that - hence my quoting of your words above.

Ed Lewis


smime.p7s
Description: S/MIME cryptographic signature
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Tony Finch]

Jared Mauch ja...@puck.nether.net wrote:

 Even ignoring if qmail is “broken”.  (I would rather classify it as, could do
 better)

Yes.

 dnsop-any-notimp violates the principle of least surprise in technology by
 returning NOTIMP where Paul Vixie suggested NOERROR/ANCOUNT=0 would be more
 appropriate with the existing definitions.

This would have the amusing effect of disabling qmail's address
canonicalization without patching qmail.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Rockall, Malin: Cyclonic in north Rockall at first, otherwise westerly or
southwesterly severe gale 9 to violent storm 11, decreasing 5 or 6. High or
very high, becoming very rough. Squally showers. Good, occasionally poor.___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Tony Finch]

bert hubert bert.hub...@netherlabs.nl wrote:
 On Mon, Mar 09, 2015 at 11:08:03AM -, D. J. Bernstein wrote:
  My qmail software is very widely deployed (on roughly 1 million SMTP
  server IP addresses) and, by default, relies upon ANY queries in a way
  that is guaranteed to work by the mandatory DNS standards.

 The way I read RFC 1034 4.3.2, this is not true. In step 4 we match whatever
 we find in the cache, put it in the packet, and move on to step 6.

 This means the algorithm might terminate returning only an A record or only
 an  record.  Or a TXT record for that matter.

 This reading of 4.3.2 makes 'ANY' queries to resolvers fragile. It might not
 return what you need.

Dan is aware of that, but this particular oddity isn't a problem for
qmail. Later in his message he wrote:

  Of course, there's no guarantee of which RR types for a node are
  available at a cache, but a client is guaranteed to be able to detect
  CNAME records from responses to query type ANY (as qmail does), since
  a CNAME type prohibits all regular RR types.

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Fair Isle: Southeast veering west, severe gale 9 to violent storm 11. Very
rough or high, becoming very high for a time. Rain then showers. Moderate or
poor, becoming good.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[D. J. Bernstein]

Edward Lewis writes:
 Operators are not bound to comply with what the IETF documents.

As I said before, this is making a mockery of the IETF standardization
process. Instead of

   * obeying the existing mandatory standards,
   * giving due respect to the installed base relying on the standards,
   * trying to build consensus for a transition that demands action from
 the installed base, and
   * taking the slow steps necessary to maintain interoperability during
 a transition if any transition happens,

a large operator is using its market position to violate the standards
and _create_ interoperability failures as a tool to enforce a protocol
change that it wants. Furthermore, a few weeks before this standards
violation is going to be deployed, the stated rationale for the change
is undergoing massive revisions, making serious discussion difficult and
leading observers to wonder how carefully the change was thought through
in the first place.

If you want IETF standards to be taken seriously---if you think that the
basic rules of Internet communication should be established by consensus
in IETF, and not simply overridden by future developers and operators
who think they know better, including cases where you _don't_ agree with
them---then you have to stop endorsing standards violations.

Tony Finch writes:
 qmail uses ANY queries for domain canonicalization on outgoing
 messages, as specified by RFC 1123. But canonicalization is not
 required by the current SMTP specification. It is a waste of time.

I fully agree that this was made optional in SMTP---that qmail is no
longer required to do this. But how do you leap to the wild conclusion
(stated twice in your message) that this is a bug in qmail?

More importantly, why do you think this is relevant to anything that I
said? I didn't say that qmail's behavior is currently required for SMTP.
I said that qmail is very widely deployed and relies upon ANY queries in
a way that is guaranteed to work by the mandatory DNS standards. The
dnsop-any-notimp proposal ignores those standards and will create real
interoperability problems with mail delivery.

 Using an ANY query suppresses alias processing, so qmail makes a
 series of queries to follow CNAME chains. This is inefficient and
 wasteful.

No, you have the efficiency picture backwards. CNAME chains have always
been an extremely small fraction of the DNS queries inside mail, while
the QTYPE=ANY side effect of preloading MX/A records has always produced
a significantly larger reduction in DNS queries.

This item is something else that you explicitly label as a bug. You
keep using that word; I do not think that word means what you think it
means.

 qmail's DNS response buffer is too small to accommodate a complete DNS
 message, so it fails if it gets a large response.

Precisely how many bytes do you believe are in a complete DNS message?
65535, the TCP limit? Do you seriously believe that 65535-byte responses
work reliably today, and that any failure to handle such responses is a
bug? How about 512, given the fact that the mandatory DNS standards do
_not_ require TCP support? Or maybe 1280, the recommended safe size for
EDNS0 UDP (depending on the network etc.)?

Even in an imaginary world where 65535-byte responses work, what do you
think happens if a server administrator puts _more_ than 65535 bytes of
records at a single node? Do you blame the server administrator? If DNS
implementors handle this use case by introducing a DNS transport capable
of handling 4-gigabyte responses, will you then claim that there's a
bug in every DNS client that has less RAM available or that simply
insists on a smaller limit to control its resource use?

In fact, all DNS client and server deployments have size limits on DNS
responses, and these limits have always varied, making the system as a
whole increasingly fragile for the unfortunate administrators pushing
the limits (notably DNSSEC administrators). The only sane way out is for
the protocol to declare a single reasonable size limit to be respected
by all clients and servers---but this implies reengineering large DNS
record types to split data across nodes (the same way that TCP splits
streams across packets), and nobody seems willing to do this work. It's
much easier to stuff all data into one node, pretend that the system
works, and blame the administrators for all of the resulting failures.

I'd be happy to discuss this issue further if anyone is interested in
fixing these aspects of the DNS protocol. I would, however, suggest
starting a separate thread for that, since this really isn't relevant to
how dnsop-any-notimp violates the DNS standards.

---Dan

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

[Darcy Kevin (FCA)]

My 2 cents...

It is commonplace, these days, to clearly enumerate MANDATORY TO IMPLEMENT 
elements of a protocol specification. But, this was not the typical practice at 
the time RFCs 1034/1035 was written, and I don't think we can apply modern 
standards-parlance retroactively. RFC 1034/1035 certainly marked some protocol 
elements as optional or experimental, e.g.
-  inverse query opcode (optional)
-  the MG, MINFO, MR and NULL RR types (experimental)
- negative-caching via the inclusion of an SOA RR in the Additional Section of 
the response (optional)
yet, none of the QTYPEs defined in the RFCs are so labelled.

In the face of such circumstantial evidence, I would say that conformance to 
RFCs 1034/1035 requires implementation, to some degree, of all QTYPEs defined 
in those RFCs, That, to me, is a reasonable reading of the document. 
RCODE=NOTIMP exists, ergo any/all QTYPEs which aren't also RR types[1], are 
optional to implement is not, IMO, a reasonable reading, but admittedly, the 
MANDATORY TO IMPLEMENT construct probably came into vogue in the first place, 
to forestall any such shaky interpretations.

Now, having said that, I think it would be standards-conforming for an 
implementation to always answer with RCODE=REFUSED, always answer with NODATA, 
or to pick only certain RR types, more-or-less arbitrarily, (e.g. A and ) 
and only answer with RRs matching those RR types (as a way to minimize the 
amplification effect), in response to QTYPE=* queries. None of those would be 
violations of the standard, which in no way usurps local administrative control 
over what queries get substantive responses, versus those which do not, nor 
commits an implementation to rigorously tracking down *every* RRset owned by 
the QNAME of a given QTYPE=* query. But, I have to agree with Dan: NOTIMP in 
response to QTYPE=* is not standards-conforming. As for his meta-argument that 
DNSOP cannot make changes to the protocol, I'm still mulling that one over, in 
light of the charter language.


- Kevin

[1] The reason for the which aren't also RR types qualification is that RFC 
1123, Section 6.1.3.5 states that DNS software MUST support all well-known, 
class-independent formats  [sic]. While 1123 is silent on QTYPEs, _per_se_, at 
least the set of [QTYPEs that are also well-known, class-independent RR types], 
as of the date of 1123's publication, fall within mandatory-to-implement, and 
there is no need to debate over those.

-Original Message-
From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of David C Lawrence
Sent: Monday, March 09, 2015 12:24 PM
To: dnsop@ietf.org; dns-operati...@dns-oarc.net
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS 
standards

RFC 1035 explicitly allows for a server to indicate that a kind of query is not 
implemented.

Whether it is a good idea to respond to ANY this way is a separate argument 
that is worth having.  You just won't win on the foundation that it is a 
violation of the standard.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop