On 06. 07. 26 21:51, Roman Danyliw via Datatracker wrote:
Roman Danyliw has entered the following ballot position for
draft-ietf-dnsop-structured-dns-error-24: Discuss

As a dnsdir reviewer reponsible for parts of the this ambiguity I feel obliged to respond:

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Questions around the use of clear-text DNS and EXTRA-TEXT:

-- Section 5.3
    1.  If the integrity of the DNS response is not guaranteed, the DNS
        client MUST NOT act upon data in the EXTRA-TEXT field, as the
        data is vulnerable to modification by an on-path attacker.

What provides an adequate guarantee of integrity to act upon the data?

DNS has number of integrity protection mechanism: TLS, TSIG, SIG(0), to name few. Do you envision mandatory subset?


> What> happens if the stub resolver uses DOH, but the recursive resolver does not?

EDNS is hop-by-hop so EDE option is always generated by 'first hop'. What happens upstream of the first hop is irrelevant because EDE options would not be passed verbatim to the end client.


-- Section 10.1, “This specification assumes the use of authenticated,
integrity-protected DNS transports (e.g., DoT, DoH, or DoQ).  Such transports
MUST be based on TLS 1.3 [RFC8446] or later.”   This seems ambiguous.  Is
“assuming the use of” the same thing as requiring the using of “authenticated,
integrity-protected DNS transports” when the EXTRA-TEXT field is use?  If so,
please be explicit. I ask because a few sections later (Section 10.4 note
below) the text is unambiguous on the need for “encrypted DNS transport”.

-- (not DISCUSS feedback, here for reference) Section 10.4, “This specification
requires the use of an encrypted DNS transport (e.g., DoT, DoH, or DoQ), which
protects both the DNS query and the structured error response from passive
observers.” This is unambiguous.  Thanks.

I agree 'assumes the use of' might be weird and a MUST is in order here.

Having said that, the same argument about protocol agility as above applies. This document should not mandate one specific integrity protection when there's multiple standardized options for DNS.

--
Petr Špaček

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to