On 3/14/23 17:05, Shumon Huque wrote:
> The NXDOMAIN or NOERROR "state" definitely has to be proven by the signed records inside the message.
> (...)
> So, I think the only way we could safely do RCODE replacement for signed responses is by the use of an EDNS signal.
I'd like to understand better how that could work specifically. In another message (March 5), you explained:
> proposal to have compact answer proofs AND an NXDOMAIN rode, would be to introduce an EDNS signaling flag or option ("Compact Answers OK"). If the authoritative server receives that from a resolver, it could provide the compact answer proof as well as set RCODE 3. Resolvers would also have to support this on the downstream hops.
So I take it that when the EDNS signal is there, compact DoE responses get an NXDOMAIN code. In case the EDNS flag is not set, does the nameserver return (a) the compact proof (with sentinel in the type map), but with a NOERROR code, or (b) a classical proof (no sentinel), but with an NXDOMAIN code? It occurs to me that if you want to ensure the cryptographic statement cannot be undermined, then (b) is not an option. It would allow an on-path attacker to replace the NSEC proof in an answer with a classical proof (which the attacker can obtain via an extra query without the EDNS signal). The response that the client receives will then not be distinguishable from an ENT response, i.e. an on-path attacker can downgrade an NXDOMAIN proof to an ENT proof. That can only be avoided if the nameserver never ever returns an NSEC proof without sentinel bit in an NXDOMAIN situation.* That's option (a). However, that means that clients not supporting the EDNS option won't get NXDOMAIN, i.e. it's a semantics change. One way to retain the NXDOMAIN code for legacy clients without opening this attack vector would be to add *yet another* sentinel to the type bitmap, which would be present at both ENT and non-existent names, when compact DoE support was signaled via EDNS. This would prove to clients signaling compact DoE support that an answer that looks like an ENT answer really is one (i.e. was not exchanged as described above).
> I've done some very quick empirical tests (with a hacked up DNS authoritative server that returns NXDOMAIN for all signed responses) and the results are interesting:
Indeed! Thanks for doing the experiment.

~Peter
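The three server behaviours weighed in the message above (option (a), option (b), and the second-sentinel variant), modelled as an added example that is not part of the thread or of any draft: a signaling client judges only the signed type bitmap, since the RCODE is unsigned, and the check asks whether a proof minted for a legacy query could be swapped in to make a missing name look like an ENT. The sentinel names `NXNAME` and `CDOE-OK` are hypothetical stand-ins chosen here.

```python
# Model of the three options discussed in the thread for compact DoE.
# Sentinel names are hypothetical stand-ins for this example, not the draft's.
NXNAME = "NXNAME"       # hypothetical sentinel: the owner name does not exist
CDOE_OK = "CDOE-OK"     # hypothetical 2nd sentinel: server saw the EDNS signal


def authoritative_response(state, client_signaled, policy):
    """Return (rcode, signed type bitmap) for a name in `state`
    ('nxdomain' or 'ent') under policy 'a', 'b' or 'two-sentinel'."""
    assert state in ("nxdomain", "ent") and policy in ("a", "b", "two-sentinel")
    bitmap = {"NSEC", "RRSIG"}
    # Under (b) and the two-sentinel variant, a legacy (non-signaling)
    # client gets a classical proof: no sentinel, RCODE carries the state.
    legacy_classical = policy in ("b", "two-sentinel") and not client_signaled
    if not legacy_classical and state == "nxdomain":
        bitmap.add(NXNAME)                 # compact proof carries the sentinel
    if policy == "two-sentinel" and client_signaled:
        bitmap.add(CDOE_OK)                # present at ENTs and at missing names
    # RCODE is unsigned; under (a) legacy clients only ever see NOERROR.
    nxdomain_code = state == "nxdomain" and (client_signaled or legacy_classical)
    return ("NXDOMAIN" if nxdomain_code else "NOERROR"), frozenset(bitmap)


def signaling_client_interpretation(bitmap, policy):
    """What a client that sent the EDNS signal concludes from the signed
    bitmap alone (no signature covers the RCODE)."""
    if policy == "two-sentinel" and CDOE_OK not in bitmap:
        return "bogus"                     # proof was not minted for a signaling client
    return "nxdomain" if NXNAME in bitmap else "ent"


def downgrade_possible(policy):
    """Can the proof for a non-existent name be replaced by one obtained via a
    legacy query, so that a signaling client concludes the name is an ENT?"""
    _, legacy_bitmap = authoritative_response("nxdomain", False, policy)
    return signaling_client_interpretation(legacy_bitmap, policy) == "ent"


if __name__ == "__main__":
    for policy in ("a", "b", "two-sentinel"):
        print(policy, "downgradable" if downgrade_possible(policy) else "safe")
```

Only option (b) lets the swapped-in classical proof pass as an ENT; option (a) avoids that at the cost of NOERROR for legacy clients, and the second sentinel keeps NXDOMAIN for legacy clients while letting signaling clients reject a proof that lacks it.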