Rendered at 20:35:45 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
pocksuppet 1 days ago [-]
Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP. A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for" so these providers choose to always return the latter type of answer. Since the server is telling you the domain exists, policies about what to do when the domain doesn't exist don't apply.
tptacek incoming in 3...2...1...
growse 1 days ago [-]
> Summary: it's not DNSSEC itself, it's DNS providers like Cloudflare returning incorrect data to make responses shorter and avoid switching to TCP.
I feel like we need the angry goose meme here.
"But why are those providers returning incorrect data?"
jeroenhd 1 days ago [-]
> "But why are those providers returning incorrect data?"
In this case, because they decided actually implementing the protocol they were supposed to be implementing didn't work for their hacky design, so they hacked together a series of Good Enough workarounds.
These cloud companies are the Microsoft Internet Explorer of DNS service but unlike IE6 they're considered cool enough that they're tolerated.
teddyh 23 hours ago [-]
Cloudflare is well known for breaking DNS standards whenever they feel like it; they’re too big to ignore, so they get away with murder.
pocksuppet 22 hours ago [-]
How did they get this way, anyway? Let's say that I want half the world to sign up for me to MITM their traffic. How would I achieve that?
teddyh 22 hours ago [-]
Solve a DDoS problem by positioning yourself as the middleman (instead of designing new protocols without the vulnerability).
cdmckay 1 days ago [-]
So you’re cool with letting anyone walk your DNS?
phicoh 1 days ago [-]
The problem here is that computing three 3 NSEC3 records as you might need to return an NXDOMAIN was considered too expensive. It's just a choice to reduce their costs while increasing complexity for everyone else.
phicoh 1 days ago [-]
At the time it was well known that messing around with NXDOMAIN would cause problems. But some companies wanted to do it anyhow.
The solution is simple, if you want to use this DMARC feature then don't host with companies that do weird stuff with NXDOMAIN.
woodruffw 1 days ago [-]
> A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for" so these providers choose to always return the latter type of answer
This seems like a major design flaw in DNSSEC, if so.
(I don’t have an opinion on whether Cloudflare or whoever else is a good participant in the DNS.)
formerly_proven 23 hours ago [-]
Most of the time people are not asking for domains which don't resolve. Also, think about what DNSSEC is actually having to do when signing an NXDOMAIN. It needs to prove a negative with offline signing keys, DNSSEC does this by basically making a linked list of each zone and signing the links.
tptacek 23 hours ago [-]
It's doing that because the protocol was designed for offline signers, which in turn was a result of a folk belief in the 1990s that computers wouldn't be fast enough to do online signing.
pocksuppet 8 hours ago [-]
Was it really nothing to do with keeping keys safer offline?
tptacek 5 hours ago [-]
Go read the mailing lists of the time.
phicoh 12 hours ago [-]
A linked list of each authoritative name in the zone. Not a list of zones.
That's for offline signing. For online signing you can do different things.
But the point is, and that's what this discussion is about is that DNSSEC can evolve. It can get extra features to make online signing more efficient.
The problem is that getting all validating recursive resolvers and other validators to update takes a very long time, on the order of decades.
So we got this problem because people started using this feature without verifying that validator support had spread wide enough.
tptacek 1 hours ago [-]
At this point, with this microscopic level of adoption and this track record of instability, and given that we're now 4 major revisions (all premised on the same original service model that TIS came up with in the mid-1990s), it would make a lot more sense to go back to the drawing board.
That's basically what we did with DoH, a protocol that has drastically more deployment than DNSSEC and a more coherent threat model.
The simplest and most obvious thing you could do, if you were being parsimonious about it, would be to switch to an online-signer model. With modern (circa 2005) cryptography, you'd do a straightforward client/server authenticated denial without any of the record-chaining silliness. A big chunk of the complexity of the protocol would just vanish.
winstonwinston 23 hours ago [-]
> Finally, one aspect to consider is that many mail servers reject mail when the Envelope From domain has no MX or A/AAAA records. When the Envelope From domain and From domain are identical, this may reduce the number of relevant cases. The np tag was nonetheless introduced, so it was probably deemed realistic that a mail receiver reaches the point where the np policy is evaluated.
In practice DMARC verifiers can/will do the same for checking ‘non-existent’ subdomain. Query A/AAAA/MX and if no usable answers are given, the subdomain does not exist. Who cares if it is NXDOMAIN or NODATA.
amluto 1 days ago [-]
While nothing good can be said about the design of DNSSEC here, it seems to me that the new np feature’s semantics are also misguided. I get it: if I own company.com and I’m not using foo.company.com, then maybe I should set np=reject on company.com’s DMARC rule so that no one can spoof email from it.
But it seems odd that www.company.com should be considered present for this purpose even if it has no MX records. And if I want to send from noreply.company.com, then setting some unrelated DNS record type there to prevent it from being not “not present” seems like a giant kludge.
And lots of domains have subdomains that are intended for some non-email purpose (api.company.com or whatever), and those shouldn’t be allowed without further policy. Nor should (technically invalid for SMTP but maybe allowed anyway) delights like _dmarc.company.com itself.
Why didn’t the DMARC spec say that a domain is “not present” if it lacks MX records?
toast0 1 days ago [-]
> Why didn’t the DMARC spec say that a domain is “not present” if it lacks MX records?
That doesn't match the SMTP spec, RFC 5321 says
> If an empty list of MXs is returned, the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.
Now, steelman argument is that DMARC is used together with SMTP, so it should be somewhat compatible to work in practice. But in this case there isn't fundamental conflict breaking SMTP.
em-bee 21 hours ago [-]
DMARC demands extra DNS entries that SMTP doesn't need, so there is no reason why DMARC could not also demand an explicit MX record even if plain SMPT doesn't
jeroenhd 1 days ago [-]
> Why didn’t the DMARC spec say that a domain is “not present” if it lacks MX records?
MX implies a domain can receive email, you don't need it to send email. A setup where company.example sends email from companymailings.example but sets a reply-to for support@company.example is perfectly valid (even if it's stupid and confusing). Plus there's that weird legacy behaviour of mail servers delivering to port 25 to the IP in the A record if MX records are missing.
amluto 1 days ago [-]
> A setup where company.example sends email from companymailings.example but sets a reply-to for support@company.example is perfectly valid
So shouldn’t this be done explicitly by setting a policy at _dmarc.companymailings.example instead of implicitly by setting at otherwise entirely useless record (of type A? some unused TXT variant?) at companymailings.example?
2000UltraDeluxe 15 hours ago [-]
No.
MX tells a sender where the mail goes.
DMARC allows the recipient to verify the adress in the From header.
Neither has anything to do with the fact whether a server sends emails or not.
tptacek incoming in 3...2...1...
I feel like we need the angry goose meme here.
"But why are those providers returning incorrect data?"
In this case, because they decided actually implementing the protocol they were supposed to be implementing didn't work for their hacky design, so they hacked together a series of Good Enough workarounds.
These cloud companies are the Microsoft Internet Explorer of DNS service but unlike IE6 they're considered cool enough that they're tolerated.
The solution is simple, if you want to use this DMARC feature then don't host with companies that do weird stuff with NXDOMAIN.
This seems like a major design flaw in DNSSEC, if so.
(I don’t have an opinion on whether Cloudflare or whoever else is a good participant in the DNS.)
That's for offline signing. For online signing you can do different things.
But the point is, and that's what this discussion is about is that DNSSEC can evolve. It can get extra features to make online signing more efficient.
The problem is that getting all validating recursive resolvers and other validators to update takes a very long time, on the order of decades.
So we got this problem because people started using this feature without verifying that validator support had spread wide enough.
That's basically what we did with DoH, a protocol that has drastically more deployment than DNSSEC and a more coherent threat model.
The simplest and most obvious thing you could do, if you were being parsimonious about it, would be to switch to an online-signer model. With modern (circa 2005) cryptography, you'd do a straightforward client/server authenticated denial without any of the record-chaining silliness. A big chunk of the complexity of the protocol would just vanish.
In practice DMARC verifiers can/will do the same for checking ‘non-existent’ subdomain. Query A/AAAA/MX and if no usable answers are given, the subdomain does not exist. Who cares if it is NXDOMAIN or NODATA.
But it seems odd that www.company.com should be considered present for this purpose even if it has no MX records. And if I want to send from noreply.company.com, then setting some unrelated DNS record type there to prevent it from being not “not present” seems like a giant kludge.
And lots of domains have subdomains that are intended for some non-email purpose (api.company.com or whatever), and those shouldn’t be allowed without further policy. Nor should (technically invalid for SMTP but maybe allowed anyway) delights like _dmarc.company.com itself.
Why didn’t the DMARC spec say that a domain is “not present” if it lacks MX records?
That doesn't match the SMTP spec, RFC 5321 says
> If an empty list of MXs is returned, the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.
https://www.rfc-editor.org/rfc/rfc5321.html#section-5
Now, steelman argument is that DMARC is used together with SMTP, so it should be somewhat compatible to work in practice. But in this case there isn't fundamental conflict breaking SMTP.
MX implies a domain can receive email, you don't need it to send email. A setup where company.example sends email from companymailings.example but sets a reply-to for support@company.example is perfectly valid (even if it's stupid and confusing). Plus there's that weird legacy behaviour of mail servers delivering to port 25 to the IP in the A record if MX records are missing.
So shouldn’t this be done explicitly by setting a policy at _dmarc.companymailings.example instead of implicitly by setting at otherwise entirely useless record (of type A? some unused TXT variant?) at companymailings.example?
MX tells a sender where the mail goes.
DMARC allows the recipient to verify the adress in the From header.
Neither has anything to do with the fact whether a server sends emails or not.