
IPv6 root DNS change
Noted on slashdot:

Just before year's end, ICANN/IANA sent out a short message saying that "on 4
February 2008, IANA will add AAAA records for the IPv6 addresses of the four
root servers whose operators have requested it."

There are some potential bugs in spf libraries that should be tested:

http://www.icann.org/committees/security/sac018.pdf

Especially those that use their own resolver, e.g. pyspf + pydns.
Firewall appliances that look inside DNS packets are also suspect.
(And one pyspf user has already had trouble with a firewall that didn't
like DNS request packets with a TID of 0.)

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Archives: http://v2.listbox.com/member/archive/1007/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/1007/
Modify Your Subscription: http://v2.listbox.com/member/?member_id=1311533&id_secret=81776543-6a92a7
Powered by Listbox: http://www.listbox.com
Re: IPv6 root DNS change
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stuart D. Gathman wrote:
> Just before year's end, ICANN/IANA sent out a short message saying
> that "on 4 February 2008, IANA will add AAAA records for the IPv6
> addresses of the four root servers whose operators have requested it."
>
> There are some potential bugs in spf libraries that should be tested:
>
> http://www.icann.org/committees/security/sac018.pdf

Can you be more specific about what sort of bugs might occur?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHflZ0wL7PKlBZWjsRAuSFAKCSPMssd3FX6a4sDZSjMHx1IzwpkQCeNrZL
DgV9WLL13YghYbRoym6N16k=
=w+yU
-----END PGP SIGNATURE-----

Re: Re: IPv6 root DNS change
On Fri, 4 Jan 2008, Julian Mehnle wrote:

> > http://www.icann.org/committees/security/sac018.pdf
>
> Can you be more specific about what sort of bugs might occur?

The above PDF is specific. But a few highlights:

1. The new root DNS packets will be 811 bytes (13 A, 13 AAAA records), UDP
only. This requires EDNS0 support.

2. Security software might block DNS records with unknown record types,
and might not know about AAAA.

A thought: Issue 1 says to me that SPF DNS packets ought to be allowed to be as
big as DNS root packets. So the minimum SPF packet size should be increased to
811 from 512.


--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: IPv6 root DNS change
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stuart D. Gathman wrote:
> On Fri, 4 Jan 2008, Julian Mehnle wrote:
> > > http://www.icann.org/committees/security/sac018.pdf
> >
> > Can you be more specific about what sort of bugs might occur?
>
> The above PDF is specific.

Certainly, but I scanned the document briefly and it didn't occur to me
how any of it would affect SPF implementations directly.

> 1. The new root DNS packets will be 811 bytes (13 A, 13 AAAA records),
> UDP only. This requires EDNS0 support.
> [...]
> A thought: Issue 1 says to me that SPF DNS packets ought to be allowed
> to be as big as DNS root packets. So the minimum SPF packet size
> should be increased to 811 from 512.

I can't think of why SPF implementations would be concerned with root
server list priming. Besides, the only place where RFC 4408 explicitly
mentions the 512-byte limit is in section 3.1.4, "record size", saying
that SPF records should be designed to stay below that limit, which is an
entirely different issue.

Do you think that any SPF implementations enforce a 512-byte limit in
some context affected by the use of IPv6 (addresses)?

> 2. Security software might block DNS records with unknown record types,
> and might not know about AAAA.

OK, so checking SPF for incoming IPv6 connections might fail. But that
possibility has existed for years now, and there's nothing an SPF
implementation can do about it, is there?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHfmHVwL7PKlBZWjsRAvtQAJ9TijiLStec62JBu7anYIlJ9wuybgCcDlgB
QnDudFJyv4lVYEmvQXVoRog=
=8Ltd
-----END PGP SIGNATURE-----

Re: Re: IPv6 root DNS change
On Fri, 4 Jan 2008, Julian Mehnle wrote:

> > 2. Security software might block DNS records with unknown record types,
> > and might not know about AAAA.
>
> OK, so checking SPF for incoming IPv6 connections might fail. But that
> possibility has existed for years now, and there's nothing an SPF
> implementation can do about it, is there?

This change affects IPv4 lookups also. That is why the committee is
being so careful. Yes, the change may cause *all* SPF checks to fail
if a security filter doesn't like the "unknown" AAAA records.

I have already had to deal with SPF checks via pyspf failing because a security
appliance didn't like 0 in the TID field.

Your point on issue 1 is that an SPF implementation queries a local caching
name server, and doesn't need to worry about root DNS packet size.
That may be true; however, a production implementation should find out whether
some part of the chain fails before Feb 4. The committee points out
that the UA, FR, JP, and HK top level domains have AAAA records and DNS
response packets exceeding 512 bytes. If an implementation can handle
lookups below those top level domains, it should be ok.

Again, this change can affect (and did affect in committee testing) some
(older) IPv4 implementations.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: IPv6 root DNS change
Julian Mehnle wrote:

> the only place where RFC 4408 explicitly mentions the 512-byte
> limit is in section 3.1.4, "record size", saying that SPF records
> should be designed to stay below that limit, which is an entirely
> different issue.

| Records that are too long to fit in a single UDP packet MAY be
| silently ignored by SPF clients.

Even if you are in the position to handle longer records without
truncation you are free to ignore them silently. For publishers
that is a disguised "don't try this if you want receivers to look
at your policy", isn't it?

I don't get Stuart's proposal "just replace 512 by 811". The old
UDP limit doesn't go away just because some root and TLD servers
decided that they are forced to ignore it for their IPv6 purposes.

But it's an interesting topic; if you have insights to share, please
consider publishing them on the Wiki as well. What a year, IPv6, IDN,
EAI, IDNAbis, 4646bis, 2821bis, 2822upd, net-utf8, ... :-)

Frank

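The "record size" concern Julian and Frank are discussing (RFC 4408 section 3.1.4: an SPF record that does not fit in a single UDP reply MAY be silently ignored) is easy to check on the publishing side. The following is an added example, not code from the thread or from any SPF library: it computes an upper bound on the wire size of the TXT reply a resolver would return for a domain's SPF record(s), counting names uncompressed (real replies are slightly smaller because servers compress owner names), and reports it against the 512, 811 and 1024 byte limits mentioned in the thread. The sample policies and the domain name are constructed and use documentation address ranges.

```python
"""Added example, not from the thread: an upper-bound estimate of the UDP reply
size for a domain's TXT (SPF) records, against the RFC 4408 section 3.1.4
advice to stay under 512 bytes. Names are counted uncompressed, so real replies
are a little smaller; the sample policies are constructed and use
documentation address ranges."""


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def txt_rdata(text):
    """TXT RDATA is a sequence of <character-string>s of at most 255 bytes each;
    SPF clients concatenate them, so a long policy costs one extra length byte
    per 255 bytes of text."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def txt_answer_size(domain, records):
    """Wire size of a reply carrying `records` as TXT RRs in the answer section:
    12-byte header + question + (owner name, TYPE, CLASS, TTL, RDLENGTH, RDATA)
    per RR, with every owner name written out in full (no compression)."""
    owner = encode_name(domain)
    size = 12 + len(owner) + 4                       # header + QNAME + QTYPE/QCLASS
    for text in records:
        size += len(owner) + 10 + len(txt_rdata(text))
    return size


def check_policy(domain, records, limits=(512, 811, 1024)):
    """Report the estimated reply size and whether it fits each limit the
    thread discusses (classic 512, root priming 811, the suggested 1024)."""
    size = txt_answer_size(domain, records)
    return {"size": size, "fits": {limit: size <= limit for limit in limits}}


# Constructed sample policies for a constructed domain.
SHORT_POLICY = "v=spf1 ip4:192.0.2.0/24 mx -all"
LONG_POLICY = "v=spf1 " + " ".join("ip4:203.0.113.%d" % i for i in range(60)) + " -all"

if __name__ == "__main__":
    for label, policy in (("short", SHORT_POLICY), ("long", LONG_POLICY)):
        print(label, check_policy("example.com", [policy]))
```

Because the estimate ignores name compression it errs on the safe side: a policy that fits here fits on the wire. A policy that only fits at 811 or 1024 depends on the receiver's resolver path supporting EDNS0 end to end, which is exactly the part of the chain Stuart suggests testing before the root change.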
Re: Re: IPv6 root DNS change
On Tue, 8 Jan 2008, Frank Ellermann wrote:

> I don't get Stuart's proposal "just replace 512 by 811". The old
> UDP limit doesn't go away just because some root and TLD servers
> decided that they are forced to ignore it for their IPv6 purposes.

When the root servers go to 811, then DNS (and SPF) won't work at all unless
the DNS implementation talking to the root server for your SPF lib
(which could be a caching nameserver) handles EDNS0, and larger UDP packets.
This means that larger UDP packet support will be pretty much universal very
soon, being driven by the need to use the root name servers. In particular,
firewall limits on DNS UDP size had better be upped quickly. For all these
reasons, the root DNS UDP size is a good minimum size to require. I understand
it is too late, since we already mentioned 512 in the rfc. But maybe a SHOULD
support at least 811...

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: IPv6 root DNS change
Stuart D. Gathman wrote:

> I understand it is too late, since we already mentioned 512
> in the rfc. But maybe a SHOULD support at least 811...

Of course 4408bis could adjust 512 to 811 if that's *really*
common practice at this time (for the reasons stated by you).

But what should the remaining receivers limited to what UDP
offers do? They get a truncated policy. What do existing
implementations do in this case if they don't pull "MAY ignore"
in the RFC? Caveat, my DNS knowledge is extremely limited,
I hope for a simple answer :-)

Frank

Re: IPv6 root DNS change
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:
> Stuart D. Gathman wrote:
> > I understand it is too late, since we already mentioned 512 in the
> > rfc. But maybe a SHOULD support at least 811...
>
> Of course 4408bis could adjust 512 to 811 if that's *really* common
> practice at this time (for the reasons stated by you).
>
> But what should the remaining receivers limited to what UDP offers do?
> They get a truncated policy. What do existing implementations do in this
> case if they don't pull "MAY ignore" in the RFC? Caveat, my DNS
> knowledge is extremely limited, I hope for a simple answer :-)

If the packet got truncated, its truncated bit is set and you cannot use
the SPF record (trying to parse it from the packet anyway is likely to
run you into the packet's end boundary).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHhL39wL7PKlBZWjsRAo48AKCEokcRZBNmOTI1VE/xckZVMsSp9gCgzCBS
AHeGg0Rwua+tEFNvDkdRlIY=
=VSxy
-----END PGP SIGNATURE-----

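Two points in this thread are concrete enough to show in code: Stuart's issue 1 (a reply larger than 512 bytes over UDP requires the client to advertise an EDNS0 buffer) and Julian's answer above (a reply with the TC bit set is truncated and its SPF record must not be used). The following is an added example written for this thread; it is not code from pyspf, pydns, or any poster. It builds a query with an EDNS0 OPT pseudo-RR (RFC 2671) advertising a 1024-byte buffer, reads the response header, and refuses a truncated or mismatched reply. Only the standard library is used, and the sample replies at the bottom are constructed headers rather than captured traffic; the sending function needs network access and is not run at import time.

```python
"""Added example, not code from the list thread or from pyspf/pydns: a minimal
DNS client side showing (1) a query that advertises an EDNS0 (RFC 2671) UDP
buffer larger than 512 bytes, and (2) the check that a truncated (TC=1) reply
must not be used for an SPF lookup. Standard library only; the sample replies
below are constructed headers, not captured traffic."""
import random
import socket
import struct

EDNS0_UDP_SIZE = 1024   # buffer size the thread suggests testing instead of 512
TYPE_TXT, TYPE_OPT = 16, 41


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, udp_size=EDNS0_UDP_SIZE, tid=None):
    """Return a DNS query for (name, qtype). With udp_size set, an OPT pseudo-RR
    is appended whose CLASS field carries the requester's UDP payload size;
    without it a server must fit the reply into 512 bytes or set TC."""
    if tid is None:
        tid = random.randint(1, 0xFFFF)  # never 0: the thread mentions a firewall rejecting TID 0
    arcount = 1 if udp_size is not None else 0
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # QCLASS IN
    opt = b""
    if udp_size is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict of the fields we need."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": tid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def advertised_udp_size(query):
    """UDP payload size an OPT RR in the query advertises, or 512 when there is
    none. Assumes one question and the OPT RR as the only additional record,
    which is what build_query emits."""
    if parse_header(query)["arcount"] == 0:
        return 512
    pos = 12
    while query[pos] != 0:          # skip the question name label by label
        pos += query[pos] + 1
    pos += 1 + 4                    # terminating zero byte, QTYPE, QCLASS
    name0, rtype, rclass = struct.unpack("!BHH", query[pos:pos + 5])
    return rclass if (name0 == 0 and rtype == TYPE_OPT) else 512


def usable_answer(response, expected_tid):
    """Julian's point: a reply with TC set is truncated and the SPF record in it
    cannot be used; the client has to retry (over TCP, or with a larger EDNS0
    buffer). Replies with a mismatched ID or a non-zero rcode are rejected too."""
    hdr = parse_header(response)
    if not hdr["qr"] or hdr["id"] != expected_tid or hdr["tc"]:
        return False
    return hdr["rcode"] == 0 and hdr["ancount"] > 0


def query_udp(server, name, qtype=TYPE_TXT, udp_size=EDNS0_UDP_SIZE, timeout=3.0):
    """Send one query over UDP and return (query_id, raw reply). The receive
    buffer matches what we advertised so a large reply is not cut short on our
    side. Needs network access; not called at import time."""
    q = build_query(name, qtype, udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(max(udp_size or 512, 512))
    return parse_header(q)["id"], reply


# Constructed sample replies (headers only; enough for the TC check).
OK_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)         # QR, RD, RA
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 1, 0, 0)  # ... plus TC
```

Running `query_udp(resolver_ip, "example.com")` once with `udp_size=None` and once with the default is a direct test of the point Stuart raises: if the first reply comes back with TC set and the second does not, the path to that resolver handles EDNS0; if both are truncated, something in between (the resolver, or a firewall inspecting DNS) is still holding the reply to 512 bytes, and the SPF library will have to fall back to TCP for that domain.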
Re: Re: IPv6 root DNS change
On Wed, 9 Jan 2008, Frank Ellermann wrote:

> Of course 4408bis could adjust 512 to 811 if that's *really*
> common practice at this time (for the reasons stated by you).
>
> But what should the remaining receivers limited to what UDP
> offers do? They get a truncated policy. What do existing
> implementations do in this case if they don't pull "MAY ignore"
> in the RFC? Caveat, my DNS knowledge is extremely limited,
> I hope for a simple answer :-)

Be strict in what you transmit, lax in what you receive.

Obviously, you would publish 512 records for some time yet,
but libraries would be adjusted and tested for 811 (or maybe 1024
for a little growth, since the 811 includes only 3 IPv6 records,
and more will be needed if IPv6 takes off).

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: IPv6 root DNS change
Stuart D. Gathman wrote:

> Be strict in what you transmit, lax in what you receive.

> Obviously, you would publish 512 records for some time yet,
> but libraries would be adjusted and tested for 811 (or maybe 1024
> for a little growth, since the 811 includes only 3 IPv6 records,
> and more will be needed if IPv6 takes off).

Oh, another case of "SHOULD NOT generate" (= publish) coupled
with "SHOULD accept" (where possible, as explained by Julian).

Yes, that's okay, and using 1024 is more convincing than 811.
Odd, EDNS0 is apparently still "only" at PS (RFC 2671), no DS.

Frank
