proposal: security feature improvement for builtin DNS stub resolver #13356

mikioh · 2015-11-22T02:31:00Z

Summary

This issue gathers and maps security feature proposals for the existing builtin DNS stub resolver from bird's-eye view. For now the builtin DNS stub resolver provides only

Insecure DNS RR exchange over insecure DNS transport

and proposals try to implement any of the following:

Secure DNS RR exchange over insecure DNS transport
Insecure DNS RR exchange over secure DNS transport
Secure DNS RR exchange over secure DNS transport

Protocols

Session and presentation

EDNS0: https://tools.ietf.org/html/rfc6891
- The well known IP fragmentation-based attack might be out of scope
- Related issues: net: add EDNS0 support to builtin DNS stub resolver #6464
DNSSEC: https://tools.ietf.org/html/rfc4033
- DNSSEC requires EDNS0 and cipher suites
- The well-known issue that DNS64 breaks DNSSEC might be out of scope
- Related issues: net: validate DNSSEC in Go's DNS resolver #13279
DANE: https://tools.ietf.org/html/rfc6698
- DANE requires DNSSEC

Transport

DNS over TLS: https://tools.ietf.org/html/rfc7858
- DNS over TLS requires TLS
DNS over DTLS: https://tools.ietf.org/html/draft-ietf-dprive-dnsodtls
- DNS over DTLS requires DTLS

Implementation

Exposed APIs
- A few packages in the golang.org/x/net or golang.org/x/crypto repositories may provide APIs using secure RR exchange over secure DNS transport. So far there is no discussion for adding new APIs into standard packages, there might be a few behavioral changes to standard package APIs though.
Test cases
- Related issues: net: dnsclient should be more robust against bogus UDP packets #13281, net: more complete DNS stub resolver tests for uncommon scenarios #13295
Package reorganization
- There probably needs to be a sort of reorganization of related network and crypto packages for avoiding circular dependencies. For example, we cannot use tls.Dial in the net package for constructing DNS over TLS transport because net.Dial is used by tls.Dial.
- Related issues: net/internal/dns: new package #11160

bradfitz · 2016-08-22T23:45:53Z

I'm going to close this because it looks too broad and vague for a proposal.

If you have specific API changes, you can send those for proposals.

If you have security fixes, please send CLs.

mikioh added Proposal Thinking labels Nov 22, 2015

ianlancetaylor added this to the Unplanned milestone Nov 23, 2015

mikioh mentioned this issue Dec 11, 2015

net: pure Go dns does not handle UDP packets > 512 octets #13561

Closed

mikioh mentioned this issue Dec 21, 2015

net: can not unmarshal DNS over UDP message which is more than 512 octets long and indicates TC=0 #13696

Closed

bradfitz closed this as completed Aug 22, 2016

golang locked and limited conversation to collaborators Aug 22, 2017

gopherbot added the FrozenDueToAge label Aug 22, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

proposal: security feature improvement for builtin DNS stub resolver #13356

proposal: security feature improvement for builtin DNS stub resolver #13356

mikioh commented Nov 22, 2015 •

edited

Loading

bradfitz commented Aug 22, 2016

proposal: security feature improvement for builtin DNS stub resolver #13356

proposal: security feature improvement for builtin DNS stub resolver #13356

Comments

mikioh commented Nov 22, 2015 • edited Loading

Summary

Protocols

Session and presentation

Transport

Implementation

bradfitz commented Aug 22, 2016

mikioh commented Nov 22, 2015 •

edited

Loading