Encrypting zone transfers closes one more leak left open by old DNS technology

Blog 07-08-2020

By Monika Ermert, eLance Journalist - Making the DNS more privacy friendly is the declared goal of the IETF DPRIVE Working Group (WG). As they gathered virtually for IETF108, the WG took a sharp look at the proposal to extend privacy to the technical operation of zone transfers.

Zone transfers occur when registries dispatch so-called zones, records of domains managed by the registries, to several servers, for instance to ensure reliability. So far, zone transfers are all in cleartext, meaning that the records become visible on the wire during the transfer. That’s not state-of-the-art security any more, says Sara Dickinson, engineer at Sinodun.

She presented a revised draft of Zone Transfers over TLS (XOT) and said that draft authors were aware of “a real world need for this”. The group, which includes Salesforce engineers and an NLnet Labs researcher, wanted to push for a WG last call around the upcoming IETF109 in November.

The use of TLS to encrypt data streams will prevent passive attackers from observing what data is in the zone, according to Dickinson. Some of this data may be personal data, making it especially worthy of protection in European jurisdictions, but the mechanism will also protect DNS infrastructure by effectively obscuring the location of DNS servers, so that a ‘hidden primary’ can in fact stay hidden.

A number of details are still being worked out, or will remain optional. Implementers may decide to only hide the zone transfers – the so-called IXFR and AXFR requests and answers – or they could create a TLS-encrypted channel even for the start of authority (SOA) request that initiates the transfer. Other options include whether two-way authorization for the servers is needed, or if opportunistic connectivity is enough. The latter could be the case if the parties rely on other security mechanisms like transaction signatures (TSIG) or access control lists (ACLs).

During the discussion, questions were raised on whether protection has to go even beyond the proposals in the draft. Daniel Kahn Gillmor, tech expert of the American Civil Liberties Union, underlined the need to protect the encrypted streams against being detected as zone transfer traffic. One method to address this is already part of the draft: padding, well known from two earlier RFCs that use it to further obscure encrypted DNS queries between the stub resolver and the DNS resolver.
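The padding Gillmor referred to works by rounding every message up to a fixed block size, so that a short SOA query, an AXFR request and an IXFR request all leave the TLS channel at the same length. The following Python is an added illustration, not code from the XOT draft or from any DNS implementation; it implements the block-length policy of RFC 8467 with the EDNS(0) Padding option of RFC 7830, and the sample message lengths are constructed.

```python
"""Block-length padding for encrypted DNS messages (RFC 7830 option, RFC 8467 policy)."""

PADDING_OPTION_CODE = 12      # EDNS(0) option code assigned to Padding (RFC 7830)
OPTION_HEADER_LEN = 4         # 2-octet option code + 2-octet option length
QUERY_BLOCK = 128             # RFC 8467 recommended block size for queries
RESPONSE_BLOCK = 468          # RFC 8467 recommended block size for responses
MAX_DNS_MESSAGE = 65535       # largest message DNS over TCP/TLS can carry


def padding_length(unpadded_len: int, block: int, max_len: int = MAX_DNS_MESSAGE) -> int:
    """Octets of padding data to append so the final message is a block multiple.

    `unpadded_len` is the message size with its OPT RR but without the Padding
    option; the 4-octet option header is accounted for here.  If rounding up
    would exceed `max_len`, RFC 8467 says to pad to the maximum instead.
    """
    with_header = unpadded_len + OPTION_HEADER_LEN
    target = -(-with_header // block) * block          # round up to a multiple of block
    if target > max_len:
        target = max_len
    return max(target - with_header, 0)


def padding_option(pad_len: int) -> bytes:
    """Wire encoding of the Padding option: code, length, then zero octets."""
    return (PADDING_OPTION_CODE.to_bytes(2, "big")
            + pad_len.to_bytes(2, "big")
            + b"\x00" * pad_len)


def padded_total(unpadded_len: int, block: int) -> int:
    """Length of the message as it appears on the wire after padding."""
    return unpadded_len + len(padding_option(padding_length(unpadded_len, block)))


# Constructed sizes: a SOA query, an AXFR query and an IXFR query for the same
# zone differ by a few octets, which is enough to tell them apart unpadded.
SAMPLE_QUERIES = {"SOA": 52, "AXFR": 53, "IXFR": 75}


def padded_query_sizes() -> dict:
    """Return the on-the-wire size of each sample query after query-block padding."""
    return {name: padded_total(size, QUERY_BLOCK) for name, size in SAMPLE_QUERIES.items()}


if __name__ == "__main__":
    for name, size in padded_query_sizes().items():
        print(f"{name}: {SAMPLE_QUERIES[name]} octets -> {size} octets on the wire")
```

All three sample queries leave as 128-octet records, while a 1000-octet zone-transfer response would be padded to 1404 octets, the next multiple of 468.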

The DPRIVE WG also briefly looked into the other big topic: encrypting traffic from resolvers to authoritative DNS servers (ADOT). ADOT is still a contentious issue (see our forthcoming blog post), but in spite of fears that working on encrypted zone transfers (XOT) might further delay important security enhancements in the upstream infrastructure, engineers converged around the idea of running code and getting things done.

A step too far?

From a registrar’s point of view, encrypting zone transfers was “not a terrible idea”, said Michele Neylon, head of the Irish registrar Blacknight. He did not, however, believe that recent developments in European privacy law, such as the European Court of Justice ruling in Schrems II on 16 July 2020, had an impact on the need for stronger privacy and security.

A DNS zone in Neylon's view should not contain PII, “unless you take a very extreme view and argue that the domain itself can contain PII”. This could happen if the domain name contains, for instance, a personal name. Neylon was pretty sure that while European case-law could “have an impact on a lot of things within the internet ecosystem, I would hope that people don't start looking at DNS records”. He did, however, point out that the WHOIS records, which match domain names with individuals' names and contact details, are another ballpark. But this, of course, is more a discussion for the ICANN policy setting processes than for IETF technical specifications.

Encrypting zone transfers might be something Neylon would consider when DNS server software is prepared. At the moment, his company only relies on zone transfers between their own DNS servers.

Looking for XOT tests and interoperability

The implementation of XOT was in the making for NSD DNS servers, said Dickinson. The XOT drafters had also started to investigate updates in BIND. Plans are also being made for Knot DNS. According to Daniel Salzman from CZ.NIC: “We might do XOT in Knot DNS sometime next year, assuming the protocol draft standard does not get too hairy”.

Dickinson is hoping for stronger interoperability tests down the road, and if you ask developers, 2021 could be the year when cleartext zone transfers become outdated.

Published By Lydia Pernal-Stoddart