Re: [Add] data integrity and DNSSEC or DoH/DoT
Eric Rescorla <ekr@rtfm.com> Fri, 23 August 2019 12:25 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5C9E120ACB for <add@ietfa.amsl.com>; Fri, 23 Aug 2019 05:25:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bDgjDUCgAreY for <add@ietfa.amsl.com>; Fri, 23 Aug 2019 05:25:54 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D5B4120026 for <add@ietf.org>; Fri, 23 Aug 2019 05:25:54 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id x3so8685662lji.5 for <add@ietf.org>; Fri, 23 Aug 2019 05:25:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kZPeh0nA5mmVvPPauYIyYvVELY4n9/y+um9nVDxGIgQ=; b=vqIS+8L9ApUYL9KFomeyKLmVnSOLRIQpHWLTdFOo2bRxlm7WIggCBBD0OskXSW0GCP mAJ7WrQA39rgHwexcxZJzmd9a2QT56ixtsc27Eg+fk4holajSwi6NGaTk0at3h8AJ76h 7/iQYHNBZ1kYhinwE7J0C1dcl1m40c9CPbS6qoL/vFcbvs7bA3gRcBkVCvpiuMJWMV3S hhDw24m+2sJYgM9xzrDqDnp8zUV+46WNbfTFFxS3e9+edPZOJH1WxYtfycjHfeJUG4Vi gP2uOeckZHUqSp+mu0PSU2ViFruBxyWwZl87ptuM5w4XzaNpXIrmYddyvIG53K4GahLn DDOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kZPeh0nA5mmVvPPauYIyYvVELY4n9/y+um9nVDxGIgQ=; b=fDjp9ixE3t9fIY0bW7n8oBJ1KUKD6Js7O9IHMSnsu+cYtiY5ftjz657gGzYsSxQtrF cLDeOM8GNEyZoN656pgLaJ+jfV5yLETKcHY3uE5Rly3WM6sgCGQGZ+Ro4VtVdMpWspGS zJAKofMhDnVmRHGfz81Pnrrhq5nGbvwj1IosRhjylNqbrq9lZ/IdQT1aPPvsMHDecQtF yTIK3++K2wwWXcgtPjPPKg9BMgsq3XUY3xn3WXEpvv2nWDcnu1W5AuKYddn+EZ/5ZURC 70/knCAEuVUtXoJ6kG4mcaXzdiZPT3yFr7MPH7pGt1iVdGRLk6DbHbF7WGq0FUAzdndP /KLQ==
X-Gm-Message-State: APjAAAUGxFSsBa1KXlftXHsiRHhboUjo8mP3KELUJ2Jl/kb7kM19mciU GAdBJHbtZG6lDRXRnQa2it25oOHERg5Y5RGVtkNtP+I0GQs=
X-Google-Smtp-Source: APXvYqybcreSla1VJtmOwj3uo5l8dDQABMm/dfqgpn/vYdgtRgfEjb9ki7O2V2CsvFKjYVOaSsHSyCBNQ2Olp/Ev/oc=
X-Received: by 2002:a2e:9b0c:: with SMTP id u12mr2833867lji.239.1566563152297; Fri, 23 Aug 2019 05:25:52 -0700 (PDT)
MIME-Version: 1.0
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie> <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com> <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com> <E40CC478-BBA1-4DA9-8F6A-FE1782E0F27E@rfc1035.com> <CABcZeBMnG_HJHYrGpQD1LWWNi8zuhAm=0Uy2HNRRmhYS9PsCtg@mail.gmail.com> <69015C05-4AE8-4FB2-94D4-3B52018DEBA6@rfc1035.com>
In-Reply-To: <69015C05-4AE8-4FB2-94D4-3B52018DEBA6@rfc1035.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 23 Aug 2019 13:25:16 +0100
Message-ID: <CABcZeBPbvug-+N+4_85XN++ySLqZmUGOqzU-jRbr0h6AZ0usNw@mail.gmail.com>
To: Jim Reid <jim@rfc1035.com>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000036176a0590c7e88c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Hq7QlJLlwMPnOOrcwqFBTa61R7I>
Subject: Re: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2019 12:25:57 -0000
On Fri, Aug 23, 2019 at 9:04 AM Jim Reid <jim@rfc1035.com> wrote: > On 23 Aug 2019, at 05:39, Eric Rescorla <ekr@rtfm.com> wrote: > > > > > > > > On Thu, Aug 22, 2019 at 1:41 PM Jim Reid <jim@rfc1035.com> wrote: > > > >> > On 22 Aug 2019, at 08:00, Eric Rescorla <ekr@rtfm.com> wrote: > >> > > >> > Suppose that I receive a bogus response to my A record query, how am > I to usefully distinguish "this is malware blocking" from "this resolver is > malicious"? > >> > >> I suppose draft-ietf-dnsop-extended-error could add another error code > for the specific case of a malicious resolver. Whatever that might mean. > Though I doubt the operators of such servers will choose to set that evil > bit on their responses. > >> > >> PS A potential problem with this I-D is these extended error codes > won’t be signed. So they can be spoofed by bad actors. > >> > > Yes, and for this reason I don't see how this solves the problem. It's > just "resolver blocked it and claims reason X". > > Which I thought answered your original question. Though maybe those > responses should be signed somehow. Handwave, handwave. If you have > suggestions on how to improve the security considerations of that I-D, > please supply text to dnsop. > > But now I’m confused. Could you please clarify what you mean by malicious > resolver? We seem to be using different (unwritten) definitions. > > I also don’t understand why it matters to distinguish between responses > that say "this is malware blocking" from "this resolver is malicious”. The > end result’s the same - the resolver’s not returning the expected DNS data > for the query. What difference does it make if the resolver’s giving a > genuine or a bogus reason for doing that? After all, the client will almost > always believe what the resolver told them. It entered into an implicit or > explicit trust relationship with that resolver when the client sent its DNS > queries there. Let's go back to your original message, which made the distinction between actual truth and whatever the resolver told you "DNSSEC validation means you get the truth, the whole truth and nothing but the truth regardless of your choice of resolver or the transport path between you and that resolver. DoH and DoT offer no protection at all from a lying resolver - you’re just guaranteed to receive precisely whatever lies or truth that resolver sends" This distinction is only relevant if you actually aren't going to just trust whatever the resolver tells you. -Ekr
- [Add] What to do in this potential working group Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Orth
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Jim Reid
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Vyncke (evyncke)
- Re: [Add] What to do in this potential working gr… Ted Lemon
- Re: [Add] What to do in this potential working gr… Jim Reid
- Re: [Add] What to do in this potential working gr… Ted Lemon
- Re: [Add] What to do in this potential working gr… Tommy Jensen
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Brian Dickson
- Re: [Add] What to do in this potential working gr… Brian Dickson
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… Adam Roach
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… David Conrad
- [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] data integrity and DNSSEC or DoH/DoT David Conrad
- Re: [Add] data integrity and DNSSEC or DoH/DoT Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] Unstated assumptions in What to do in t… John Levine
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] What to do in this potential working gr… Patrik Fältström
- Re: [Add] What to do in this potential working gr… Patrik Fältström
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Martin Thomson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Daniel Stenberg
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Martin J. Dürst
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ralf Weber
- Re: [Add] data integrity and DNSSEC or DoH/DoT Ralf Weber
- Re: [Add] data integrity and DNSSEC or DoH/DoT Willem Toorop
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Rubens Kuhl
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] What to do in this potential working gr… Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Adam Roach
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Christian Huitema
- Re: [Add] data integrity and DNSSEC or DoH/DoT Christian Huitema
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Andrew Campling
- Re: [Add] data integrity and DNSSEC or DoH/DoT Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Alec Muffett
- Re: [Add] data integrity and DNSSEC or DoH/DoT Alec Muffett