IETF Logo Mail Archive

Re: [Add] data integrity and DNSSEC or DoH/DoT

Eric Rescorla <ekr@rtfm.com> Fri, 23 August 2019 12:25 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5C9E120ACB for <add@ietfa.amsl.com>; Fri, 23 Aug 2019 05:25:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bDgjDUCgAreY for <add@ietfa.amsl.com>; Fri, 23 Aug 2019 05:25:54 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D5B4120026 for <add@ietf.org>; Fri, 23 Aug 2019 05:25:54 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id x3so8685662lji.5 for <add@ietf.org>; Fri, 23 Aug 2019 05:25:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kZPeh0nA5mmVvPPauYIyYvVELY4n9/y+um9nVDxGIgQ=; b=vqIS+8L9ApUYL9KFomeyKLmVnSOLRIQpHWLTdFOo2bRxlm7WIggCBBD0OskXSW0GCP mAJ7WrQA39rgHwexcxZJzmd9a2QT56ixtsc27Eg+fk4holajSwi6NGaTk0at3h8AJ76h 7/iQYHNBZ1kYhinwE7J0C1dcl1m40c9CPbS6qoL/vFcbvs7bA3gRcBkVCvpiuMJWMV3S hhDw24m+2sJYgM9xzrDqDnp8zUV+46WNbfTFFxS3e9+edPZOJH1WxYtfycjHfeJUG4Vi gP2uOeckZHUqSp+mu0PSU2ViFruBxyWwZl87ptuM5w4XzaNpXIrmYddyvIG53K4GahLn DDOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kZPeh0nA5mmVvPPauYIyYvVELY4n9/y+um9nVDxGIgQ=; b=fDjp9ixE3t9fIY0bW7n8oBJ1KUKD6Js7O9IHMSnsu+cYtiY5ftjz657gGzYsSxQtrF cLDeOM8GNEyZoN656pgLaJ+jfV5yLETKcHY3uE5Rly3WM6sgCGQGZ+Ro4VtVdMpWspGS zJAKofMhDnVmRHGfz81Pnrrhq5nGbvwj1IosRhjylNqbrq9lZ/IdQT1aPPvsMHDecQtF yTIK3++K2wwWXcgtPjPPKg9BMgsq3XUY3xn3WXEpvv2nWDcnu1W5AuKYddn+EZ/5ZURC 70/knCAEuVUtXoJ6kG4mcaXzdiZPT3yFr7MPH7pGt1iVdGRLk6DbHbF7WGq0FUAzdndP /KLQ==
X-Gm-Message-State: APjAAAUGxFSsBa1KXlftXHsiRHhboUjo8mP3KELUJ2Jl/kb7kM19mciU GAdBJHbtZG6lDRXRnQa2it25oOHERg5Y5RGVtkNtP+I0GQs=
X-Google-Smtp-Source: APXvYqybcreSla1VJtmOwj3uo5l8dDQABMm/dfqgpn/vYdgtRgfEjb9ki7O2V2CsvFKjYVOaSsHSyCBNQ2Olp/Ev/oc=
X-Received: by 2002:a2e:9b0c:: with SMTP id u12mr2833867lji.239.1566563152297; Fri, 23 Aug 2019 05:25:52 -0700 (PDT)
MIME-Version: 1.0
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie> <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com> <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com> <E40CC478-BBA1-4DA9-8F6A-FE1782E0F27E@rfc1035.com> <CABcZeBMnG_HJHYrGpQD1LWWNi8zuhAm=0Uy2HNRRmhYS9PsCtg@mail.gmail.com> <69015C05-4AE8-4FB2-94D4-3B52018DEBA6@rfc1035.com>
In-Reply-To: <69015C05-4AE8-4FB2-94D4-3B52018DEBA6@rfc1035.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 23 Aug 2019 13:25:16 +0100
Message-ID: <CABcZeBPbvug-+N+4_85XN++ySLqZmUGOqzU-jRbr0h6AZ0usNw@mail.gmail.com>
To: Jim Reid <jim@rfc1035.com>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000036176a0590c7e88c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Hq7QlJLlwMPnOOrcwqFBTa61R7I>
Subject: Re: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2019 12:25:57 -0000

On Fri, Aug 23, 2019 at 9:04 AM Jim Reid <jim@rfc1035.com> wrote:

> On 23 Aug 2019, at 05:39, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> >
> >
> > On Thu, Aug 22, 2019 at 1:41 PM Jim Reid <jim@rfc1035.com> wrote:
> >
> >> > On 22 Aug 2019, at 08:00, Eric Rescorla <ekr@rtfm.com> wrote:
> >> >
> >> > Suppose that I receive a bogus response to my A record query, how am
> I to usefully distinguish "this is malware blocking" from "this resolver is
> malicious"?
> >>
> >> I suppose draft-ietf-dnsop-extended-error could add another error code
> for the specific case of a malicious resolver. Whatever that might mean.
> Though I doubt the operators of such servers will choose to set that evil
> bit on their responses.
> >>
> >> PS A potential problem with this I-D is these extended error codes
> won’t be signed. So they can be spoofed by bad actors.
> >>
> > Yes, and for this reason I don't see how this solves the problem. It's
> just "resolver blocked it and claims reason X".
>
> Which I thought answered your original question. Though maybe those
> responses should be signed somehow. Handwave, handwave. If you have
> suggestions on how to improve the security considerations of that I-D,
> please supply text to dnsop.
>
> But now I’m confused. Could you please clarify what you mean by malicious
> resolver? We seem to be using different (unwritten) definitions.
>
> I also don’t understand why it matters to distinguish between responses
> that say "this is malware blocking" from "this resolver is malicious”. The
> end result’s the same - the resolver’s not returning the expected DNS data
> for the query. What difference does it make if the resolver’s giving a
> genuine or a bogus reason for doing that? After all, the client will almost
> always believe what the resolver told them. It entered into an implicit or
> explicit trust relationship with that resolver when the client sent its DNS
> queries there.


Let's go back to your original message, which made the distinction between
actual truth and whatever the resolver told you "DNSSEC validation means
you get the truth, the whole truth and nothing but the truth regardless of
your choice of resolver or the transport path between you and that
resolver. DoH and DoT offer no protection at all from a lying resolver -
you’re just guaranteed to receive precisely whatever lies or truth that
resolver sends" This distinction is only relevant if you actually aren't
going to just trust whatever the resolver tells you.

-Ekr

v2.23.0 | Report a Bug | By Email