IETF Logo Mail Archive

Re: [Add] data integrity and DNSSEC or DoH/DoT

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 23 August 2019 14:29 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EB7A1200C1 for <add@ietfa.amsl.com>; Fri, 23 Aug 2019 07:29:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MSkDH7QAoMpG for <add@ietfa.amsl.com>; Fri, 23 Aug 2019 07:29:56 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEEB012009C for <add@ietf.org>; Fri, 23 Aug 2019 07:29:55 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id u190so8353215qkh.5 for <add@ietf.org>; Fri, 23 Aug 2019 07:29:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=h0udFHXz311FjPk+jK0cfRMGDtApoi+aft4uDIxmxYw=; b=u1dGTJfTqfKfi5B//17/ea7jZghfarP2kBWlLI2JDnujzODRNaUAfcrh1twXdLfDwG 620byo/2lWq+JpXqh1w2isWubooi87eM9zf8G53XXJDTFcoYahbevqZvtuJsL9hUZQob xAk545bzSbwASX0nkPQ8/pqJbPy2IU1zb1KCQGlFSQxhtX85nllJ+2AknH1AlPs2Ng/z U2dGaCnqZOOApV7ooPPi61EpxgosAyIRkkfkPgjIO7wDzsNIBTauBw6jHUMbGr56Cq6i 3aOS/QYElU+3qhHPBmxGGCWLruhib9m76sE7yLF5o4KokIcIUl7y89sFxp1D9okm1ANL GVmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=h0udFHXz311FjPk+jK0cfRMGDtApoi+aft4uDIxmxYw=; b=EHPf8v1olzKWBQa/rce5tE39JChMvRBnbo7Bjdy/nlyp50zrvFZTos9CCJ5OTy5oVV YH4YSF6NdhWq45yYxpbzl2b0jKuMQr3ZBVRGxIWEebuPnG+Fcrm1CzeSTbAQsznnCaCf NefNL1IP+uzFL8kATTrOGZy2/3eEIAGgdWVjSuA5lWP0P4XWiEeKVgyvOb8rFO7XBMlL LqmZnLUZRrFM3TsSv/chs+DJ5LIICP76bIdwqnICsG5CIXuHqSgcrM4lmjxXunwPEh0U 8292GUFfUfucL5/Zzdhjyuv3ujUDs9lKk28qhdLCZVo1gR0OS99E0bRGBE3kLDZZMiTg uZKQ==
X-Gm-Message-State: APjAAAVu1KTSarlHkP0Zmwbfr5czC0yPzoCfBV6Jo+woryX+rf0WJ5Ig XBQC9DYKMrbcQi08Jz1R81kKz712
X-Google-Smtp-Source: APXvYqyScVq+cA49Q9XrQ2wUNFfBl0/4SMbnqW7J7zcfRUHNSQaAyr8xmtUvBTrfIuj52RtrFwsfZg==
X-Received: by 2002:a37:805:: with SMTP id 5mr4230307qki.351.1566570594732; Fri, 23 Aug 2019 07:29:54 -0700 (PDT)
Received: from [192.168.2.4] (cpe-76-179-66-50.maine.res.rr.com. [76.179.66.50]) by smtp.gmail.com with ESMTPSA id i8sm1482110qkm.46.2019.08.23.07.29.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 23 Aug 2019 07:29:53 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-1AC752DA-E813-4518-9438-95833106670E"
Mime-Version: 1.0 (1.0)
From: Brian Dickson <brian.peter.dickson@gmail.com>
X-Mailer: iPhone Mail (16G77)
In-Reply-To: <CABcZeBPbvug-+N+4_85XN++ySLqZmUGOqzU-jRbr0h6AZ0usNw@mail.gmail.com>
Date: Fri, 23 Aug 2019 10:29:52 -0400
Cc: ADD Mailing list <add@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <6644AA53-6787-4F92-BEAF-C4C6FD8533BA@gmail.com>
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie> <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com> <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com> <E40CC478-BBA1-4DA9-8F6A-FE1782E0F27E@rfc1035.com> <CABcZeBMnG_HJHYrGpQD1LWWNi8zuhAm=0Uy2HNRRmhYS9PsCtg@mail.gmail.com> <69015C05-4AE8-4FB2-94D4-3B52018DEBA6@rfc1035.com> <CABcZeBPbvug-+N+4_85XN++ySLqZmUGOqzU-jRbr0h6AZ0usNw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/LRNQwzGywgCLAE3gUgSza_XhQ24>
Subject: Re: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2019 14:29:58 -0000


> On Aug 23, 2019, at 8:25 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
>> On Fri, Aug 23, 2019 at 9:04 AM Jim Reid <jim@rfc1035.com> wrote:
>> On 23 Aug 2019, at 05:39, Eric Rescorla <ekr@rtfm.com> wrote:
>> > 
>> > 
>> > 
>> > On Thu, Aug 22, 2019 at 1:41 PM Jim Reid <jim@rfc1035.com> wrote:
>> > 
>> >> > On 22 Aug 2019, at 08:00, Eric Rescorla <ekr@rtfm.com> wrote:
>> >> > 
>> >> > Suppose that I receive a bogus response to my A record query, how am I to usefully distinguish "this is malware blocking" from "this resolver is malicious"?
>> >> 
>> >> I suppose draft-ietf-dnsop-extended-error could add another error code for the specific case of a malicious resolver. Whatever that might mean. Though I doubt the operators of such servers will choose to set that evil bit on their responses.
>> >> 
>> >> PS A potential problem with this I-D is these extended error codes won’t be signed. So they can be spoofed by bad actors.
>> >> 
>> > Yes, and for this reason I don't see how this solves the problem. It's just "resolver blocked it and claims reason X".
>> 
>> Which I thought answered your original question. Though maybe those responses should be signed somehow. Handwave, handwave. If you have suggestions on how to improve the security considerations of that I-D, please supply text to dnsop.
>> 
>> But now I’m confused. Could you please clarify what you mean by malicious resolver? We seem to be using different (unwritten) definitions.
>> 
>> I also don’t understand why it matters to distinguish between responses that say "this is malware blocking" from "this resolver is malicious”. The end result’s the same - the resolver’s not returning the expected DNS data for the query. What difference does it make if the resolver’s giving a genuine or a bogus reason for doing that? After all, the client will almost always believe what the resolver told them. It entered into an implicit or explicit trust relationship with that resolver when the client sent its DNS queries there.
> 
> Let's go back to your original message, which made the distinction between actual truth and whatever the resolver told you "DNSSEC validation means you get the truth, the whole truth and nothing but the truth regardless of your choice of resolver or the transport path between you and that resolver. DoH and DoT offer no protection at  all from a lying resolver - you’re just guaranteed to receive precisely whatever lies or truth that resolver sends" This distinction is only relevant if you actually aren't going to just trust whatever the resolver tells you.

There are two kinds of “blocked” answers that a resolver doing this kind of blocking would return. All non-blocked answers would pass such a check. 

The two kinds are:
1) A non-zero response code (indicating an error) with Jim’s suggested extended error code explaining why. This “lie” is meta-data only. The only time this response would fail to validate is if it was an NXDOMAIN response, which would require a signed proof of non-existence. Adding Jim’s suggested logic only blocks access, it never requires trusting data in the answer. (Adding a signed proof might be possible but would require adding DNSSEC trust anchors.)
2) A substitute response, typically directing the client (user) to a “walled garden” explaining the blocking and possibly doing other things (like offering the user the option of reporting a false positive). There may be ways to sign these substitute responses, but those would require additional DNSSEC trust anchors (on the client).

If the blocking is done using only the first type of response, the distinction is significant: the client only ever has to trust negative answers marked as “blocked by XXX”. All other answers would validate. The client would never have to trust a bogus positive answer.

If additional trust anchors are used, their use could be restricted to answers marked with extended response codes, and highlighted by the browser as such. In this case, all responses would be validated, either with the standard trust anchor, or with an extra trust anchor used only for blocking.

Brian

v2.23.0 | Report a Bug | By Email