Re: [Add] data integrity and DNSSEC or DoH/DoT
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 03 September 2019 17:39 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76E4C12006F for <add@ietfa.amsl.com>; Tue, 3 Sep 2019 10:39:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DyPG4XT3a0cW for <add@ietfa.amsl.com>; Tue, 3 Sep 2019 10:39:36 -0700 (PDT)
Received: from mail-vs1-xe2d.google.com (mail-vs1-xe2d.google.com [IPv6:2607:f8b0:4864:20::e2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81FD7120043 for <add@ietf.org>; Tue, 3 Sep 2019 10:39:36 -0700 (PDT)
Received: by mail-vs1-xe2d.google.com with SMTP id w195so9216315vsw.11 for <add@ietf.org>; Tue, 03 Sep 2019 10:39:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vtYY0dxkNZ1NPRmp2vJDbhHLyhKzt+lVY5EUcPlaF/8=; b=tVDIgxb5GnnoLtvS6/WUvf838hUWPcV6YzrSqpa6qv02rw0Gp7KY5LjecKDy9AaXFt +yq4xv4qFlmT9a+pnjCzkQ6xbZpPCFFqLFtPbzfZP+8tmn5k+jKdyMMpjnfdc5fPIS6T qf9P+wt4A15nVsoRBvQTku1gijHGCfI/CPdjUfftlObe25TO9GHPpCymZjBJAaxXQi1x m6sPBNmDHQ534E+t2P4tjIs90Ppk8T4fcEnovRVu/w3BdsJZJGC9PMshsGiZHi/tVMzT sPUHuWVdKp0TRNbLz9ruNz6eYwOndPJxXPqAVxeRppRvwJEC5kplxDmr+8SDXWpzKFZL ALCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vtYY0dxkNZ1NPRmp2vJDbhHLyhKzt+lVY5EUcPlaF/8=; b=cdGSOVfrRX0GQTDV57BpC/54GnNbRDYGQAQsvs/0gcmaB5daTYLoB1q72uBIGznKYe ODbkTS82cKFckOumwDbfDlAKDMjGIUnYY+aKPVtG8XEgdSTrUvYVSZIBBGBYw83SPTWm fCOTy3HFLSRFfC3Zw1l79Bl+KZZlvJdLMshqrFSbqndGjJb2rxm4r2Vtwe+zyxxT07i4 GPlfaQUqH1WmUYgz6/+2AW19S25NX4NbwjMv4WELBeOyMyGFeIE+3TB/1NCG8yLoPvKm HjFidg8S+LKxRQIRWSJrvJBVRus/RqYXMAwAnRIsbc7167/S3k5ZT/gYhvKPQHMYWKHS BMMA==
X-Gm-Message-State: APjAAAXcU50mP8d21llujR/kbJjV1wRAslORlz9APD2MR2mhm3KuFQfG 1yZXffg9AjKBJ2bSPYy1nGMMLcW0T62D4kNUpaA=
X-Google-Smtp-Source: APXvYqxfLW5mvmRsDGkj8KjB7wgBBpyU9IHd7Z8NpfLx7Q0lTNnXVV2RiQj57cX5tahsr/5dCuEuczrf4wiGDRYBwtc=
X-Received: by 2002:a67:f546:: with SMTP id z6mr18530849vsn.136.1567532375607; Tue, 03 Sep 2019 10:39:35 -0700 (PDT)
MIME-Version: 1.0
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie> <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com> <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com> <E40CC478-BBA1-4DA9-8F6A-FE1782E0F27E@rfc1035.com> <CABcZeBMnG_HJHYrGpQD1LWWNi8zuhAm=0Uy2HNRRmhYS9PsCtg@mail.gmail.com> <06613304-C325-4BA4-AB6F-32D79DFCECA0@open-xchange.com> <CABcZeBMr6WtzbyPPA6W1Da0A9bUoowMVucbBf5K0BQgqZrNdwg@mail.gmail.com>
In-Reply-To: <CABcZeBMr6WtzbyPPA6W1Da0A9bUoowMVucbBf5K0BQgqZrNdwg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 03 Sep 2019 10:39:17 -0700
Message-ID: <CAH1iCioWFzHN_hTW4G=0kNHX+2onC64xTSEG-U4miQ1YUH8bSQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Neil Cook <neil.cook@open-xchange.com>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006c0e710591a992ae"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/LxX8Fu6HapjemPYjk9MqWxIS9F8>
X-Mailman-Approved-At: Wed, 04 Sep 2019 09:08:00 -0700
Subject: Re: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 17:39:40 -0000
On Tue, Sep 3, 2019 at 8:42 AM Eric Rescorla <ekr@rtfm.com> wrote: > > > On Tue, Sep 3, 2019 at 6:15 AM Neil Cook <neil.cook@open-xchange.com> > wrote: > >> >> >> It’s not entirely useless. The problem it does solve is giving the user >> a better experience when a site is blocked for resolvers that support this >> extended Error Code. Currently for HTTPS the user will end up with a TLS >> connection error of some kind (or a blank page in some browsers). If a >> resolver returns a “blocked/censored/prohibited” response, then the browser >> can tell the user that the web page was blocked with an informative >> message. Assuming this becomes the default behaviour for non-malicious >> resolvers then I think it will a good signal for distinguishing "this is >> malware blocking" from "this resolver is malicious”. >> > > I'm not following. Suppose that we add an error code that says "this site > has malware". Now, I operate a resolver which is malicious in the sense > that it wishes to block a certain form of content (say, access to the IETF) > but don't want the people whose content I am blocking is being blocked for > that reason. So, instead I return "this site has malware". > > My point here is that a code of this type only tells you what the resolver > *asserts* the reason it blocked it is, it doesn't necessarily tell you what > the actual reason that the content was blocked. > The high-level issue is that at very least some of the blocking services or resolvers doing blocking, are set up based on some specific trust relationship, and that trust is essential in order to have a reason to use the service or resolver. Those are typically either internal (enterprise) scenarios where that trust is basically "same company" and mandated, or a service offered with some specific terms of service, whether it is a fee-based service or free. Trying to overlay a different model of third-party resolver where the client doesn't have a pre-defined trust relationship with that third party, is where things start to go sideways. While it might be possible to re-engineer both sides of that equation so they are not incompatible, the basic issue is that you can't easily tell whether a resolver currently being used is strictly giving unmodified results or not. There is no clear signal or flag. Going beyond assertion might be possible with re-engineering, such as providing some fourth-party attestation (e.g. the source of the feed that gets used by the DNS resolver also provides its own signature on individual entries that would permit human inspection). >From a mathematical perspective, the problem is one of classical logic versus modern logic: saying "Every X is a Y" also require an assertion of existence "There is one member of X", in order to guarantee that Y is not vacuously true. In this case, the underlying truth problem is asking a user to pick one of N different resolvers to trust, without the user having any way to know independently if any of those resolvers are trustworthy. If none of the resolvers is trustworthy, then the only solution is to not trust the resolvers. This can be done by forcing DNSSEC validation to be done and to discard any failures. If and only if the user is able to legitimately trust their selected resolver, can that assertion be relied upon, and at that point the assertion has value. There are at least two things that I see as being problems that need to be worked on to achieve this possibility: discovery of trustworthiness and/or trust relationship with the existing configured resolver; and the "who watches the watchmen" problem of persistent monitoring of allegedly trustworthy resolver operators to determine whether a given response from a particular resolver (including any assertion about blocking and reason) can be trusted. IMHO, deploying any TRR without this devolves to the "can't trust the resolver", which means no blocking, which is a terrible result (given that we live in a malware-infested world as well as other subjectively- and objectively-bad stuff like child pornography). I would prefer to actually work on these problems. I also think it would be better for all parties if implementers not deploy things like TRRs until the bare minimum of mechanisms is available, which may require work not only on the applications (doing dns) but also on the resolvers themselves. Brian
- [Add] What to do in this potential working group Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Orth
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Jim Reid
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Vyncke (evyncke)
- Re: [Add] What to do in this potential working gr… Ted Lemon
- Re: [Add] What to do in this potential working gr… Jim Reid
- Re: [Add] What to do in this potential working gr… Ted Lemon
- Re: [Add] What to do in this potential working gr… Tommy Jensen
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Brian Dickson
- Re: [Add] What to do in this potential working gr… Brian Dickson
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… Adam Roach
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… David Conrad
- [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] data integrity and DNSSEC or DoH/DoT David Conrad
- Re: [Add] data integrity and DNSSEC or DoH/DoT Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] Unstated assumptions in What to do in t… John Levine
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] What to do in this potential working gr… Patrik Fältström
- Re: [Add] What to do in this potential working gr… Patrik Fältström
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Martin Thomson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Daniel Stenberg
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Martin J. Dürst
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ralf Weber
- Re: [Add] data integrity and DNSSEC or DoH/DoT Ralf Weber
- Re: [Add] data integrity and DNSSEC or DoH/DoT Willem Toorop
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Rubens Kuhl
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] What to do in this potential working gr… Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Adam Roach
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Christian Huitema
- Re: [Add] data integrity and DNSSEC or DoH/DoT Christian Huitema
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Andrew Campling
- Re: [Add] data integrity and DNSSEC or DoH/DoT Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Alec Muffett
- Re: [Add] data integrity and DNSSEC or DoH/DoT Alec Muffett