IETF Logo Mail Archive

Re: [Add] data integrity and DNSSEC or DoH/DoT

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 03 September 2019 17:39 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76E4C12006F for <add@ietfa.amsl.com>; Tue, 3 Sep 2019 10:39:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DyPG4XT3a0cW for <add@ietfa.amsl.com>; Tue, 3 Sep 2019 10:39:36 -0700 (PDT)
Received: from mail-vs1-xe2d.google.com (mail-vs1-xe2d.google.com [IPv6:2607:f8b0:4864:20::e2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81FD7120043 for <add@ietf.org>; Tue, 3 Sep 2019 10:39:36 -0700 (PDT)
Received: by mail-vs1-xe2d.google.com with SMTP id w195so9216315vsw.11 for <add@ietf.org>; Tue, 03 Sep 2019 10:39:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vtYY0dxkNZ1NPRmp2vJDbhHLyhKzt+lVY5EUcPlaF/8=; b=tVDIgxb5GnnoLtvS6/WUvf838hUWPcV6YzrSqpa6qv02rw0Gp7KY5LjecKDy9AaXFt +yq4xv4qFlmT9a+pnjCzkQ6xbZpPCFFqLFtPbzfZP+8tmn5k+jKdyMMpjnfdc5fPIS6T qf9P+wt4A15nVsoRBvQTku1gijHGCfI/CPdjUfftlObe25TO9GHPpCymZjBJAaxXQi1x m6sPBNmDHQ534E+t2P4tjIs90Ppk8T4fcEnovRVu/w3BdsJZJGC9PMshsGiZHi/tVMzT sPUHuWVdKp0TRNbLz9ruNz6eYwOndPJxXPqAVxeRppRvwJEC5kplxDmr+8SDXWpzKFZL ALCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vtYY0dxkNZ1NPRmp2vJDbhHLyhKzt+lVY5EUcPlaF/8=; b=cdGSOVfrRX0GQTDV57BpC/54GnNbRDYGQAQsvs/0gcmaB5daTYLoB1q72uBIGznKYe ODbkTS82cKFckOumwDbfDlAKDMjGIUnYY+aKPVtG8XEgdSTrUvYVSZIBBGBYw83SPTWm fCOTy3HFLSRFfC3Zw1l79Bl+KZZlvJdLMshqrFSbqndGjJb2rxm4r2Vtwe+zyxxT07i4 GPlfaQUqH1WmUYgz6/+2AW19S25NX4NbwjMv4WELBeOyMyGFeIE+3TB/1NCG8yLoPvKm HjFidg8S+LKxRQIRWSJrvJBVRus/RqYXMAwAnRIsbc7167/S3k5ZT/gYhvKPQHMYWKHS BMMA==
X-Gm-Message-State: APjAAAXcU50mP8d21llujR/kbJjV1wRAslORlz9APD2MR2mhm3KuFQfG 1yZXffg9AjKBJ2bSPYy1nGMMLcW0T62D4kNUpaA=
X-Google-Smtp-Source: APXvYqxfLW5mvmRsDGkj8KjB7wgBBpyU9IHd7Z8NpfLx7Q0lTNnXVV2RiQj57cX5tahsr/5dCuEuczrf4wiGDRYBwtc=
X-Received: by 2002:a67:f546:: with SMTP id z6mr18530849vsn.136.1567532375607; Tue, 03 Sep 2019 10:39:35 -0700 (PDT)
MIME-Version: 1.0
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie> <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com> <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com> <E40CC478-BBA1-4DA9-8F6A-FE1782E0F27E@rfc1035.com> <CABcZeBMnG_HJHYrGpQD1LWWNi8zuhAm=0Uy2HNRRmhYS9PsCtg@mail.gmail.com> <06613304-C325-4BA4-AB6F-32D79DFCECA0@open-xchange.com> <CABcZeBMr6WtzbyPPA6W1Da0A9bUoowMVucbBf5K0BQgqZrNdwg@mail.gmail.com>
In-Reply-To: <CABcZeBMr6WtzbyPPA6W1Da0A9bUoowMVucbBf5K0BQgqZrNdwg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 03 Sep 2019 10:39:17 -0700
Message-ID: <CAH1iCioWFzHN_hTW4G=0kNHX+2onC64xTSEG-U4miQ1YUH8bSQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Neil Cook <neil.cook@open-xchange.com>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006c0e710591a992ae"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/LxX8Fu6HapjemPYjk9MqWxIS9F8>
X-Mailman-Approved-At: Wed, 04 Sep 2019 09:08:00 -0700
Subject: Re: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 17:39:40 -0000

On Tue, Sep 3, 2019 at 8:42 AM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Tue, Sep 3, 2019 at 6:15 AM Neil Cook <neil.cook@open-xchange.com>
> wrote:
>
>>
>>
>> It’s not entirely  useless. The problem it does solve is giving the user
>> a better experience when a site is blocked for resolvers that support this
>> extended Error Code. Currently for HTTPS the user will end up with a TLS
>> connection error of some kind (or a blank page in some browsers). If a
>> resolver returns a “blocked/censored/prohibited” response, then the browser
>> can tell the user that the web page was blocked with an informative
>> message. Assuming this becomes the default behaviour for non-malicious
>> resolvers then I think it will a good signal for distinguishing  "this is
>> malware blocking" from "this resolver is malicious”.
>>
>
> I'm not following. Suppose that we add an error code that says "this site
> has malware". Now, I operate a resolver which is malicious in the sense
> that it wishes to block a certain form of content (say, access to the IETF)
> but don't want the people whose content I am blocking is being blocked for
> that reason. So, instead I return "this site has malware".
>
> My point here is that a code of this type only tells you what the resolver
> *asserts* the reason it blocked it is, it doesn't necessarily tell you what
> the actual reason that the content was blocked.
>

The high-level issue is that at very least some of the blocking services or
resolvers doing blocking, are set up based on some specific trust
relationship, and that trust is essential in order to have a reason to use
the service or resolver.
Those are typically either internal (enterprise) scenarios where that trust
is basically "same company" and mandated, or a service offered with some
specific terms of service, whether it is a fee-based service or free.

Trying to overlay a different model of third-party resolver where the
client doesn't have a pre-defined trust relationship with that third party,
is where things start to go sideways.

While it might be possible to re-engineer both sides of that equation so
they are not incompatible, the basic issue is that you can't easily tell
whether a resolver currently being used is strictly giving unmodified
results or not. There is no clear signal or flag.

Going beyond assertion might be possible with re-engineering, such as
providing some fourth-party attestation (e.g. the source of the feed that
gets used by the DNS resolver also provides its own signature on individual
entries that would permit human inspection).

>From a mathematical perspective, the problem is one of classical logic
versus modern logic: saying "Every X is a Y" also require an assertion of
existence "There is one member of X", in order to guarantee that Y is not
vacuously true.
In this case, the underlying truth problem is asking a user to pick one of
N different resolvers to trust, without the user having any way to know
independently if any of those resolvers are trustworthy.
If none of the resolvers is trustworthy, then the only solution is to not
trust the resolvers. This can be done by forcing DNSSEC validation to be
done and to discard any failures.
If and only if the user is able to legitimately trust their selected
resolver, can that assertion be relied upon, and at that point the
assertion has value.

There are at least two things that I see as being problems that need to be
worked on to achieve this possibility: discovery of trustworthiness and/or
trust relationship with the existing configured resolver; and the "who
watches the watchmen" problem of persistent monitoring of allegedly
trustworthy resolver operators to determine whether a given response from a
particular resolver (including any assertion about blocking and reason) can
be trusted.

IMHO, deploying any TRR without this devolves to the "can't trust the
resolver", which means no blocking, which is a terrible result (given that
we live in a malware-infested world as well as other subjectively- and
objectively-bad stuff like child pornography).

I would prefer to actually work on these problems.

I also think it would be better for all parties if implementers not deploy
things like TRRs until the bare minimum of mechanisms is available, which
may require work not only on the applications (doing dns) but also on the
resolvers themselves.

Brian

v2.23.0 | Report a Bug | By Email