IETF Logo Mail Archive

Re: [Add] fixing coffee shop brokenness with DoH

Eric Rescorla <ekr@rtfm.com> Wed, 24 July 2019 15:20 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F81F1202E1 for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 08:20:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GIJducv4WZ4K for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 08:20:57 -0700 (PDT)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59C8E120337 for <add@ietf.org>; Wed, 24 Jul 2019 08:20:56 -0700 (PDT)
Received: by mail-lf1-x134.google.com with SMTP id z15so27964547lfh.13 for <add@ietf.org>; Wed, 24 Jul 2019 08:20:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=E9uqVOaEVHY7A/m4DURShfq/n1bg/uZ7Db+eXt33abM=; b=hLp6TuQyFjZdZtKMrmdAkj7sJulY3yCiuwrLFXiInzhHdo/iosEiy780VyVwyQ8vnq auiuVl++U8HhxmrT+AwP0ujb+4SMB3xscNhDmmyuysXpcmsAbc1+I/kdy2iXYr+1Ejxy q/iGSMZetnkS25Js07STAzej2zAXopYjKIdhtyXWLI26cEYtMXzPvOLVeA9zYzd9DiNK 0ByVkNknYf/RuE4WuWOyVqxL27xrZ5sZzpS8u7ycquWq5tF9DLbu1d24p9EwlUgstxy5 9BfXc5jwupO4xaoC9tdSj7D2ZP3jOQ/QXrdevVCl5DYj9C6gtoH8CYMJbGXcCX/7qX0Y 9SUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=E9uqVOaEVHY7A/m4DURShfq/n1bg/uZ7Db+eXt33abM=; b=cT5axK3ihj9AbOddDSuIz95qLnWAKWAenrIfK3tppGk/cl9a/YqDrTSosnkKocnvDb MvIFCci+6SGy0z8KKy7mG6df3vFaH+fq2JgkT5q7lemXo7wXPkadifxsEK/Y4nTuRJ9S Rh9oaOjZ1pC880oaL4gwq2w2KwYIt2k7xTrycJIp4yuZl29tsSaJDFjjRyx1f6faSCmm sM18zSmaS033wszpoKrl1ObPB4Pe3fxbbTHnPnQyZ37bd4Zf2eEg47YkPFhyQ9IaWW0q h6xAjk+2GjTpsRQ0ZWhw/xRwZ/y2R/SfMwd5qhvAHKzK03AuDOfmt4jAxU+dGkCNdnBd EtNw==
X-Gm-Message-State: APjAAAUco4S6LuscAmv4HqZtr6MmM9Nytvh8si4ZQ1uhopdIugprisAZ kPaNXqf9am7P8ysDA4c6p1cnWhQtGyYLqARVGBg=
X-Google-Smtp-Source: APXvYqznMWsFzWWP5LfsV2bhom+8rcM35OBn+SRNuEalwJ0dCXJNExWElPcSCXEtrW0uod7uGXy5s+GPNTivWzztP3s=
X-Received: by 2002:ac2:528e:: with SMTP id q14mr36213165lfm.17.1563981654592; Wed, 24 Jul 2019 08:20:54 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com> <4DE9B8B1-36D5-4EB5-BE84-D61C182F7372@fugue.com> <CABcZeBN+4RGWN0+xhtb-bMtSJ1B0FAU4JjRJTOSd1x_9JJZBWg@mail.gmail.com> <D361E72B-3783-4E57-8F08-8B418639BB29@fugue.com> <CABcZeBP2MY3pjeZv4Q+1Kj3_GKOgVq8+OYe7im2gYvBzy=Mz7g@mail.gmail.com> <F8A56D5D-B05E-4E80-880C-60D6B550F107@fugue.com> <CABcZeBOO5yvcm=DvDjr-7v4AvVG=13Zy--j362eE0Qqp7hcRaw@mail.gmail.com> <4FC4184E-E41D-420E-A594-60ECF3CD73F1@fugue.com>
In-Reply-To: <4FC4184E-E41D-420E-A594-60ECF3CD73F1@fugue.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 24 Jul 2019 08:20:18 -0700
Message-ID: <CABcZeBOjWQr1HWbGaCkpdR1S7FQUmum=by_SOYWB9OENy8Y-hA@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Jim Reid <jim@rfc1035.com>, "add@ietf.org" <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000f52a2f058e6eda6e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/TNrvB-AAhKxyk5eo3qclvsPuBYM>
Subject: Re: [Add] fixing coffee shop brokenness with DoH
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 15:21:00 -0000

On Wed, Jul 24, 2019 at 8:18 AM Ted Lemon <mellon@fugue.com> wrote:

> On Jul 24, 2019, at 11:10 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> Sure. The case of interest here is that you have a client which wants to
> connect to domain A and the resolver (or a network attacker) wants to stop
> them.
>
> In the case where A is not DNSSEC signed, the attacker just sends
> NXDOMAIN, which the client accepts and refuses to connect.
>
> In the case where A *is* DNSSEC signed, the attacker can also inject an
> NXDOMAIN. DNSSEC of course won't validate, but the client still doesn't
> have an IP address to connect to, so it's only recourse is to error out.
> Now, it can show the user a different error than it did for NXDOMAIN, but
> these errors tend to be fairly generic anyway (Firefox, for instance, shows
> "Hmm. We’re having trouble finding that site."), so from the user
> perspective these aren't really very different.
>
>
> Ah, I see where the disconnect is.   Yes, if the resolver and the network
> are controlled by the same entity, then DNSSEC doesn’t help you to get a
> connection.
>
> However, if you are able to tunnel to a resolver that is not controlled by
> the network operator, then this equivalence no longer exists.   In this
> case, DNSSEC is useful for validating the NXDOMAIN, because the network
> operator is not cooperating with the resolver operator.
>

I'm sorry, I think I'm confused. Where do you think the attacker is
positioned?

-Ekr

v2.23.0 | Report a Bug | By Email