IETF Logo Mail Archive

Re: [Add] data integrity and DNSSEC or DoH/DoT

Jim Reid <jim@rfc1035.com> Fri, 23 August 2019 08:04 UTC

Return-Path: <jim@rfc1035.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A80641200CD for <add@ietfa.amsl.com>; Fri, 23 Aug 2019 01:04:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RJeGurxNVYlQ for <add@ietfa.amsl.com>; Fri, 23 Aug 2019 01:04:21 -0700 (PDT)
Received: from shaun.rfc1035.com (smtp.v6.rfc1035.com [IPv6:2001:4b10:100:7::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFF40120059 for <add@ietf.org>; Fri, 23 Aug 2019 01:04:20 -0700 (PDT)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id 7C81C242109D; Fri, 23 Aug 2019 08:04:17 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <CABcZeBMnG_HJHYrGpQD1LWWNi8zuhAm=0Uy2HNRRmhYS9PsCtg@mail.gmail.com>
Date: Fri, 23 Aug 2019 09:04:16 +0100
Cc: ADD Mailing list <add@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <69015C05-4AE8-4FB2-94D4-3B52018DEBA6@rfc1035.com>
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie> <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com> <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com> <E40CC478-BBA1-4DA9-8F6A-FE1782E0F27E@rfc1035.com> <CABcZeBMnG_HJHYrGpQD1LWWNi8zuhAm=0Uy2HNRRmhYS9PsCtg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/VRcb96scJNM4RLsudldIe6HxHCw>
Subject: Re: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2019 08:04:23 -0000

On 23 Aug 2019, at 05:39, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
> On Thu, Aug 22, 2019 at 1:41 PM Jim Reid <jim@rfc1035.com> wrote:
> 
>> > On 22 Aug 2019, at 08:00, Eric Rescorla <ekr@rtfm.com> wrote:
>> > 
>> > Suppose that I receive a bogus response to my A record query, how am I to usefully distinguish "this is malware blocking" from "this resolver is malicious"?
>> 
>> I suppose draft-ietf-dnsop-extended-error could add another error code for the specific case of a malicious resolver. Whatever that might mean. Though I doubt the operators of such servers will choose to set that evil bit on their responses.
>> 
>> PS A potential problem with this I-D is these extended error codes won’t be signed. So they can be spoofed by bad actors.
>> 
> Yes, and for this reason I don't see how this solves the problem. It's just "resolver blocked it and claims reason X".

Which I thought answered your original question. Though maybe those responses should be signed somehow. Handwave, handwave. If you have suggestions on how to improve the security considerations of that I-D, please supply text to dnsop.

But now I’m confused. Could you please clarify what you mean by malicious resolver? We seem to be using different (unwritten) definitions.

I also don’t understand why it matters to distinguish between responses that say "this is malware blocking" from "this resolver is malicious”. The end result’s the same - the resolver’s not returning the expected DNS data for the query. What difference does it make if the resolver’s giving a genuine or a bogus reason for doing that? After all, the client will almost always believe what the resolver told them. It entered into an implicit or explicit trust relationship with that resolver when the client sent its DNS queries there.

v2.23.0 | Report a Bug | By Email