Re: [Add] data integrity and DNSSEC or DoH/DoT
Jim Reid <jim@rfc1035.com> Fri, 23 August 2019 08:04 UTC
Return-Path: <jim@rfc1035.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A80641200CD for <add@ietfa.amsl.com>; Fri, 23 Aug 2019 01:04:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RJeGurxNVYlQ for <add@ietfa.amsl.com>; Fri, 23 Aug 2019 01:04:21 -0700 (PDT)
Received: from shaun.rfc1035.com (smtp.v6.rfc1035.com [IPv6:2001:4b10:100:7::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFF40120059 for <add@ietf.org>; Fri, 23 Aug 2019 01:04:20 -0700 (PDT)
Received: from gromit.rfc1035.com (gromit.rfc1035.com [195.54.233.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by shaun.rfc1035.com (Postfix) with ESMTPSA id 7C81C242109D; Fri, 23 Aug 2019 08:04:17 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Jim Reid <jim@rfc1035.com>
In-Reply-To: <CABcZeBMnG_HJHYrGpQD1LWWNi8zuhAm=0Uy2HNRRmhYS9PsCtg@mail.gmail.com>
Date: Fri, 23 Aug 2019 09:04:16 +0100
Cc: ADD Mailing list <add@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <69015C05-4AE8-4FB2-94D4-3B52018DEBA6@rfc1035.com>
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie> <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com> <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com> <E40CC478-BBA1-4DA9-8F6A-FE1782E0F27E@rfc1035.com> <CABcZeBMnG_HJHYrGpQD1LWWNi8zuhAm=0Uy2HNRRmhYS9PsCtg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/VRcb96scJNM4RLsudldIe6HxHCw>
Subject: Re: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2019 08:04:23 -0000
On 23 Aug 2019, at 05:39, Eric Rescorla <ekr@rtfm.com> wrote: > > > > On Thu, Aug 22, 2019 at 1:41 PM Jim Reid <jim@rfc1035.com> wrote: > >> > On 22 Aug 2019, at 08:00, Eric Rescorla <ekr@rtfm.com> wrote: >> > >> > Suppose that I receive a bogus response to my A record query, how am I to usefully distinguish "this is malware blocking" from "this resolver is malicious"? >> >> I suppose draft-ietf-dnsop-extended-error could add another error code for the specific case of a malicious resolver. Whatever that might mean. Though I doubt the operators of such servers will choose to set that evil bit on their responses. >> >> PS A potential problem with this I-D is these extended error codes won’t be signed. So they can be spoofed by bad actors. >> > Yes, and for this reason I don't see how this solves the problem. It's just "resolver blocked it and claims reason X". Which I thought answered your original question. Though maybe those responses should be signed somehow. Handwave, handwave. If you have suggestions on how to improve the security considerations of that I-D, please supply text to dnsop. But now I’m confused. Could you please clarify what you mean by malicious resolver? We seem to be using different (unwritten) definitions. I also don’t understand why it matters to distinguish between responses that say "this is malware blocking" from "this resolver is malicious”. The end result’s the same - the resolver’s not returning the expected DNS data for the query. What difference does it make if the resolver’s giving a genuine or a bogus reason for doing that? After all, the client will almost always believe what the resolver told them. It entered into an implicit or explicit trust relationship with that resolver when the client sent its DNS queries there.
- [Add] What to do in this potential working group Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Orth
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Jim Reid
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Vyncke (evyncke)
- Re: [Add] What to do in this potential working gr… Ted Lemon
- Re: [Add] What to do in this potential working gr… Jim Reid
- Re: [Add] What to do in this potential working gr… Ted Lemon
- Re: [Add] What to do in this potential working gr… Tommy Jensen
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Brian Dickson
- Re: [Add] What to do in this potential working gr… Brian Dickson
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… Adam Roach
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… David Conrad
- [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] data integrity and DNSSEC or DoH/DoT David Conrad
- Re: [Add] data integrity and DNSSEC or DoH/DoT Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] Unstated assumptions in What to do in t… John Levine
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] What to do in this potential working gr… Patrik Fältström
- Re: [Add] What to do in this potential working gr… Patrik Fältström
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Martin Thomson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Daniel Stenberg
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Martin J. Dürst
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ralf Weber
- Re: [Add] data integrity and DNSSEC or DoH/DoT Ralf Weber
- Re: [Add] data integrity and DNSSEC or DoH/DoT Willem Toorop
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Rubens Kuhl
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] What to do in this potential working gr… Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Adam Roach
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Christian Huitema
- Re: [Add] data integrity and DNSSEC or DoH/DoT Christian Huitema
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Andrew Campling
- Re: [Add] data integrity and DNSSEC or DoH/DoT Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Alec Muffett
- Re: [Add] data integrity and DNSSEC or DoH/DoT Alec Muffett