IETF Logo Mail Archive

Re: [Add] data integrity and DNSSEC or DoH/DoT

Paul Wouters <paul@nohats.ca> Thu, 22 August 2019 18:53 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1755A120ADE for <add@ietfa.amsl.com>; Thu, 22 Aug 2019 11:53:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.995
X-Spam-Level:
X-Spam-Status: No, score=-1.995 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I229vP6yJvdr for <add@ietfa.amsl.com>; Thu, 22 Aug 2019 11:53:33 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2300B120AE4 for <add@ietf.org>; Thu, 22 Aug 2019 11:53:33 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 46DtwB5pMyzFZ2; Thu, 22 Aug 2019 20:53:30 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1566500010; bh=zL+0tOS+WqvrdmmJybjZhppjw4HO7I838D7DWV2Yswg=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=EOg7uiS4lnLdzNsvgCEA74nBp/NWRnaVNy0PEXtC/zYWvips0fq74M14k4Wy59wL7 SaO5fYciV/Ah0Ecl4gJtRls615jdBTeUecKMxlSCdpjBSXEzGVhe6Fdf34lZ0lExRR 8J9T7VxRCL9n6Epjd8EG9Bvyf4bdJhBmWKImsa4A=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id NwRYO96FHLcR; Thu, 22 Aug 2019 20:53:28 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 22 Aug 2019 20:53:28 +0200 (CEST)
Received: from [192.168.1.110] (104-195-254-115.cpe.teksavvy.com [104.195.254.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id C489859CFF7; Thu, 22 Aug 2019 09:47:26 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca C489859CFF7
Content-Type: multipart/alternative; boundary="Apple-Mail-C04C582F-7A6A-4465-867F-06CB188F37EA"
Mime-Version: 1.0 (1.0)
From: Paul Wouters <paul@nohats.ca>
X-Mailer: iPhone Mail (16G77)
In-Reply-To: <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com>
Date: Thu, 22 Aug 2019 09:47:25 -0400
Cc: Jim Reid <jim@rfc1035.com>, ADD Mailing list <add@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Transfer-Encoding: 7bit
Message-Id: <71CF51A9-A018-4D5C-9D1C-FCF565B00D0B@nohats.ca>
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie> <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com> <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Z5N7uieSO46drTeNzd05OIYTO1Q>
Subject: Re: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2019 18:53:36 -0000

You move the Answer section data to the Authoritative section, and add an extended error code that the answer was filtered by policy. This allows a dnssec validator to validate and censor if it is configured to do so.

This is my proposal for rpz-bis which is only waiting on the rpz draft to go through the ISE.

Paul

Sent from mobile device

> On Aug 22, 2019, at 03:00, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
>> On Wed, Aug 21, 2019 at 10:43 PM Jim Reid <jim@rfc1035.com> wrote:
>> 
>> 
>> > On 21 Aug 2019, at 22:13, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>> > 
>> > IMO you're both right but not quite using super-precise terminology:-)
>> > 
>> > ...
>> > 
>> > So yep, both give data integrity, just differently.
>> 
>> If we’re being super-precise, that’s not quite right either Stephen. :-)
>> 
>> DNSSEC and DoH/DoT are not different paths to the same end goal of data integrity. They provide different flavours of data integrity.
> 
> This I agree with.
> 
>  
>> DNSSEC validation means you get the truth, the whole truth and nothing but the truth regardless of your choice of resolver or the transport path between you and that resolver. DoH and DoT offer no protection at all from a lying resolver - you’re just guaranteed to receive precisely whatever lies or truth that resolver sends. So in effect you somehow decide to “trust” a TRR and hope for the best. In some cases, that may well be good enough. In others, perhaps not.
> 
> I'd like to push on this slightly, if I may.
> 
> I certainly agree that from a cryptographic perspective, DNSSEC allows you to evaluate whether or not the records that you receive are those which were provisioned (modulo typos, key expiry, etc.). However, as has been observed here a number of times, there are many cases where the resolver desires to elide certain records (e.g., for malware filtering) or to redirect you to some other location (e.g., captive portals). So from a systems perspective it seems like things are more complicated. Suppose that I receive a bogus response to my A record query, how am I to usefully distinguish "this is malware blocking" from "this resolver is malicious"?
> 
> -Ekr
> 
>> 
>> 
>> -- 
>> Add mailing list
>> Add@ietf.org
>> https://www.ietf.org/mailman/listinfo/add
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email