IETF Logo Mail Archive

Re: [Add] fixing coffee shop brokenness with DoH

Eric Rescorla <ekr@rtfm.com> Wed, 24 July 2019 14:43 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 232A01202A6 for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 07:43:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nICuZj3r1Ft8 for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 07:43:35 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62AEE12026E for <add@ietf.org>; Wed, 24 Jul 2019 07:43:32 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id x25so44821136ljh.2 for <add@ietf.org>; Wed, 24 Jul 2019 07:43:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TLap8L92edzXNL5ruOiNw+Hb6Fd2COsgnkZAumoYM0A=; b=RbHRaxH0c/s5ONFomY1ZRZcP1E/Mx4vgRxriOm6E1X4S/EpA+HBJSsgQIdGt9BW+6+ qO1KO7ylPBJBCnf2DbfwPiPkTvUNhtsNq18Mrbn29+kbZv0NPXz2h8g4tpyoXm2smPJr UG/zhysINZg52z6tlfxsPEkO6emfg6F4rflHt73f3QC88fRSCeUnMGMuTVFPRyesJlZF DozxrKLFyHF+aORHkhIz5z20ihOVlVum68swrNVisx834jW9JPDNPyNW8lGAAdjec9I8 fWl9igjBwrA80OMGBEm+D9HtQ0jitoUtxDDE/xL23kNCu+IQpuROhZJTwLmDTo8MjbgV aXcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TLap8L92edzXNL5ruOiNw+Hb6Fd2COsgnkZAumoYM0A=; b=FlY3vN6xHxLo82Gf/jTlhIqr3QUBQW7FmgTJmugK4xSfIB+ah/5krX2c48edIgacfX puJvO4J/PH4HADcDEqDh15jdxrcHsWUWysl5PiLLq5Anktpl8wvWaRU7f1UcC64iFxXK Zqu7nz3PArK0zgpIUSFZCmE740f/Bcm/4vsrU2zT0EU4m6P3AzetGCbM13ygZwR9VLnx FObLzaXCf5wqqaW9mf4EbkYNic2O51ViUAwx1ZqGCGQhkBdkg+JAPH4aC5zje2kBefmj +LP/m8hVrBFkeZcvpCQ+hptLZ9FRlK/lBVgAKjvUZCgvi9nORbE5Gxjmt8qsnf7H9vVe bGqQ==
X-Gm-Message-State: APjAAAVNS20M7rhg/33Yhk8CXQOqfsiNdxeF9DIVrukvwC+hCPzAXJkr aqN14jayqLrUZlCHYMQmm9Os6whKt0qtF3gd/9M=
X-Google-Smtp-Source: APXvYqzg3as4sd7UZA4B1fEyz3/aKx2KPsSf+xk1Rn6JxkYN20AWSS+ogvzrll+hSro5RdWX2lZdXMkYC3HjIERLK0I=
X-Received: by 2002:a2e:8892:: with SMTP id k18mr43776947lji.239.1563979410600; Wed, 24 Jul 2019 07:43:30 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com> <4DE9B8B1-36D5-4EB5-BE84-D61C182F7372@fugue.com> <CABcZeBN+4RGWN0+xhtb-bMtSJ1B0FAU4JjRJTOSd1x_9JJZBWg@mail.gmail.com> <CAH1iCipMB_1mMC1ecbtSWNt4gKJie43LAETHFD59xkNMrjPdvA@mail.gmail.com>
In-Reply-To: <CAH1iCipMB_1mMC1ecbtSWNt4gKJie43LAETHFD59xkNMrjPdvA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 24 Jul 2019 07:42:54 -0700
Message-ID: <CABcZeBOqP3ARjsrRiGcrAHzCqz_k1+u-qrW=6mzg-khrAjOKHg@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Ted Lemon <mellon@fugue.com>, Jim Reid <jim@rfc1035.com>, "add@ietf.org" <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000348c6f058e6e55a0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/cJz4OEXQIKY_OHdHfybJysLEzSE>
Subject: Re: [Add] fixing coffee shop brokenness with DoH
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 14:43:38 -0000

On Wed, Jul 24, 2019 at 7:33 AM Brian Dickson <brian.peter.dickson@gmail.com>
wrote:

>
>
> On Wed, Jul 24, 2019 at 9:15 AM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Wed, Jul 24, 2019 at 3:54 AM Ted Lemon <mellon@fugue.com> wrote:
>>
>>> On Jul 24, 2019, at 6:40 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>>> >> In many cases, whether you are being told the truth by your recursive
>>> resolver is a less interesting property than whether you can get the
>>> correct answer. For instance, if the recursive resolver replaces the A
>>> record you want with NXDOMAIN even if you know that it's done so, you're
>>> still blocked from going where you wanted to go.
>>>
>>> However, even if you are not blocked, without DNSSEC you do not know
>>> that the resolver gave you the right answer.  So ideally you want both: not
>>> to be blocked, and also to be able to validate the result you got.
>>>
>>
>> Well, this is true, but in the Web context, as we move towards 100%
>> HTTPS, the importance of getting the right IP starts to decrease quite a
>> bit: if you get the wrong IP address, then this turns into a connection
>> failure.
>>
>> -Ekr
>>
>
> This is an important assertion that requires refutation: this is incorrect.
>

I think this is a topic on which we are going to have to agree to disagree.

-Ekr


> The importance of the correct IP is essential, because of the relatively
> weak system under which TLS certificates are (or can be) issued.
> While individual CAs may be extremely trustworthy, there has been
> instances of other CAs (retrospectively discovered as being untrustworthy)
> issuing TLS certificates to parties other than the domain owner.
>
> This is why DNSSEC, and DANE, are an important mechanism available for
> strengthening certificate/browser security.
>
> DANE allows domain owners to securely link a specific CA or specific
> certificate to a domain name.
>
> Only with DNSSEC and DANE, is it true that the IP address being wrong
> would a connection failure be guaranteed to occur.
>
> That is, in fact, one of the underpinnings for why bad actors have an
> interest in altering DNS caches to provide forged IP addresses.
>
> Thus, I assert that not only is DANE not strictly orthogonal, it is an
> essential part of securing the web, along with DNSSEC.
>
> This is true even in a 100% HTTPS environment. The security of DNS as
> provided by DNSSEC is both orthogonal to, and more important than, the
> privacy of DNS recursive queries, when it to achieving that 100% HTTPS
> environment.
>
> Brian
>

v2.23.0 | Report a Bug | By Email