Re: [Add] data integrity and DNSSEC or DoH/DoT

David Conrad <drc@virtualized.org> Wed, 21 August 2019 22:14 UTC

From: David Conrad <drc@virtualized.org>
In-Reply-To: <ee8291ce-855f-a5d8-e9d8-74be9f58c321@cs.tcd.ie>
Date: Wed, 21 Aug 2019 15:14:51 -0700
Cc: Jim Reid <jim@rfc1035.com>, ADD Mailing list <add@ietf.org>
Message-Id: <A73CCDC6-5AC4-4780-8B63-B9BD4A7ED70A@virtualized.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/e7gKtO-porivIw1UIKxhF-7H_AA>

Stephen,

On Aug 21, 2019, at 2:47 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>> DNSSEC and DoH/DoT are not different paths to the same end goal of
>> data integrity. They provide different flavours of data integrity.
> 
> I don't agree that the goals are precisely the same as the
> actors involved in providing the security services differ.
> There's a lot in common, but they aren't identical.

You appear to be agreeing with Jim.

DNSSEC provides data integrity _for what the zone authority put into the zone_, regardless of how it gets to the client.

A TLS channel between a client and a resolver (DoH or DoT) provides data integrity and confidentiality (and _resolver_ origin authentication) _for what the RESOLVER chooses to serve_.

DoH _will not help_ if the “trusted” resolver is compromised to modify the response (something I suspect concentrating the resolver function will encourage).  DNSSEC would help that particular attack.

My response to Ted that caused me to get sucked into this particular swamp (something I already regret) was merely trying to point out there is a significant difference there.

I hope that clarifies.

Regards,
-drc
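The distinction drawn above, as an added example that is not part of this thread: a constructed Python model in which a zone authority signs a record, a resolver serves it over an integrity-protected channel, and a validating client checks both, so a compromised resolver passes the channel check but fails DNSSEC validation, while an on-path modification fails the channel check. HMAC stands in for RRSIG and for TLS record protection (an assumption, to stay stdlib-only), and the zone name and addresses are constructed.

```python
import hashlib, hmac, json
# Constructed stand-ins, not real DNSSEC or TLS: HMAC plays the role of RRSIG and of
# TLS record protection. What matters is who holds each key: the zone key stays with
# the zone authority (real DNSSEC verifies with the public DNSKEY), the session key
# with client and resolver only.
ZONE_KEY = b"zone-authority-signing-key (constructed)"
SESSION_KEY = b"doh-session-key (constructed)"
ZONE_NAME = "example.test."  # constructed; 192.0.2.0/24 is documentation space

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def zone_sign(rr):
    """Zone authority signs the RR when publishing (stand-in for RRSIG)."""
    return {"rr": rr, "sig": _mac(ZONE_KEY, json.dumps(rr, sort_keys=True).encode())}

def dnssec_validate(signed):
    """Validating client: does the signature match the RR as received?"""
    expect = _mac(ZONE_KEY, json.dumps(signed["rr"], sort_keys=True).encode())
    return hmac.compare_digest(signed["sig"], expect)

def channel_send(payload):
    """Resolver side of the DoH/DoT channel: integrity over whatever it serves."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": _mac(SESSION_KEY, body.encode())}

def channel_recv(msg):
    """Client side: accept the payload only if the channel tag verifies."""
    if not hmac.compare_digest(msg["tag"], _mac(SESSION_KEY, msg["body"].encode())):
        return None
    return json.loads(msg["body"])

SIGNED_ZONE = {ZONE_NAME: zone_sign({"name": ZONE_NAME, "type": "A", "rdata": "192.0.2.1"})}

def resolver(qname, compromised=False):
    """A compromised resolver rewrites rdata but cannot re-sign without ZONE_KEY,
    so it forwards the original signature; the channel still protects its output."""
    answer = dict(SIGNED_ZONE[qname])
    if compromised:
        answer["rr"] = dict(answer["rr"], rdata="192.0.2.99")
    return channel_send(answer)

def lookup(qname, compromised_resolver=False, on_path_tamper=False):
    """Returns (channel_ok, dnssec_ok, rdata) as seen by a validating client."""
    msg = resolver(qname, compromised_resolver)
    if on_path_tamper:  # attacker between client and resolver lacks SESSION_KEY
        msg = dict(msg, body=msg["body"].replace("192.0.2.1", "192.0.2.99"))
    answer = channel_recv(msg)
    if answer is None:
        return (False, False, None)
    return (True, dnssec_validate(answer), answer["rr"]["rdata"])
```

A client that only checks the channel accepts the compromised resolver's 192.0.2.99; only DNSSEC validation catches it, and only the channel catches the on-path change.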