IETF Logo Mail Archive

Re: [Add] fixing coffee shop brokenness with DoH

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 24 July 2019 14:33 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FED912031A for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 07:33:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6wAE2aNHxj0P for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 07:33:36 -0700 (PDT)
Received: from mail-ua1-x92a.google.com (mail-ua1-x92a.google.com [IPv6:2607:f8b0:4864:20::92a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74C43120318 for <add@ietf.org>; Wed, 24 Jul 2019 07:33:36 -0700 (PDT)
Received: by mail-ua1-x92a.google.com with SMTP id j21so18552100uap.2 for <add@ietf.org>; Wed, 24 Jul 2019 07:33:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6L+0Zm8e1dowKVynUGk7cQpfAOKTPEiVTOZSwyzT9GM=; b=pKiG8mNBUcAl5pvZcZkDZ2tBv4xcuK5XAiKSMKXZjUmTmRlJcMbZOIJDs/ByZYwpkP N3U6ht8VbRBwOyR0kjuzwOc0g1RYV+AG1ZuAqvXhj9IjRpM1V1PhavwodgNlAJqvHuit INmEJV29owwn57rIZ23Ggr+vzB8YQVEmLhHQ5wdxvaVLQJItaK5FSe6ez1aq+JB2wW9J Ny59P6qzP/F60yJm0nDKvTA5LSPGPmJZM3BNFJu2Kqd8NHMJl8M25l2Sc5KIqfWjOSnP wSGXmUqsKBxLRggoe8beeyEE+tzfWNs+KUeF2UxnRtTVdFGB2BpvxwzqNtT7kGTNo/U6 j6FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6L+0Zm8e1dowKVynUGk7cQpfAOKTPEiVTOZSwyzT9GM=; b=FeJQIOY0p4nOX68OTuLh1J0FOP5P5FaETSVK0gUp6GEC5LwTfnLQToe2cPwqK+GkXQ h705ma6/EvehQgg1NS+L2hfbYkcfGOCx380DnR7EqvzHZN+S5lc52DnaP7f4dUL8v9hc GxGndhREsDGInUTqw8XZ0pXxUIAQepiO4NpHzWaWfePn5F1MpYNpQz+LihxSNuHEhvjb Q0fsyMV9i+MFk9MQlwm76Qssm14JQJnvp+PKpawb7fgQ1xClHn5PXh7rj6hKi1x/2kFe cguREQg+wgsNK4WFSfmVBshmfr9Xg8jffcJBTXLYBJziCz8o7qm/kENYwnuXTYC9UbmP P/LA==
X-Gm-Message-State: APjAAAWVbtb/MlTjiJ6fkJQiYHJGs3pFgFg7kVQ8T1a8ZXNvVhEd4mOF Vrr+PJrhigauZ1/rshBWOpo67knaq+u7YKnOY49jkhumlLM=
X-Google-Smtp-Source: APXvYqzwZxBXpTY90PhUhDk2qT/lZ6qwrxZnKdbEbZC2zm1sHrxtKaajLcmdq2mJ9C50g9J5FFGjqPINcZNWNYB414g=
X-Received: by 2002:ab0:168a:: with SMTP id e10mr5959748uaf.87.1563978815586; Wed, 24 Jul 2019 07:33:35 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com> <4DE9B8B1-36D5-4EB5-BE84-D61C182F7372@fugue.com> <CABcZeBN+4RGWN0+xhtb-bMtSJ1B0FAU4JjRJTOSd1x_9JJZBWg@mail.gmail.com>
In-Reply-To: <CABcZeBN+4RGWN0+xhtb-bMtSJ1B0FAU4JjRJTOSd1x_9JJZBWg@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 24 Jul 2019 10:33:23 -0400
Message-ID: <CAH1iCipMB_1mMC1ecbtSWNt4gKJie43LAETHFD59xkNMrjPdvA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Ted Lemon <mellon@fugue.com>, Jim Reid <jim@rfc1035.com>, "add@ietf.org" <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000bd4887058e6e311d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/gHmR7lW0ggwfTWtcNlwrEn1T2sk>
Subject: Re: [Add] fixing coffee shop brokenness with DoH
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 14:33:43 -0000

On Wed, Jul 24, 2019 at 9:15 AM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Wed, Jul 24, 2019 at 3:54 AM Ted Lemon <mellon@fugue.com> wrote:
>
>> On Jul 24, 2019, at 6:40 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>> >> In many cases, whether you are being told the truth by your recursive
>> resolver is a less interesting property than whether you can get the
>> correct answer. For instance, if the recursive resolver replaces the A
>> record you want with NXDOMAIN even if you know that it's done so, you're
>> still blocked from going where you wanted to go.
>>
>> However, even if you are not blocked, without DNSSEC you do not know that
>> the resolver gave you the right answer.  So ideally you want both: not to
>> be blocked, and also to be able to validate the result you got.
>>
>
> Well, this is true, but in the Web context, as we move towards 100% HTTPS,
> the importance of getting the right IP starts to decrease quite a bit: if
> you get the wrong IP address, then this turns into a connection failure.
>
> -Ekr
>

This is an important assertion that requires refutation: this is incorrect.

The importance of the correct IP is essential, because of the relatively
weak system under which TLS certificates are (or can be) issued.
While individual CAs may be extremely trustworthy, there has been instances
of other CAs (retrospectively discovered as being untrustworthy) issuing
TLS certificates to parties other than the domain owner.

This is why DNSSEC, and DANE, are an important mechanism available for
strengthening certificate/browser security.

DANE allows domain owners to securely link a specific CA or specific
certificate to a domain name.

Only with DNSSEC and DANE, is it true that the IP address being wrong would
a connection failure be guaranteed to occur.

That is, in fact, one of the underpinnings for why bad actors have an
interest in altering DNS caches to provide forged IP addresses.

Thus, I assert that not only is DANE not strictly orthogonal, it is an
essential part of securing the web, along with DNSSEC.

This is true even in a 100% HTTPS environment. The security of DNS as
provided by DNSSEC is both orthogonal to, and more important than, the
privacy of DNS recursive queries, when it to achieving that 100% HTTPS
environment.

Brian

v2.23.0 | Report a Bug | By Email