IETF Logo Mail Archive

Re: [Add] fixing coffee shop brokenness with DoH

Eric Rescorla <ekr@rtfm.com> Wed, 24 July 2019 17:46 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB7A3120059 for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 10:46:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pe1a0VQGzThF for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 10:46:15 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 396A7120112 for <add@ietf.org>; Wed, 24 Jul 2019 10:46:15 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id d24so45317523ljg.8 for <add@ietf.org>; Wed, 24 Jul 2019 10:46:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QVCq6FuzucpQKcCHqXjE3JrIq7FRD3XGZAoOiq3Qlfs=; b=0RvWkA+jX5gtQTvPgZyBCjgtexQylnLRUMOGxuTcewYGaKgtUZ9OZkO78YKloODDdB JTTlBfK3C0WMs+QaeGLBmEhUG9u7bofIvTAIm8MFEaF0PFG+ZS/uXzOCiQCOcpv+iMjn uHUexuo2alZPtEdF9hxissWOvFGNrx3D+7IU7sihZR7LhoHHWfP4V6P/l7hUJb6Ob7ZJ rM2CxFIiO57h5mcQk/1EewX7cLA79txGRpVM0O7TNCCY3N6UgEqFIZNnZqJGnsKeGrK0 RK+ZTb9IjPRYoFAUMdVgkOq+hszcvW5+ooM96szvgHlrU8NCGWtnp+k1pe004iQV5Y2f UO8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QVCq6FuzucpQKcCHqXjE3JrIq7FRD3XGZAoOiq3Qlfs=; b=Zhq5xH7v7HpLHp8UDGcuJwQF4zaqFT5HDlb1sN7M35QZ7C2GJcnFfJY53CzqF51LvR 0BKdWVoIfF2IPmY+PHbWlkj0eaAAPhuMtRW/j2A2b7CmxJbY6ypa2Y9osjr+XhBMYqvF dnXG6xRUbwNdBcfXecty4FApn/2O8xVd/+DVOaC2d+XVPfETITIUpZuDmKF1IGn4B+0u +5XpmdAqQS6ZsBqVxLh3TCMKMWbgLhUU/+WwNpUBerj+uyZwUcUtXOaUW3mPPNy6U2Vi lDNIvT0YX5BQyqBqlxMxZLE2QamJUe66Q0jGGXqTmS8upmFtQ+9Pg6FSJcSTKnhiGcG2 iPng==
X-Gm-Message-State: APjAAAWSEH8an9Iyzq8SsxfAs43FPrFFFZS72lOIJIBXIqgAKOYPFFIM oFESxiTDdnQdyrLJwRZ+8WCuz07lEGJqvyW9Yu8=
X-Google-Smtp-Source: APXvYqxTISI9OPSMwu7hjLJ65FBDqvOexSnZ7qTWV2OCMjDbEJK8HacVla+X7iIPmRQnylHKhpicJqvSJLMXnKM7RyQ=
X-Received: by 2002:a2e:96d0:: with SMTP id d16mr30289778ljj.14.1563990373388; Wed, 24 Jul 2019 10:46:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com> <4DE9B8B1-36D5-4EB5-BE84-D61C182F7372@fugue.com> <CABcZeBN+4RGWN0+xhtb-bMtSJ1B0FAU4JjRJTOSd1x_9JJZBWg@mail.gmail.com> <D361E72B-3783-4E57-8F08-8B418639BB29@fugue.com> <CABcZeBP2MY3pjeZv4Q+1Kj3_GKOgVq8+OYe7im2gYvBzy=Mz7g@mail.gmail.com> <F8A56D5D-B05E-4E80-880C-60D6B550F107@fugue.com> <CABcZeBOO5yvcm=DvDjr-7v4AvVG=13Zy--j362eE0Qqp7hcRaw@mail.gmail.com> <4FC4184E-E41D-420E-A594-60ECF3CD73F1@fugue.com> <CABcZeBOjWQr1HWbGaCkpdR1S7FQUmum=by_SOYWB9OENy8Y-hA@mail.gmail.com> <7BE32238-2442-4954-B95E-1C089C8C86E7@fugue.com> <CABcZeBM8bY0bjZjgpozMULL++4v98SO-tyFnqYvG0714GqWgbw@mail.gmail.com> <CAH1iCioacfKVV14QcQ9zsNed2cDXVhJDY2wknaOzRsarK0GJcA@mail.gmail.com>
In-Reply-To: <CAH1iCioacfKVV14QcQ9zsNed2cDXVhJDY2wknaOzRsarK0GJcA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 24 Jul 2019 10:45:37 -0700
Message-ID: <CABcZeBOMv=HdV5e9-eBoWLQhh=p6uy4OKhAqo0Q5Lgg7c91kOA@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Ted Lemon <mellon@fugue.com>, Jim Reid <jim@rfc1035.com>, "add@ietf.org" <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000a35e83058e70e26b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/iVnBlyy3c7fllynnMHwNNZAlY_Y>
Subject: Re: [Add] fixing coffee shop brokenness with DoH
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 17:46:18 -0000

On Wed, Jul 24, 2019 at 10:32 AM Brian Dickson <
brian.peter.dickson@gmail.com> wrote:

>
>
> On Wed, Jul 24, 2019 at 1:15 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Wed, Jul 24, 2019 at 8:58 AM Ted Lemon <mellon@fugue.com> wrote:
>>
>>> There are a variety of attack scenarios to account for. DNSSEC is not
>>> useful for countering a fake NXDOMAIN attack when the attacker also
>>> controls the path and can prevent connection establishment.
>>>
>>> However, if the attacker is the resolver, and the resolver isn’t under
>>> the control of the path, then detecting a fake NXDOMAIN is useful.
>>>
>>
>> How?
>>
>
> Assumptions:
>
>    1. One resolver is controlled by the attacker
>    2. The path to the real endpoint is free from control by that same
>    attacker
>    3. Any other resolver, not controlled by that same attacker, is known
>
> This last possibility seems like a pretty narrow case. In the vast
majority of cases, clients have one path to the network.

It's a little surprising to be hearing resistance to local resolver
blocking being cited as a goal here, given that previously I've heard
complaints that DoH (which is effectively a separate path to another
resolver) is a mechanism for circumventing exactly this kind of blocking.

-Ekr



If the attacker's resolver supplies a fake NXDOMAIN, which the client
> detects via DNSSEC, then the client sees the resolver's answer as a
> SERVFAIL.
> The client then consults a different resolver, and gets a non-NXDOMAIN
> answer (validated by DNSSEC), and connects to the correct host.
> Since the attacker does not control the data path to the correct host, the
> client's connection succeeds.
>
> QED (useful).
>
> Brian
>
>

v2.23.0 | Report a Bug | By Email