IETF Logo Mail Archive

Re: [Add] data integrity and DNSSEC or DoH/DoT

Neil Cook <neil.cook@open-xchange.com> Tue, 03 September 2019 16:35 UTC

Return-Path: <neil.cook@open-xchange.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6972120145 for <add@ietfa.amsl.com>; Tue, 3 Sep 2019 09:35:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.298
X-Spam-Level:
X-Spam-Status: No, score=-4.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DlcUxJ9AbFn5 for <add@ietfa.amsl.com>; Tue, 3 Sep 2019 09:35:16 -0700 (PDT)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D0341200A3 for <add@ietf.org>; Tue, 3 Sep 2019 09:35:16 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id F37046A27B; Tue, 3 Sep 2019 18:35:12 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1567528513; bh=uUXSPweRqb7EZCOOE8WDdZAU51FW4XBzmHq21zdeelc=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=U/qVXJ/UvfSVX0LnY/RrkXxNJj87PvnqKh91IjgYuH5t7W3FDqiwiZB1bSDICtVOj aqDXd9yO1ofMdWAJNEh2mUA8A3LSk1UonG7zLro/9xucVsmtKV8stY6wsefHWJszil 0mQ1mMueHkkpoaJK94+9Re3YthpUYP+tWyjT2Rb3Y6ep/OGkQpTHKxukMCAw20tw0P Z3qaz7pHYQAYSdPkLHF97tN/wQlhqFWG4ugdTl1cVnUzRJGggfqSKzcstPCZ3Gljnx Nxl9rLMNGa9YvyUDYfYkEULYdpN296Vr+EZ2hWnHpTdPgFDuOLTmvKVqHnkVy9RMMM HhnhRA4UNnlXw==
Received: from [10.20.120.231] (unknown [10.20.120.231]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id A25263C02F9; Tue, 3 Sep 2019 18:35:12 +0200 (CEST)
From: Neil Cook <neil.cook@open-xchange.com>
Message-Id: <245874B8-BDB9-4947-86E0-F3A739DA255F@open-xchange.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_009F9025-584F-4C99-8268-72015DDA958C"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 03 Sep 2019 18:35:11 +0200
In-Reply-To: <0B481BB1-5BF9-409F-B41D-2DFC4675450A@huitema.net>
Cc: Eric Rescorla <ekr@rtfm.com>, Jim Reid <jim@rfc1035.com>, ADD Mailing list <add@ietf.org>
To: Christian Huitema <huitema@huitema.net>
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie> <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com> <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com> <E40CC478-BBA1-4DA9-8F6A-FE1782E0F27E@rfc1035.com> <CABcZeBMnG_HJHYrGpQD1LWWNi8zuhAm=0Uy2HNRRmhYS9PsCtg@mail.gmail.com> <06613304-C325-4BA4-AB6F-32D79DFCECA0@open-xchange.com> <CABcZeBMr6WtzbyPPA6W1Da0A9bUoowMVucbBf5K0BQgqZrNdwg@mail.gmail.com> <F66D555F-7533-4B42-A036-016345F7 65A7@open-xchange.com> <0B481BB1-5BF9-409F-B41D-2DFC4675450A@huitema.net>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/kVMmI2OWbAZDtFQQyV-RvSXNlpE>
X-Mailman-Approved-At: Wed, 04 Sep 2019 09:04:43 -0700
Subject: Re: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 16:35:19 -0000


> On 3 Sep 2019, at 18:16, Christian Huitema <huitema@huitema.net> wrote:
> 
>  
> 
> On Sep 3, 2019, at 7:34 AM, Neil Cook <neil.cook=40open-xchange.com@dmarc.ietf.org <mailto:neil.cook=40open-xchange.com@dmarc.ietf.org>> wrote:
> 
>> 
>> 
>>> On 3 Sep 2019, at 15:46, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>>> 
>>> It’s not entirely  useless. The problem it does solve is giving the user a better experience when a site is blocked for resolvers that support this extended Error Code. Currently for HTTPS the user will end up with a TLS connection error of some kind (or a blank page in some browsers). If a resolver returns a “blocked/censored/prohibited” response, then the browser can tell the user that the web page was blocked with an informative message. Assuming this becomes the default behaviour for non-malicious resolvers then I think it will a good signal for distinguishing  "this is malware blocking" from "this resolver is malicious”.
>>> 
>>> I'm not following. Suppose that we add an error code that says "this site has malware". Now, I operate a resolver which is malicious in the sense that it wishes to block a certain form of content (say, access to the IETF) but don't want the people whose content I am blocking is being blocked for that reason. So, instead I return "this site has malware".
>>> 
>>> My point here is that a code of this type only tells you what the resolver *asserts* the reason it blocked it is, it doesn't necessarily tell you what the actual reason that the content was blocked.
>>> 
>> 
>> Ok yes I understand. The blocking reason wouldn’t be that useful in the general case of not knowing whether a resolver was malicious. However I think the fact that the resolver is telling you that the content is blocked is still useful, no matter what the reason for the blocking is, for the reason described above. For example in your use-case, the user would see “this site is blocked by the DNS resolver” (or whatever) rather than “TLS connection error” which would be the case today.
> 
> Is there a way to explain how the message is blocked? Such as, "this domain is listed as malware in RBZ malware.example.net <http://malware.example.net/>." Information like that would allow the client to make an informed decision.
> 

The proposal as it’s currently specified doesn’t allow further granularity. Also Eric’s point is that you can’t trust the reason the resolver gives you, so this wouldn’t be useful. Assuming the client did trust the resolver however it may be useful;  although I’m not sure how the client would make an “informed decision” - I mean, what can the client do except try a different resolver perhaps? 

Neil Cook
neil.cook@open-xchange.com

-------------------------------------------------------------------------------------
Open-Xchange AG, Rollnerstr. 14, 90408 Nuremberg, District Court Nuremberg HRB 24738
Managing Board: Rafael Laguna de la Vera, Carsten Dirks, Michael Knapstein, Stephan Martin 
Chairman of the Board: Richard Seibt

European Office: 
Open-Xchange GmbH, Olper Huette 5f, D-57462 Olpe, Germany, District Court Siegen, HRB 8718 
Managing Director: Frank Hoberg

US Office: 
Open-Xchange. Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA 
-------------------------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email