IETF Logo Mail Archive

Re: [Add] What to do in this potential working group

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 21 August 2019 19:03 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D21B212099B for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 12:03:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jubxpp5AZ5Dj for <add@ietfa.amsl.com>; Wed, 21 Aug 2019 12:03:35 -0700 (PDT)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0977B120993 for <add@ietf.org>; Wed, 21 Aug 2019 12:03:35 -0700 (PDT)
Received: by mail-vs1-xe35.google.com with SMTP id m62so2068788vsc.8 for <add@ietf.org>; Wed, 21 Aug 2019 12:03:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3934PqE4R3ak4dag75ItXyrxtasT2CEMrU8VDWIVaQA=; b=ULyoKrKI76T35DDcWcSY3fkIJmx2a2dbxr/INmkuSMfC/Ja2Ckk2+fYTBc2BNPJbAg S0LTfjXU5IpF4XSAOumMGIMRwS1pT+5I3zIXCkIzFp4XzPOfCJmeqbLpudHar4dJ7y9S o1AJtUc0Mco6sg/cGg1tDFBeWZPr+KVWmegni63AtIFGO/UIUjLyeWaFNDi8afq0EweZ 7ifha9Rr4DglnTt52yQyG9hVvEhMhjABhomEhkOpIv4wHGdQOKKe8IAnM/uatpvl0Pz8 VOerk+ZPuRMZMMYIzq1FeAyx1veM5nUe7M2IvqfrXQLbLbsBFdak06U0891y7KxCHkrj esQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3934PqE4R3ak4dag75ItXyrxtasT2CEMrU8VDWIVaQA=; b=RtrK9Fqdk2NB/DbprLvOXEc/te84T2R8kia0xd6yYpzgVPJF/hW1MOm7Tce2LJcZBt ZhD1Ku+IkNvYZeYmlsUfc2sDpl7LkKATq2EiNOGMD4Yw85SlCalJoGkZo1asQgqmO1mH Knf649ZH1oi40wmHiItJSv3myAONJEyZh5It09lkVewtrkhK+RxKzvG8vpTPsGS4dXRY gpNI8vLmKjC1JmUV37pNE7N5U6xQuQdx6GEnNyUnVUzwKwV3hSfPWpHSUTG6QI99L5UD tAOCKiwZLj9s28Az8pkat7xgCO/29/y7S0SO/wGN7GnY59gAHRr37JiE3J/T/X9OqCum ZqPA==
X-Gm-Message-State: APjAAAV/79vz2nZSK2EyMmQ7MoGDAc3Hw2ztweO/iAzq8G1eMspjvvJD GaTDEAxOnuqgoCrSDiq55ZKhnQlkqhDWrG6eXTs=
X-Google-Smtp-Source: APXvYqzGA9T1iJ61rwmOXXby7y/Y+tGoxZ4GrfpLDYlKpD39wqzgmINCB4nLLfeVZ6K3o3d7Tf3lJNxYyM7FnCNgxuQ=
X-Received: by 2002:a67:f043:: with SMTP id q3mr21208161vsm.219.1566414213851; Wed, 21 Aug 2019 12:03:33 -0700 (PDT)
MIME-Version: 1.0
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org>
In-Reply-To: <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 21 Aug 2019 15:03:08 -0400
Message-ID: <CAH1iCiqp0YuQ=duqfpwFXcaK_Ar2PW9od-gvRKSxafj=tnP4Gg@mail.gmail.com>
To: David Conrad <drc@virtualized.org>
Cc: Alec Muffett <alec.muffett@gmail.com>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c9afc30590a53a58"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/n1nP3EWnavdsCwgjMCx3DyzOirM>
Subject: Re: [Add] What to do in this potential working group
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2019 19:03:37 -0000

On Wed, Aug 21, 2019 at 2:17 PM David Conrad <drc@virtualized.org> wrote:

> Alec,
>
> On Aug 21, 2019, at 11:06 AM, Alec Muffett <alec.muffett@gmail.com> wrote:
>
> On Wed, 21 Aug 2019, 18:59 David Conrad, <drc@virtualized.org> wrote:
>
>> The only way to truly ensure a trustworthy answer is to protect the
>> actual answer. Which is what DNSSEC does.
>>
> Fortunately we do not have to wait for DNSSEC in order to get answers from
> the people from whom we wish them supplied, privately and untampered-with,
> which is the whole point of DNS over HTTPS.
>
>
> As mentioned, this is not the traditional answer for what is “trustworthy”
> when it comes to DNS data: instead of trusting the zone owner (more
> specifically, the holder to the zone signing key), you are trusting the
> resolver operator.
>
> The data is ONLY private between the end user and the resolver operator.
> It is NOT private to the resolver operator (something people have been
> repeatedly pointing out) nor is it private between the resolver operator
> and the authorities.
>
> Further, you cannot ensure to the end user that the “trusted” resolver
> operator has not tampered with the data, be it due to court order, internal
> attack, software bugs, etc.
>

It is probably useful to highlight the impact of "local policy", especially
with respect to trust anchors.
For example, it might be the case that a given resolver operator has been
compelled to install (and use) some additional trust anchor(s).

Under that resolver operator's local policy, it is possible that the
validity of a given DNS answer from an authority, only due the use of an
additional trust anchor.

In that circumstance, a validating stub would actually determine that the
DNS answer it received from that resolver is BOGUS.

The resolver operator might not be directly involved in modification of the
DNS answer and signatures. For example, there could be a state actor in the
same jurisdiction as the operator and the respective court. The additional
trust anchor presumably would have been used by the state actor for signing
the substituted data. (This would be analogous to the root CA thing being
used for TLS MITM ongoing somewhere.)

Since a resolver operator's data is mostly cached, and cached based on
DNSSEC validity if they validate, such state actions scale extremely well.
This is a significant reason that DNSSEC was designed from the ground up
for client (stub) validation: trust, but verify.

Note: Having multiple resolver operators to choose from helps this
situation, but ONLY if the stub does local validation, and if the
jurisdictions for those operators was different.  The stub treats the
invalid data as a failure, and uses the other provider. This only occurs if
the failure to validate is detected by the stub, by local validation.

NB: recursive-to-authoritative is not encrypted, and on-path attackers can
modify the data. DNSSEC enables detection of this tampering via validation
on signed data, modulo the trust anchor(s) in use.

Brian


>
> Again, DNS over HTTPS protects the data channel. It does NOT protect the
> data.
>
> Regards,
> -drc
>
>

v2.23.0 | Report a Bug | By Email