Re: [Add] data integrity and DNSSEC or DoH/DoT
Eric Rescorla <ekr@rtfm.com> Thu, 22 August 2019 07:01 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A1EB12007A for <add@ietfa.amsl.com>; Thu, 22 Aug 2019 00:01:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cu_oaJ5zbHWR for <add@ietfa.amsl.com>; Thu, 22 Aug 2019 00:00:59 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 404D4120059 for <add@ietf.org>; Thu, 22 Aug 2019 00:00:59 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id x4so4504013ljj.6 for <add@ietf.org>; Thu, 22 Aug 2019 00:00:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YtG/Df1vAkHF8b09w6XsBLcm64I/q3Qr8MUx5nlWNnA=; b=OW+0SVui6lnXmRVGWbYis52vyE7HAJ348F8pLOzqt14uYEeQavFmBz/0sc5S3mngBF sjQFLocVD7fKTh8FxAYwuxYrERpcMpQ0WEV18yw6tdsNb8UuCczIMHK6/mxlG1HrZb6W o/dgIAVQoGazd3sWOyN4Dy/qLUniH34Pi2W/J5JxadiTlVtvXzALC8pddc2pVlnwh4j7 2+2X+OB6jtCFKwXHaIfckIondzwgsZR0YsNMU/WyPIWor14Dj5XnLonNq2SiV8sy7eaZ MPXqLZa0kJmLOqfO3ftrxmChMbPWj+BdqDq81XyrejKu/Ee38d2Nkqrakfmiiq0USgox LHcQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YtG/Df1vAkHF8b09w6XsBLcm64I/q3Qr8MUx5nlWNnA=; b=KV8Ej93EUBDhoefqJlK5npvadw+A35S6r3zbIYjCIeP5/6Px3wMdLtb1g1CKaQvrlI aRKaJGxmyh2ZQn+DvUIM4O6NNotNdOFNK/8ExiA9pBbEPQaz7dsSSE/InOdrB0zmbaC8 Vl/d01Qysoa6iOgv0W0S0VhuzsgOf4IBPSvMC7cgTRAtZQjU9pGYa7srafJVY6d3u7f4 OWkCDUpuZFaSat+aRWK0BrSlDn4VyI6I8SLR7FYSY3/485L2Ck7ordVB0QW95OKuGomR lwMlRcuvuvC9msD+jl//OuuM8g8Zy+Dcpgn+I8pFCoR9nu5otK72PkFuyDLeTx28n2dQ keGQ==
X-Gm-Message-State: APjAAAUb3fg6C/HriUgiaUqfLysd93vcIYTFEy2/DDMqF0pszVAucFNN QLmynuBPmI66l5VX7AVqBhengUX2PE2SbbcELHNvWX2iWZM=
X-Google-Smtp-Source: APXvYqwDZaG+Dz8CQrs+mWiQ6fG078qNsga52tRR1p/ZWUsJkRhePRJvktCemdlqg1zaweJJZxjEUJbsUWYPzlqxW7s=
X-Received: by 2002:a2e:5c43:: with SMTP id q64mr8262935ljb.14.1566457257575; Thu, 22 Aug 2019 00:00:57 -0700 (PDT)
MIME-Version: 1.0
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <CABcZeBMfOTjq-8hDDoKMtJvfHUA5nC8o60zuk-2Xe-ZhfwriJQ@mail.gmail.com> <766112E1-F532-4C6B-8CA8-A096671E02EE@piuha.net> <CA+9kkMAfuOwJu8_qJTuhAY4mUwR+tVUxr+k3QFHBk3byV672Ow@mail.gmail.com> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie> <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com>
In-Reply-To: <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 22 Aug 2019 08:00:21 +0100
Message-ID: <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com>
To: Jim Reid <jim@rfc1035.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000064d74b0590af4050"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/qOZ3b1_YH6eY4MuSRgqbCZ1ZtPo>
Subject: Re: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2019 07:01:02 -0000
On Wed, Aug 21, 2019 at 10:43 PM Jim Reid <jim@rfc1035.com> wrote: > > > > On 21 Aug 2019, at 22:13, Stephen Farrell <stephen.farrell@cs.tcd.ie> > wrote: > > > > IMO you're both right but not quite using super-precise terminology:-) > > > > ... > > > > So yep, both give data integrity, just differently. > > If we’re being super-precise, that’s not quite right either Stephen. :-) > > DNSSEC and DoH/DoT are not different paths to the same end goal of data > integrity. They provide different flavours of data integrity. > This I agree with. > DNSSEC validation means you get the truth, the whole truth and nothing but > the truth regardless of your choice of resolver or the transport path > between you and that resolver. DoH and DoT offer no protection at all from > a lying resolver - you’re just guaranteed to receive precisely whatever > lies or truth that resolver sends. So in effect you somehow decide to > “trust” a TRR and hope for the best. In some cases, that may well be good > enough. In others, perhaps not. > I'd like to push on this slightly, if I may. I certainly agree that from a cryptographic perspective, DNSSEC allows you to evaluate whether or not the records that you receive are those which were provisioned (modulo typos, key expiry, etc.). However, as has been observed here a number of times, there are many cases where the resolver desires to elide certain records (e.g., for malware filtering) or to redirect you to some other location (e.g., captive portals). So from a systems perspective it seems like things are more complicated. Suppose that I receive a bogus response to my A record query, how am I to usefully distinguish "this is malware blocking" from "this resolver is malicious"? -Ekr > > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add >
- [Add] What to do in this potential working group Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Orth
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Jim Reid
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Vyncke (evyncke)
- Re: [Add] What to do in this potential working gr… Ted Lemon
- Re: [Add] What to do in this potential working gr… Jim Reid
- Re: [Add] What to do in this potential working gr… Ted Lemon
- Re: [Add] What to do in this potential working gr… Tommy Jensen
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Brian Dickson
- Re: [Add] What to do in this potential working gr… Brian Dickson
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… Adam Roach
- Re: [Add] What to do in this potential working gr… Ted Hardie
- Re: [Add] What to do in this potential working gr… David Conrad
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Alec Muffett
- Re: [Add] What to do in this potential working gr… David Conrad
- [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] data integrity and DNSSEC or DoH/DoT David Conrad
- Re: [Add] data integrity and DNSSEC or DoH/DoT Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] Unstated assumptions in What to do in t… John Levine
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] What to do in this potential working gr… Patrik Fältström
- Re: [Add] What to do in this potential working gr… Patrik Fältström
- Re: [Add] What to do in this potential working gr… Rob Sayre
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Martin Thomson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] What to do in this potential working gr… Daniel Stenberg
- Re: [Add] What to do in this potential working gr… Jari Arkko
- Re: [Add] data integrity and DNSSEC or DoH/DoT Stephen Farrell
- Re: [Add] What to do in this potential working gr… Ray Bellis
- Re: [Add] What to do in this potential working gr… Martin J. Dürst
- Re: [Add] What to do in this potential working gr… Stephen Farrell
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] What to do in this potential working gr… Ralf Weber
- Re: [Add] data integrity and DNSSEC or DoH/DoT Ralf Weber
- Re: [Add] data integrity and DNSSEC or DoH/DoT Willem Toorop
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Rubens Kuhl
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] What to do in this potential working gr… Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Livingood, Jason
- Re: [Add] What to do in this potential working gr… Adam Roach
- Re: [Add] What to do in this potential working gr… Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Rob Sayre
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] What to do in this potential working gr… Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Jim Reid
- Re: [Add] data integrity and DNSSEC or DoH/DoT Eric Rescorla
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Neil Cook
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Christian Huitema
- Re: [Add] data integrity and DNSSEC or DoH/DoT Christian Huitema
- Re: [Add] data integrity and DNSSEC or DoH/DoT Brian Dickson
- Re: [Add] data integrity and DNSSEC or DoH/DoT Andrew Campling
- Re: [Add] data integrity and DNSSEC or DoH/DoT Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Paul Wouters
- Re: [Add] data integrity and DNSSEC or DoH/DoT Vittorio Bertola
- Re: [Add] data integrity and DNSSEC or DoH/DoT Alec Muffett
- Re: [Add] data integrity and DNSSEC or DoH/DoT Alec Muffett