IETF Logo Mail Archive

Re: [Add] fixing coffee shop brokenness with DoH

Ted Lemon <mellon@fugue.com> Wed, 24 July 2019 15:58 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 476DE12013B for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 08:58:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v5yXOfuke55v for <add@ietfa.amsl.com>; Wed, 24 Jul 2019 08:58:39 -0700 (PDT)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 101A21200B3 for <add@ietf.org>; Wed, 24 Jul 2019 08:58:38 -0700 (PDT)
Received: by mail-qt1-x82a.google.com with SMTP id w17so1661890qto.10 for <add@ietf.org>; Wed, 24 Jul 2019 08:58:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=RUlYCCqmTUQKAhNuO0buskGODyVBUsirebklev9PqIY=; b=Ou7UcNSDRIIk0UZqdRL/nyYxyh0VT+FvCUwWE9eR7RD4bpj+aDeYWwQkI+1MqtFeCi Oz4LGWPUIxlj0NnTfszu62ziNa7Uxw/5myu0v/jP9XwqCmRMXbvXzNZ750XEkvb/nAZt Df0yTJFDNGdhWImgPL3Q1SbPoQsdSYonkoAeiDtLKmxIazgNJuTvjYc2INDPcRNdAGts KWyAARCTRttqz7EBqNu2P0GGv6X9d1/vFJ4zUF5GwFYCf7KDPWz10pbKcWF9uuGw0SKu H2iZXQ7CumC3pHq1ag8znpF0ihvBOMv8pY/opO+odrfFSGr+CJH+xElcC+eR7FO5cE4z pQhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=RUlYCCqmTUQKAhNuO0buskGODyVBUsirebklev9PqIY=; b=W9v18EoLsoauynNycA+diAsnWVrAd2xUWnQsWQ9/xfiCPuqMTABedl7JWXgiQT4lWS PPzCFJP9crjd/3drpqogoO2QT6JDxCQYtF6bzMl+Lw8h5XBrxlJmaxyRtFQQf2XON7AL MErHom0I8whhHw1cdPaamujbGJq+nHZ1mXLAO9bX8LZo9IvpzsoHGKyv7Cb7WBRxFDbT CvnZ1h3i7tXQh1MwsEyVREp6a8qQqt4yTkHhHJfl3fYeRFstT+bqhvG3EeiAbpX6l+qG c0+fmSAF96zSAM3zs5E4QIakDFRp9VpVFTJ5fEGP1Lxr6wYDHpRVf92XFQn8YzTxSaGb NNaw==
X-Gm-Message-State: APjAAAWDLLI1316jHKbZqcrsTU/mckp5vARFH78UitqDA9lQhqcyh8iR ppSCCLNQ1oXUWeOy7JDuagIsJ58mPmP12Q==
X-Google-Smtp-Source: APXvYqzqwTvtgWmIXeN3TDZaM80uXE1OcdORguiNulRKKanGw2XXF3ITt2nGt8h23dQtzQndsv4yOw==
X-Received: by 2002:a0c:8321:: with SMTP id j30mr3606396qva.171.1563983917853; Wed, 24 Jul 2019 08:58:37 -0700 (PDT)
Received: from ?IPv6:2001:67c:1232:144:e499:b675:19fb:320b? ([2001:67c:1232:144:e499:b675:19fb:320b]) by smtp.gmail.com with ESMTPSA id u1sm25982093qth.21.2019.07.24.08.58.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 Jul 2019 08:58:37 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-26DD618C-C620-48A5-9604-5778BD42C604"
Mime-Version: 1.0 (1.0)
From: Ted Lemon <mellon@fugue.com>
X-Mailer: iPhone Mail (16G77)
In-Reply-To: <CABcZeBOjWQr1HWbGaCkpdR1S7FQUmum=by_SOYWB9OENy8Y-hA@mail.gmail.com>
Date: Wed, 24 Jul 2019 11:58:36 -0400
Cc: Jim Reid <jim@rfc1035.com>, "add@ietf.org" <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
Content-Transfer-Encoding: 7bit
Message-Id: <7BE32238-2442-4954-B95E-1C089C8C86E7@fugue.com>
References: <CAChr6Sx9TEt6CMzRRrdb-HwT_k987oW=4yF1FCbDF17zkaE2Vg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E23910C@GAALPA1MSGUSRBF.ITServices.sbc.com> <14DF8769-A817-4C06-9140-80198518244F@akamai.com> <CAChr6SzH1EycAr5n+dK5BQcG=0Zsw66qE=8Rptvq7SEoEvQQ=Q@mail.gmail.com> <E5A0DAE2-A718-41EA-B490-58ABD0F31CF2@rfc1035.com> <CABcZeBMqvZivS_Hk_2mSOAOnM+mHy1mtcwnHVFc14v_jdkgU=Q@mail.gmail.com> <4DE9B8B1-36D5-4EB5-BE84-D61C182F7372@fugue.com> <CABcZeBN+4RGWN0+xhtb-bMtSJ1B0FAU4JjRJTOSd1x_9JJZBWg@mail.gmail.com> <D361E72B-3783-4E57-8F08-8B418639BB29@fugue.com> <CABcZeBP2MY3pjeZv4Q+1Kj3_GKOgVq8+OYe7im2gYvBzy=Mz7g@mail.gmail.com> <F8A56D5D-B05E-4E80-880C-60D6B550F107@fugue.com> <CABcZeBOO5yvcm=DvDjr-7v4AvVG=13Zy--j362eE0Qqp7hcRaw@mail.gmail.com> <4FC4184E-E41D-420E-A594-60ECF3CD73F1@fugue.com> <CABcZeBOjWQr1HWbGaCkpdR1S7FQUmum=by_SOYWB9OENy8Y-hA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/wOSg_fJuy8XaG8kpQ53kY3u4ZK0>
Subject: Re: [Add] fixing coffee shop brokenness with DoH
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 15:58:41 -0000

There are a variety of attack scenarios to account for. DNSSEC is not useful for countering a fake NXDOMAIN attack when the attacker also controls the path and can prevent connection establishment.

However, if the attacker is the resolver, and the resolver isn’t under the control of the path, then detecting a fake NXDOMAIN is useful. 

Sent from my iPhone

> On Jul 24, 2019, at 11:20 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
>> On Wed, Jul 24, 2019 at 8:18 AM Ted Lemon <mellon@fugue.com> wrote:
>>> On Jul 24, 2019, at 11:10 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>>> Sure. The case of interest here is that you have a client which wants to connect to domain A and the resolver (or a network attacker) wants to stop them.
>>> 
>>> In the case where A is not DNSSEC signed, the attacker just sends NXDOMAIN, which the client accepts and refuses to connect.
>>> 
>>> In the case where A *is* DNSSEC signed, the attacker can also inject an NXDOMAIN. DNSSEC of course won't validate, but the client still doesn't have an IP address to connect to, so it's only recourse is to error out. Now, it can show the user a different error than it did for NXDOMAIN, but these errors tend to be fairly generic anyway (Firefox, for instance, shows "Hmm. We’re having trouble finding that site."), so from the user perspective these aren't really very different.
>> 
>> Ah, I see where the disconnect is.   Yes, if the resolver and the network are controlled by the same entity, then DNSSEC doesn’t help you to get a connection.
>> 
>> However, if you are able to tunnel to a resolver that is not controlled by the network operator, then this equivalence no longer exists.   In this case, DNSSEC is useful for validating the NXDOMAIN, because the network operator is not cooperating with the resolver operator.
> 
> I'm sorry, I think I'm confused. Where do you think the attacker is positioned?
> 
> -Ekr
>

v2.23.0 | Report a Bug | By Email