Re: [dane] Behavior in the face of no answer?
Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 04 May 2012 19:44 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 06EA521E8042 for <dane@ietfa.amsl.com>;
Fri, 4 May 2012 12:44:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.63
X-Spam-Level:
X-Spam-Status: No, score=-2.63 tagged_above=-999 required=5 tests=[AWL=-0.031,
BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id do5jYUVmrMvB for
<dane@ietfa.amsl.com>; Fri, 4 May 2012 12:44:38 -0700 (PDT)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by
ietfa.amsl.com (Postfix) with ESMTP id EB1E121E8029 for <dane@ietf.org>;
Fri, 4 May 2012 12:44:37 -0700 (PDT)
Received: from mail.yitter.info (69-196-144-227.dsl.teksavvy.com
[69.196.144.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA
id 62DD81ECB41C for <dane@ietf.org>; Fri, 4 May 2012 19:44:37 +0000 (UTC)
Date: Fri, 4 May 2012 15:44:35 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dane@ietf.org
Message-ID: <20120504194132.GF7394@mail.yitter.info>
References: <20120504021044.GB4560@mail.yitter.info>
<B25C977F-6B4E-458C-879D-A36EDB94DA75@icsi.berkeley.edu>
<20120504023602.GA4683@mail.yitter.info>
<CABcZeBO93n_C5detefBcOjAoswe2inGKDj65gQPDQmREyGnhAw@mail.gmail.com>
<20120504112922.GB4929@mail.yitter.info>
<CABcZeBPTTa07iUHo9XL5WrHGMYHwaQzs6xYtiF25O4Jek8E3RQ@mail.gmail.com>
<20120504144426.GD4929@mail.yitter.info>
<CABcZeBOM_0L42Rng75AsVda9u4G=FH8=OB8Qg=nQpL-BzRoBuQ@mail.gmail.com>
<20120504165512.GC7394@mail.yitter.info>
<CABcZeBO4zRSa=JexqZ8uw7o26tM4SZk2GDivTAWD5ZF1pZR9Og@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CABcZeBO4zRSa=JexqZ8uw7o26tM4SZk2GDivTAWD5ZF1pZR9Og@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>,
<mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>,
<mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 19:44:39 -0000
On Fri, May 04, 2012 at 11:59:25AM -0700, Eric Rescorla wrote: > I'm sorry, I think we're still talking past each other. If you treat > non-response > the same way as you treat a validated empty RRSET, then a network > attacker can get the same effect (i.e., no DANE checks) by simple > suppressing DNS resolution. I likely wasn't clear enough. I was not advocating treating non-response that way. I was saying that "non-response" and "an empty answer" (i.e. an empty answer section in the DNS response) are not to be treated the same; somewhere else in the discussion it seemed that they were being collapsed. I believe it is possible to get a useful response that has nothing in the Answer, Authority, and Additional sections only if you trust your upstream, you trust the connection somehow, you set CD=0, and you get AD=1 on the response. In that case, I believe it is a legitimate NODATA response (though I don't know of any implementation that works this way), and it is validated. It means there is no TLSA record at that owner name, just like if you used CD=1 and got back an answer with (say) an NSEC3 record in the Authority. If I sound tentative, it's because I haven't in the last 48 hours walked through the relevant RFCs in order to be perfectly sure that this is what a NODATA response looks like for a non-validated security-aware stub relying on upstream validation. But I think this is right. In any case, if all of those necessary conditions aren't satisfied, then the answer is either bogus or indeterminate and you should react accordingly. This is already covered in the existing draft. Best, A -- Andrew Sullivan ajs@anvilwalrusden.com
- [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Tom Ritter
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Adam Langley
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Yoav Nir
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Yoav Nir
- Re: [dane] Behavior in the face of no answer? Ondrej Mikle
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Adam Langley
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? John Gilmore
- Re: [dane] Behavior in the face of no answer? Yoav Nir
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Tony Finch
- Re: [dane] Behavior in the face of no answer? Tony Finch
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Tony Finch
- Re: [dane] Behavior in the face of no answer? Scott Schmit
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Ondrej Mikle
- Re: [dane] Behavior in the face of no answer? Tony Finch
- Re: [dane] Behavior in the face of no answer? Ondrej Mikle
- Re: [dane] Behavior in the face of no answer? John Gilmore
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? John Gilmore
- Re: [dane] Behavior in the face of no answer? John Gilmore
- [dane] Network errors ARE attacks - on the end-to… John Gilmore
- Re: [dane] Behavior in the face of no answer? Mark Andrews
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Network errors ARE attacks - on the en… Martin Rex
- Re: [dane] Network errors ARE attacks - on the en… Yoav Nir
- Re: [dane] Network errors ARE attacks - on the en… Henry Story
- Re: [dane] Network errors ARE attacks - on the en… Henry Story
- Re: [dane] Network errors ARE attacks - on the en… SM
- Re: [dane] Network errors ARE attacks - on the en… Michael Richardson
- Re: [dane] Network errors ARE attacks - on the en… Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Network errors ARE attacks - on the en… Mark Andrews
- Re: [dane] Network errors ARE attacks - on the en… Warren Kumari
- Re: [dane] Network errors ARE attacks - on the en… Phillip Hallam-Baker