[dane] Behavior in the face of no answer?
Eric Rescorla <ekr@rtfm.com> Thu, 03 May 2012 21:56 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 0021521F84DA for <dane@ietfa.amsl.com>;
Thu, 3 May 2012 14:56:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5
tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1,
USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n3EgRM2kQ5S7 for
<dane@ietfa.amsl.com>; Thu, 3 May 2012 14:56:07 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vc0-f172.google.com
[209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 49B2E21F84D5 for
<dane@ietf.org>; Thu, 3 May 2012 14:56:07 -0700 (PDT)
Received: by vcbfo1 with SMTP id fo1so1975298vcb.31 for <dane@ietf.org>;
Thu, 03 May 2012 14:56:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=20120113;
h=mime-version:x-originating-ip:from:date:message-id:subject:to
:content-type:x-gm-message-state;
bh=RcDYMEAriRYQnpQdskGBurx8ePMvnWdKngQFhjwW0ng=;
b=gErkLtPa3j2OeclfJn5uBCJBgvgEASCBxwjkNGB5k2pUCAVhqSOUre1wcvK5MrFpKv
E14+Gz/ax75IhBj5T0O4VtjNjmb26MxheuLuuqMlhJdBY1NlyB3+B/Eeul2XRXpLx4tz
qyK0R4h5EaW27Ke+6lcO//RoIH3VKwXVgIlrB6zpN7xJAtTKRE/T65NncVDGQggAvbQQ
Z9IXDzmktRsS8t2LddnO9RzTdtHCuSbUEEOSwM6YQeovkEqv8NfFsTxzwwX3+MtJVTKn
1uULrPN9cgdwkwSrlQambRyJExI02vXi6hdCkz8UX2ZtBJFhrL1Dtb8aj/CZ9Y6oKcpr QCDg==
Received: by 10.52.172.194 with SMTP id be2mr1766198vdc.60.1336082166664;
Thu, 03 May 2012 14:56:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.19.233 with HTTP; Thu, 3 May 2012 14:55:24 -0700 (PDT)
X-Originating-IP: [205.248.100.252]
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 3 May 2012 14:55:24 -0700
Message-ID: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com>
To: dane@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQnGIJNknOd+uDq/F8cu55CiK0YUz+Y/zlvsvH9KDeTPKEpayrNpCy0eRTEqIl3cB1+MvdKO
Subject: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>,
<mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>,
<mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2012 21:56:08 -0000
I've been reading -20 and I'm not sure I understand the behavior that section 4.1 is supposed to say. Consider the following case: I am trying to connect for the first time to https://www.example.com/, which is signed. I go to retrieve the TLSA record, but when I do so, the request times out. What do I do? There seem to be two options: (a) Treat this as a hard failure and abort the connection. (b) Treat this as if I have an empty TLSA response and continue with ordinary TLS. I claim that the right response from a security perspective is clearly (a): hard fail. If you agree with me, then jump to "2. DOCUMENT TEXT" below. If not, keep reading. 1. SECURITY ANALYSIS The basic security setting in which CA constraints and service certificate constraints are useful is one in which: (a) The attacker has a valid certificate for the target domain, but not the same as the certificate issued to the real server. (b) The attacker has enough control of the network to get the victim to connect to his server. Generally, (b) means that the attacker is on-path to the client or the server. What makes DANE work is that it provides an independent cryptographically verifiable check on the server certificate, thus excluding the attacker's certificate. Even if the attacker can force traffic to him, then, the certificate won't be acceptable. If the attacker can force you to ignore the information in DANE, then DANE offers minimal security guarantees. If clients treat TLSA RR requests without responses (i.e., timeouts) as if they were empty TLSA responses and continue with TLS as usual, then any attacker who can block DNS responses (i.e., anyone who is on-path to the victim, at least) can downgrade you to ordinary TLS. So, I think it follows that non-responses (or SERVFAILS or any other resolver error) must be treated as hard failures and cause aborts. Note that the security context for DANE is different from that of many DNS contexts, because in many such contexts, non-response means you just don't resolve so you fail hard anyway. But here, you fail to a weaker security position. 2. DOCUMENT TEXT As I said above, I find the document kind of hard to read on this point. S 4.1 refers to the RFC 4033 definitions and says that Bogus must be hard-failed and that Insecure and Indeterminate must be treated as if there were empty TLSA sets and you continue with TLS. So, the question is whether non-response is Bogus or not. Here's what 4033 says (http://tools.ietf.org/html/rfc4033#section-5) Bogus: The validating resolver has a trust anchor and a secure delegation indicating that subsidiary data is signed, but the response fails to validate for some reason: missing signatures, expired signatures, signatures with unsupported algorithms, data missing that the relevant NSEC RR says should be present, and so forth. But in this case we don't have an invalid response, but instead a non-response, so its not clear to me this falls into Bogus. I'm not steeped in all the DNSSEC lore, so maybe there is a wide agreement that nonresponse == bogus, but I don't get that clearly out of the document. IMO, DANE would benefit from stating this clearly. -Ekr
- [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Tom Ritter
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Adam Langley
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Yoav Nir
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Yoav Nir
- Re: [dane] Behavior in the face of no answer? Ondrej Mikle
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Adam Langley
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? John Gilmore
- Re: [dane] Behavior in the face of no answer? Yoav Nir
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Tony Finch
- Re: [dane] Behavior in the face of no answer? Tony Finch
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Tony Finch
- Re: [dane] Behavior in the face of no answer? Scott Schmit
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Ondrej Mikle
- Re: [dane] Behavior in the face of no answer? Tony Finch
- Re: [dane] Behavior in the face of no answer? Ondrej Mikle
- Re: [dane] Behavior in the face of no answer? John Gilmore
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? John Gilmore
- Re: [dane] Behavior in the face of no answer? John Gilmore
- [dane] Network errors ARE attacks - on the end-to… John Gilmore
- Re: [dane] Behavior in the face of no answer? Mark Andrews
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Network errors ARE attacks - on the en… Martin Rex
- Re: [dane] Network errors ARE attacks - on the en… Yoav Nir
- Re: [dane] Network errors ARE attacks - on the en… Henry Story
- Re: [dane] Network errors ARE attacks - on the en… Henry Story
- Re: [dane] Network errors ARE attacks - on the en… SM
- Re: [dane] Network errors ARE attacks - on the en… Michael Richardson
- Re: [dane] Network errors ARE attacks - on the en… Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Network errors ARE attacks - on the en… Mark Andrews
- Re: [dane] Network errors ARE attacks - on the en… Warren Kumari
- Re: [dane] Network errors ARE attacks - on the en… Phillip Hallam-Baker