IETF Logo Mail Archive

Re: [dane] Behavior in the face of no answer?

Eric Rescorla <ekr@rtfm.com> Fri, 04 May 2012 19:00 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D4F621F8669 for <dane@ietfa.amsl.com>; Fri, 4 May 2012 12:00:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Ixbb-2iq2zT for <dane@ietfa.amsl.com>; Fri, 4 May 2012 12:00:06 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 34B4C21F865B for <dane@ietf.org>; Fri, 4 May 2012 12:00:06 -0700 (PDT)
Received: by vcbfo1 with SMTP id fo1so2707742vcb.31 for <dane@ietf.org>; Fri, 04 May 2012 12:00:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding :x-gm-message-state; bh=ZegA+U3jCsavBBKIuEWHpvN3A0qj9hmPrxx1dCHHNm8=; b=WCAjTi85IQELfcnB+0ppoj3bN3UnFhBh0dVLw7eCqr9VpAlCsUjVGzVIwnaz/+MKjk 9uwBZgvr7kZj/KRdV0/KnvPkeRE8ZMwP+q/zHC2uM3fgBLu4FyUFB2VqjoEYJTT1l97e SPH1+qWQdz/IfeHHp2JJuDrsj2h3ar9nS4hYvt2FrIYeDps2qs9wwXjPuakzo0mcdqN8 eRxLL8FhmgBQVYkk/qzKCcL90+6wNOulnQG4Yt22po0OJ4BogsDdgtiwWh7awFj6MFAk 0Si4BlvHicCDUiBztV5PxabnSFiIXSx25pynPvPDVUf0VXyNU85OqoKn60nGNdVkn70b NDCQ==
Received: by 10.52.74.69 with SMTP id r5mr2672971vdv.110.1336158005741; Fri, 04 May 2012 12:00:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.19.233 with HTTP; Fri, 4 May 2012 11:59:25 -0700 (PDT)
X-Originating-IP: [63.245.220.224]
In-Reply-To: <20120504165512.GC7394@mail.yitter.info>
References: <20120503223745.GC1804@mail.yitter.info> <CABcZeBMFV8oiZJfAY1fZ_0bBQWa=q6aBL65AS+W5gBuKmPnwOg@mail.gmail.com> <20120504021044.GB4560@mail.yitter.info> <B25C977F-6B4E-458C-879D-A36EDB94DA75@icsi.berkeley.edu> <20120504023602.GA4683@mail.yitter.info> <CABcZeBO93n_C5detefBcOjAoswe2inGKDj65gQPDQmREyGnhAw@mail.gmail.com> <20120504112922.GB4929@mail.yitter.info> <CABcZeBPTTa07iUHo9XL5WrHGMYHwaQzs6xYtiF25O4Jek8E3RQ@mail.gmail.com> <20120504144426.GD4929@mail.yitter.info> <CABcZeBOM_0L42Rng75AsVda9u4G=FH8=OB8Qg=nQpL-BzRoBuQ@mail.gmail.com> <20120504165512.GC7394@mail.yitter.info>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 4 May 2012 11:59:25 -0700
Message-ID: <CABcZeBO4zRSa=JexqZ8uw7o26tM4SZk2GDivTAWD5ZF1pZR9Og@mail.gmail.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQkLOXf/yDfQCk1ea/drxNhL1ka97lqDs1w4r50lbtpDlbPik2txNWkKOtNCw2oo1OQtUdGv
Cc: dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 19:00:08 -0000

On Fri, May 4, 2012 at 9:55 AM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
> On Fri, May 04, 2012 at 08:10:40AM -0700, Eric Rescorla wrote:
>> > we usually call "NODATA".  The case I mentioned yesterday, where AD is
>> > set and the upstream doesn't give you the DNSSEC data and you have a
>> > NODATA response is, AFAICT, just a case where there is no TLSA RRset
>> > and shouldn't result in TLS failure.
>>
>> But the problem is that this is indistinguishable from the case where there
>> *was* a TLSA RRSET and you have a network attacker.
>
> It certainly isn't.  If you're depending on your upstream validator,
> you need to trust it.  If you don't trust it, don't depend on the
> upstream, in which case you're not going to offload validation.
>
> A NODATA answer is _not_ just like "no response at all" if the answer
> passed validation, and if it didn't pass the the specification already
> covers this case.

I'm sorry, I think we're still talking past each other. If you treat
non-response
the same way as you treat a validated empty RRSET, then a network
attacker can get the same effect (i.e., no DANE checks) by simple
suppressing DNS resolution.

-Ekr

v2.8.7 | Report a Bug | By Email