IETF Logo Mail Archive

Re: [dane] Behavior in the face of no answer?

Eric Rescorla <ekr@rtfm.com> Tue, 15 May 2012 04:51 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3691321F8800 for <dane@ietfa.amsl.com>; Mon, 14 May 2012 21:51:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.88
X-Spam-Level:
X-Spam-Status: No, score=-102.88 tagged_above=-999 required=5 tests=[AWL=0.097, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TmOqmwonerEJ for <dane@ietfa.amsl.com>; Mon, 14 May 2012 21:51:18 -0700 (PDT)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 0F80521F87FB for <dane@ietf.org>; Mon, 14 May 2012 21:51:15 -0700 (PDT)
Received: by vbbez10 with SMTP id ez10so6876448vbb.31 for <dane@ietf.org>; Mon, 14 May 2012 21:51:15 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:x-gm-message-state; bh=g/WnzCrwus2eqoqSl++cpQvvHtTneJGn7D4X/Kfv5p8=; b=hj1/mIhy8yAyiyiLgvVc55DrnugaJviJ+kpqE7Igi8IDfo/q3ZoWBBVNYniD7cJGBX mhwxrjf+JhGIfLN+aaf5VvSnUG/jRyFtvOeWxWwM9K88PyLuOqbk2O9IN0SpSNCvYCfj r8BAr9rMBSNOX0wcoS5RSWM8d0C8204QTO4de6ZrtYGwOHEBIgizFimPcDyLs0Jad/Du /jNDTSyuNvUy11YKf6jodk+E2NUyPvwGyG6ZhU5oi0WyyMnSukG02n+NpS/mPvr/tQUK l+bFvGvjN1+LWPt125lGX1PFr+h+QXCmTZ1u5Vgdp9gaoeiPiRgxl/Dsue0oRJvQlltl eE2g==
Received: by 10.52.100.229 with SMTP id fb5mr5146132vdb.102.1337057475295; Mon, 14 May 2012 21:51:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.35.209 with HTTP; Mon, 14 May 2012 21:50:35 -0700 (PDT)
X-Originating-IP: [74.95.2.173]
In-Reply-To: <alpine.LFD.2.02.1205142352010.10990@bofh.nohats.ca>
References: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com> <643D87CD-D01E-47B8-82E5-D3F57D50C80B@vpnc.org> <alpine.LFD.2.02.1205142229552.10990@bofh.nohats.ca> <CABcZeBMS9cJ3m6JwJED7XAqdsF=zbTUUU_o3-opiZvqMyr7mdw@mail.gmail.com> <alpine.LFD.2.02.1205142352010.10990@bofh.nohats.ca>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 14 May 2012 21:50:35 -0700
Message-ID: <CABcZeBNz_unAYc8i9roDnQurx3hUDjza8BpgwTsLCSRj5aQjNw@mail.gmail.com>
To: Paul Wouters <paul@cypherpunks.ca>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQnrvgonvkgXavjZbmVjK3ysfF9x4yr4e3MfYknld9kpQ+rQXARIT+ImoCktaSLkBYwZv/ov
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 May 2012 04:51:19 -0000

On Mon, May 14, 2012 at 9:23 PM, Paul Wouters <paul@cypherpunks.ca> wrote:
> On Mon, 14 May 2012, Eric Rescorla wrote:
>
>> I don't think this is what we want.. There appear to be five relevant
>> states:
>>
>> * secure, bogus, indeterminate, or insecure [specified in section 4.1]
>> * no response, DNS error, etc. [the state in question here]
>
>
> We had these discussions before, where there is a disagreement about
> some cases where you are not getting some responses and what state it
> is supposed to be. I'm not sure we all agreed in the end - I thought
> some people argued that "indeterminate" does not really exist.

Well, it's a listed category in 4033. If it's a null category, that's fine.


>> The relevant point here is that in the case where you were expecting
>> DNSSEC but you get some error in the last category
>
>
> if you expect a dnssec signed answer (eg because you have a validated
> parental DS) but you did not,

Did not what? The case in question is that you get no answer or an
ICMP response or something.


> the reseult is what? bogus? But if there
> might be a zone cut in between the parental DS you have (eg the root)
> and the zone, it is indeterminate? I think for TLSA, these should both
> be treated the same, as bogus.

Yes, I tend to agree, but it's clear that there's not consensus on this
point, so I'm focusing on describing the technical situation.

>
>> to get security benefit from restrictive modes, you must treat that as
>> if it were bogus. That's different from cases where you weren't
>> expecting DNSSEC (insecure, indeterminate), and therefore you
>> should just be ignoring the TLSA records.
>
>
> You cannot know when you were NOT expecting DNSSEC unless you do DNSSEC
> and you a get a validated anwser that leads to an end of the trust chain
> before it reaches the domain you were interested in. So an attacker
> would also prevent you from knowing that.

Yes, that's true, but I'm not sure I see the relevance. Obviously, under
non-attack conditions you would expect to see this with some frequency.


> And if you know a domain is
> insecure, you don't even need to query for TLSA records, unless your
> model assumes a full validator logic built into the browser, as opposed
> to using a trusted validator on localhost.

Which after all, might happen.


> Are we expecting browsers to just query for TLSA records and ignore
> those received without AD bit? Or are we expecting them to implement
> full resolver logic?

Personally, I expect browsers to not query for TLSA records at all,
for the reasons that AGL indicated earlier.



> Right now, a browser can just query for TLSA records to its local
> resolver, and make a decision based on the AD bit. If any filtering
> of DNSSEC is taking place, the local resolver should be returning
> SERVFAIL. Do we want the browser to extract more details with CD? Or
> should they just hard/soft fail based on their local settings? Should
> they find out if this would be "bogus" or "indeterminate", or is there
> no point?

I don't understand any of this. Even if you trust your resolver, there
are certainly ways for an attacker to suppress the response, so it's
always going to be the case that you need to know what to do
when you get no response. This is true whether the browser has
validation logic or not.


>>> I'm also not sure why the statement is limited to certficate usage 0 and
>>> 1. Is that because you assume no PKIX alternatives are available and
>>> thus it always has to abort for insecure/indeterminate?
>>
>>
>> The security logic is different for restrictive records and additive
>> records.
>> Say that you're not willing to hard fail on TLSA failures but you're
>> willing
>> to suppress error warnings if you get resolvable records of type 2 and 3.
>> Then you are getting security benefit for those records, but you're not
>> getting any security benefit if type 0 or 1 records exist.
>
>
> Now I'm completely lost. Usage 0 and 1 is for pinning PKIX, so if you
> want to use TLSA to avoid rogue CA's, you can't suppress those error
> warnings. It's really the same as disabling TLSA.

Yes, hence my original post.

Once again, *I* think it's silly to implement TLSA and then act in a way
that allows an attacker to force you back to the posture you would
have been in if you didn't implement TLSA. However, apparently
there is no consensus on that point. What we're discussing now
(at the chair's request) is how to characterize the security implications
of that implementation choice.

-Ekr

v2.8.7 | Report a Bug | By Email