Re: [dane] An AD bit discussion
Petr Spacek <pspacek@redhat.com> Thu, 27 February 2014 13:15 UTC
Return-Path: <pspacek@redhat.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A87D1A026D for <dane@ietfa.amsl.com>; Thu, 27 Feb 2014 05:15:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.049
X-Spam-Level:
X-Spam-Status: No, score=-6.049 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IGIHOnTUXd6M for <dane@ietfa.amsl.com>; Thu, 27 Feb 2014 05:15:22 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id C807D1A021A for <dane@ietf.org>; Thu, 27 Feb 2014 05:15:22 -0800 (PST)
Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s1RDFJJc026599 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <dane@ietf.org>; Thu, 27 Feb 2014 08:15:20 -0500
Received: from pspacek.brq.redhat.com (pspacek.brq.redhat.com [10.34.4.156]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s1RDFHVK024821 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for <dane@ietf.org>; Thu, 27 Feb 2014 08:15:19 -0500
Message-ID: <530F3A64.2000001@redhat.com>
Date: Thu, 27 Feb 2014 14:15:16 +0100
From: Petr Spacek <pspacek@redhat.com>
Organization: Red Hat
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: dane@ietf.org
References: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca> <m3txbly9ui.fsf@carbon.jhcloos.org> <alpine.LFD.2.10.1402261930400.3528@bofh.nohats.ca> <20140227022347.GC73737@mx1.yitter.info> <20140227031628.B4A1610765F9@rock.dv.isc.org> <20140227034723.GA73861@mx1.yitter.info> <20140227041753.3509810773A8@rock.dv.isc.org> <20140227044213.GO21390@mournblade.imrryr.org> <alpine.LFD.2.10.1402270015320.6180@bofh.nohats.ca> <20140227054617.GP21390@mournblade.imrryr.org>
In-Reply-To: <20140227054617.GP21390@mournblade.imrryr.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/jQCfm37Nw-fu-0HIg9KsR9ktS_I
Subject: Re: [dane] An AD bit discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 13:15:25 -0000
On 27.2.2014 06:46, Viktor Dukhovni wrote: > On Thu, Feb 27, 2014 at 12:29:57AM -0500, Paul Wouters wrote: >>> So likely RedHat should proceed with extensions to resolv.conf to >>> express the trust status of the nameserver list, and improvements >>> to libresolv. The default stub-resolver policy can reasonably be Note that we don't want to hack resolvers in Red Hat's software. We really want to reach a consensus about this problem so we (Red Hat) can work upstream with stub-resolver developers to add support for the new behavior as designed here. Please do not limit the discussion to glibc/libresolv/ldns/anything else. We are interested in resolver-behavior in general not in one particular implementation. >>> non-trust of all nameservers (typically from DHCP). >> >> But it is so much better for all server installs to just install a >> validating resolver, point resolv.conf to localhost, and use the DHCP >> obtained DNS servers (or admin configured DNS servers) as forwarders. >> >> Then all applications can trust the AD bit. That's a simply a reality >> that's possible today. Even upgrading machines to this is not that hard. > > Yes, up-thread, this my ideal future world too. Sure, this is ideal, it is absolutely clear that (local) validating resolver is the best option (when possible). Now we need to discuss 'a temporary solution' for the case where a validating resolver is not available for whatever reason. Please let's concentrate on following situation: - Crypto libraries like GnuTLS/OpenSSL/NSS have DANE support compiled and enabled by default out-of-the-box. - GnuTLS/OpenSSL/NSS libraries use AD bit as received from stub-resolver. - A random application (e.g. Firefox/Thunderbird/offlineimap) use DANE-enabled crypto library and have no clue about DNSSEC. (That is what we want, right? Just use it without modifying all crypto-enabled applications in the world!) - The whole set is running on machine with plain stub-resolver without validator. Result => It is completely insecure because attacker can use DANE for effective man-in-the-middle attack: The crypto library will trust to fake TLSA records because attacker send fake TLSA record with AD=1. One opinion is 'use a new shiny API for DNS and do not hack existing resolver APIs' and the other option is to 'do validation yourself'. I'm afraid that this do not belong to category 'temporary solution'. It can take too long to design API, then to develop libraries and then *to convince application developers to use this new API*. I definitely agree that old resolver from BIND8 is "not the best" but we have to count with existing applications. It is easier to push small patches like - res_init() + res_init_trusted() It is *much much* harder to push patches rewriting code related to DNS to some completely new library. We want to add DANE support to existing applications not only to new ones. The proposed approach with a new initialization call (*for example* res_init_trusted()) have two (desired) side-effects: - It prevents an application relaying on AD bit from running on old system which does not guarantee trustworthiness of the AD bit. Otherwise we would have to invent some way how to check at run-time that special handling for AD bit is supported. (Think about cases where application was compiled on newer system and somebody tries to run it on older system etc.) - It doesn't affect applications which do not care/do not use new initialization call. For example current software like Postfix or OpenSSH client will 'just work' without any change. AD bit will be handled in special way only if the resolver library is initialized with the new call. >> That's why I'm not really in favour of adding legacy to glibc or >> resolv.conf. Especially because there are also so few applications that >> actually do anything with AD bits, plus we are still working on API and The main idea is 'to make DNSSEC easy for application developers - today'. It doesn't surprise me that very few applications use AD bit because nowadays it requires adding a new configuration option "resolver is un/trusted" to the application. It is not easy neither for programmer nor for administrator. >> DNSOP documents on how to improve/secure the DNS transport for talking >> to remote servers. I'm sorry, this also sounds like a long-term plan. We are looking for something workable today. The plan is to push DANE support as much as possible and as soon as possible - not to wait (potentially long time) for standardization and adoption of new APIs etc. > But what to do when things are not ideal, perhaps because someone > disagrees with our ideal. How do we let them assert that AD should > be trusted? > > One could always trust AD, and leave up to the platform vendor and > system administrator to make it so. Or one could default to not > trust AD unless resolv.conf says so, and the out-of-the-box > "experience" could be made to include a 127.1 nameserver and the > the right new predicate in /etc/resolv.conf, and glue to have DHCP > tweak forwarders (subject to relevant DHCP configuration) rather > than mess with resolv.conf (much better for reasons beyond DNSSEC > IMHO). > > Then it is up to adventurous administrators to mess this up. Some > will want to bless "remote" resolvers, that we might not want > to bless by default. > > As to the question of whether always trusting AD when the recursive > resolvers are not "secure" is OK? I don't know. Depends what > applications do with that trust. Please see the example with DANE-enabled crypto library above. Have a nice day! -- Petr^2 Spacek
- Re: [dane] An AD bit discussion Paul Wouters
- [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Ondřej Surý
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Olafur Gudmundsson
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Wiley, Glen
- Re: [dane] An AD bit discussion James Cloos
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Andreas Schulze
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Andrew Sullivan
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Andrew Sullivan
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Andrew Sullivan
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion (correction) Viktor Dukhovni
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion (correction) Petr Spacek
- Re: [dane] An AD bit discussion (+concerns from g… Petr Spacek
- Re: [dane] An AD bit discussion (correction) Viktor Dukhovni
- Re: [dane] An AD bit discussion (+concerns from g… Viktor Dukhovni
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion (correction) Viktor Dukhovni
- [dane] Proposal: AD bit handling in stub-resolver… Petr Spacek
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Simo Sorce
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Simo Sorce
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] Proposal: AD bit handling in stub-reso… Viktor Dukhovni
- Re: [dane] An AD bit discussion Florian Weimer
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Petr Spacek