IETF Logo Mail Archive

Re: [dane] Behavior in the face of no answer?

Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 04 May 2012 02:36 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47E5821F8595 for <dane@ietfa.amsl.com>; Thu, 3 May 2012 19:36:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.633
X-Spam-Level:
X-Spam-Status: No, score=-2.633 tagged_above=-999 required=5 tests=[AWL=-0.034, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zOjXglY16zBP for <dane@ietfa.amsl.com>; Thu, 3 May 2012 19:36:14 -0700 (PDT)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by ietfa.amsl.com (Postfix) with ESMTP id 6E5BC21F8594 for <dane@ietf.org>; Thu, 3 May 2012 19:36:14 -0700 (PDT)
Received: from mail.yitter.info (69-196-144-227.dsl.teksavvy.com [69.196.144.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 5A42E1ECB41C for <dane@ietf.org>; Fri, 4 May 2012 02:36:13 +0000 (UTC)
Date: Thu, 3 May 2012 22:36:02 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dane@ietf.org
Message-ID: <20120504023602.GA4683@mail.yitter.info>
References: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com> <0526D60A-3F1B-4C55-9796-256BC2556AAB@vpnc.org> <20120503223745.GC1804@mail.yitter.info> <CABcZeBMFV8oiZJfAY1fZ_0bBQWa=q6aBL65AS+W5gBuKmPnwOg@mail.gmail.com> <20120504021044.GB4560@mail.yitter.info> <B25C977F-6B4E-458C-879D-A36EDB94DA75@icsi.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <B25C977F-6B4E-458C-879D-A36EDB94DA75@icsi.berkeley.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 02:36:15 -0000

On Thu, May 03, 2012 at 07:14:33PM -0700, Nicholas Weaver wrote:
> 
> An IN-path adversary doesn't need to manipulate the A or AAAA records to get you to connect to their server.
> 

Ah, ok, so we're talking about someone who can both intercept and
redirect your connection to a target address and block DNS responses
from getting to you but who cannot re-engineer DNS responses for you
(obviously, because it'd fail at the root trust anchor).  Ok, now I
get it.

> Since the adversaries of concern are likely to be in-path, not just
> on-path, this is a serious concern and DANE when it can't get the
> record it MUST hard fail lest it be useless in the face on an
> in-path attacker, which is critical since the goal of all this
> cryptomagic is to deal with in-path attackers.

Surely this is a matter of local policy?  That is, it's probably a
pretty good idea if it fails, and if you know what you are doing you
probably want to say "fail if I can't get a TLSA response at all"; but
during deployment and roll-out (as someone already argued up-thread)
this is simply an unrealistic requirement: people are going to be
behind broken devices for some years now, and a protocol-required hard
fail requirement will either be ignored or else will delay deployment
until we complete upgrading the Internet.  I suggest while we are
waiting for that, we might want to work on DNS2 and TLS2.  If that's
not enough, I'm sure we can find some more windmills.  Alternatively,
we could just let people fall back to the infrastructure we have.

Note that there remain _plenty_ of DNS servers deployed in the wild
which, if you ask them for an RRTYPE they don't know about, spit up
with NOTIMP, SERVFAIL, and all manner of other crappy nonsense.  (We
were just having a bunfight about that over in SPFBIS a month or two
ago.)  Turning off TLS for anyone whose client knows about TLSA, but
who is trying to go to a service offered by someone employing a broken
DNS server like this, is not reasonable.

Speaking as an operator, I can tell you that if the protocol says
"hard fail if I don't get a TLSA answer", I will tell all my customers
not to use TLSA; the alternative is to make my customers mad at me the
day someone's connection from some crappy hotel network fails.  I'd
hate to be put in that position.

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com

v2.8.7 | Report a Bug | By Email