Re: [dns-privacy] [Ext] Threat Model

Paul Ebersman <list-dns-privacy@dragon.net> Sat, 09 November 2019 01:51 UTC

From: Paul Ebersman <list-dns-privacy@dragon.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Comments: In-reply-to Stephen Farrell <stephen.farrell@cs.tcd.ie> message dated "Sat, 09 Nov 2019 00:17:32 +0000."
Date: Fri, 08 Nov 2019 20:51:33 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/5bWt5l3f8cu_ZGQ5ps0swDCfvIE>

stephen> It seems odd that you're telling someone what they ought not be
stephen> worried about. Wouldn't it be better to be convincing that
stephen> there's nothing to worry about?  (E.g. via stats.)

It's a few years out of date but this has actually improved. I was on
the DNS team at Comcast. I've confirmed that this is still more or less
what they see.

For 500-600 billion queries per day, 1-2 dozen DNSSEC related failures
per month (modulo a few folks in .mil or .gov that have NTAs for long
standing failures). That's with validation on all queries.

That's in the below-noise range. I wish I had packet drop rates in that
range. ;)