IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Threat Model

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 06 November 2019 17:45 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA4431200B4 for <dns-privacy@ietfa.amsl.com>; Wed, 6 Nov 2019 09:45:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jjOy5dARlnlQ for <dns-privacy@ietfa.amsl.com>; Wed, 6 Nov 2019 09:45:41 -0800 (PST)
Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3832E120090 for <dns-privacy@ietf.org>; Wed, 6 Nov 2019 09:45:41 -0800 (PST)
Received: by mail-vs1-xe2a.google.com with SMTP id w25so16568065vso.4 for <dns-privacy@ietf.org>; Wed, 06 Nov 2019 09:45:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1MDlPrQJ748ZSLmb0eQeZTAHbiyuzw91CrA96vuYw9Y=; b=dgCT2dS/NrHsuE8NTqwsJQ17xv7AhvUAsDdbT3WHTrMKiR45iakfYJV8X21HM8lpI5 bY/F9B3K1I2ITltN6SJ43o3fhovxNiGECOzzTcjUrDSkbRIUev2YzTy/njDQQ0a9yKgv AUF39Ltubs/4LToz213Z6C7OkAgWwvwp73LdDr6A5d1Bb7kZnbqB0AibphkLGlOw1sUm c9+Q85w8iO0Lmx/Gjhrp3JoOfMhIn6l8cKkaxFm5sW4w0Hw+S/GuZLYCWuTjDrYt+OcK zw4Fa0IFWL03gKmGpMxIIs5pCkJoOXRr1l/XpO75Hztv4qkY0B+rpaCy9vrLtIbixNS6 Xsgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1MDlPrQJ748ZSLmb0eQeZTAHbiyuzw91CrA96vuYw9Y=; b=OLzUsZcw/UnUMBMFQTA/S2dhEGMR49Uf5xfPkSP2N+o45/adhQuowk7etXgAHYasE2 4jrYUsMqgvgO/NTW8//sqakpKapFLwi9em432PB6EI3MyEAF9FvaTq85IbcRcqnpderj gq7I+PZQtQRxrUTi8pot51BeTbQ2IifbJH/tol9K1uFaRk+bUxBM4hz9jqsLgQy3ga04 Daszl13FYGx4w0UkwwwfYrxQtP+1LPzX7z3cHX1XMKJlV4mA5OQ4WVgoIqRnKuQ/NaaI wyJHZtrukIqGdxF0AZh3tXSZwehFBxtJapX9s8Q6VkebwK9ebfTt4899AEO/PxET3ZtX JiTw==
X-Gm-Message-State: APjAAAX2qC/Xen3WwLLRQOnEC302zzFQAi9dwdqiydNmyqt+CpNGOLNh WAOVwLbrrm0aWJJkwgi8p/wzHr77Cf51jLyHOUw=
X-Google-Smtp-Source: APXvYqw4UpO8kJogxJ1mB2gNI5+aV66YXbXwAeSPpfW83gJRkVY553M9DAy1o3ALfllyA/MNewFyuIKf8OziR4oQgk0=
X-Received: by 2002:a67:f744:: with SMTP id w4mr2014247vso.219.1573062340210; Wed, 06 Nov 2019 09:45:40 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <CABcZeBMFDbATVRvJvvs5b4giQ=0B82i76ahv-ffDgWJOzqZccw@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com> <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk> <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com> <alpine.LRH.2.21.1911041652450.5093@bofh.nohats.ca> <CABcZeBOtY3saJe5DWTu=Jqy5guqdoKPKSR+XYddbvxwxKsxmig@mail.gmail.com> <CAHw9_iKaeT0VEjZfoCi9Nddc+VBBj0JHWDHv+=g3xzvb6L+Nvg@mail.gmail.com> <alpine.LRH.2.21.1911050941090.30046@bofh.nohats.ca> <CAHw9_i+MxMCd7dDO7N0-hc1SDjvBeoLoUvbg4JWDzXyjR0u4xQ@mail.gmail.com> <CAHw9_iKhaA9Nb+eH92YfzdepU90_DgLyS-ZDaMAehKOFO0ksEA@mail.gmail.com> <FC51D8EC-5ADC-4415-82EB-C6C6E4E8D84A@fl1ger.de> <F0DD4028-2404-4232-90F8-E9937877C261@nohats.ca> <b7108cff-0e50-d168-aa49-2626eb83ee22@cs.tcd.ie> <d465d9e5-5a9f-8968-8f73-1493ec5f2c36@icann.org> <CAH1iCioO6NBpYkjzCX+vBTXVTFK9zH0KZULt3tQsA3ov8UBpiA@mail.gmail.com> <CA+9kkMDArqq=hjmMz-VoEBH5cTLqTenoYnk2wVOviwngXb7z4g@mail.gmail.com>
In-Reply-To: <CA+9kkMDArqq=hjmMz-VoEBH5cTLqTenoYnk2wVOviwngXb7z4g@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 06 Nov 2019 09:45:28 -0800
Message-ID: <CAH1iCiqK9NkFhae2_Q+kQ9Dg_zNXSibHzEkhfQ166KAaV69rEg@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Paul Hoffman <paul.hoffman@icann.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ff73820596b11d92"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/6G1CWpRODakrKVOr0StTLJyZGYY>
Subject: Re: [dns-privacy] [Ext] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2019 17:45:44 -0000

On Wed, Nov 6, 2019 at 9:31 AM Ted Hardie <ted.ietf@gmail.com> wrote:

> In-line.
>
> On Wed, Nov 6, 2019 at 9:05 AM Brian Dickson <
> brian.peter.dickson@gmail.com> wrote:
>
>>
>>
>> On Wed, Nov 6, 2019 at 8:21 AM Paul Hoffman <paul.hoffman@icann.org>
>> wrote:
>>
>>> Given that we are (still supposedly) talking about requirements and not
>>> solutions, I would be unhappy with a requirement that prevents a resolver
>>> that is not validating from being able to use encrypted transport to
>>> authoritative servers. Any protocol we develop for ADoT capability
>>> discovery should prevent downgrade attacks but should also work fine for
>>> resolvers that do not validate.
>>>
>>
>> Why?
>>
>> Or rather, let me put together a straw-man to attack.
>>
>> Suppose the requirement (for the protocol for establishing the encrypted
>> transport for actual ADoT or for discovery of ADoT parameters) was that
>> *for this record* the record must be signed and must be validated, but that
>> it placed no broader requirement on validation.
>>
>
> It seems odd to have the code and operations to do this on both signing
> and validation , but then use it intermittently.  That seems both hard to
> reason about and difficult to explain.
>

I was interested in Paul's reason for "do not validate", as to whether it
was the concerns of generally validating everything, versus having the code
and operations that do the validation.
I.e., is it the concern about some zones having signing errors, independent
from the ADoT thing?

More recent operational results have show vastly improved levels of correct
operation of DNSSEC, and many fewer problems showing up, although I don't
track that myself and don't have references handy.
(I think there was a thread recently on one of the relevant lists to that
effect, though.)
I.e. I don't think aversion to validation generally is rational, but I also
don't like all-or-nothing when it comes to validation. I see this as likely
being an MTI (mandatory to implement) thing, with knobs to allow operators
to disable (against "medical" advice, as it were).



>
>
>
>> I.e. TSLA for cert validation for the TLS connections used, which would
>> require DNSSEC validation (mandatory per DANE RFCs).
>>
>> That would mean resolvers that don't validate *generally*, but do follow
>> the protocol (and validate very specific records) would would fine. Would
>> that be an unhappy-making requirement, or would you be okay with that
>> hair-splitting on validation?
>>
>
> I don’t think this would be something to recommend, personally.
>

Exactly, you have very clearly made my point for me between your two
comments. :-)


>
> Ted
>
>>
>> Given that presumably *some* changes would need to be made to resolvers
>> for ADoT, IMHO the particulars of *what* changes should all be open to
>> discussion.
>>
>> Brian
>> _______________________________________________
>> dns-privacy mailing list
>> dns-privacy@ietf.org
>> https://www.ietf.org/mailman/listinfo/dns-privacy
>>
>

v2.23.0 | Report a Bug | By Email