Re: [dns-privacy] DOTPIN, TLSA, and DiS
Brian Dickson <brian.peter.dickson@gmail.com> Fri, 20 November 2020 20:15 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10A3C3A10B0 for <dns-privacy@ietfa.amsl.com>; Fri, 20 Nov 2020 12:15:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JadzHhFQ8ULt for <dns-privacy@ietfa.amsl.com>; Fri, 20 Nov 2020 12:15:08 -0800 (PST)
Received: from mail-vs1-xe31.google.com (mail-vs1-xe31.google.com [IPv6:2607:f8b0:4864:20::e31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE5C63A10A4 for <dprive@ietf.org>; Fri, 20 Nov 2020 12:15:07 -0800 (PST)
Received: by mail-vs1-xe31.google.com with SMTP id l22so5689095vsa.4 for <dprive@ietf.org>; Fri, 20 Nov 2020 12:15:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8fYzMcQTNVo3K6BU9rs03nF/9kXVgqAAY5gxv7rYes8=; b=NKNOzrRmcK+t4Aqlfs7/VSRkxmSKA3B+u8n38p1+Aegfq/EyTTcvLDvnvdOw625Fmg diqKzAnMspJK+kpmjQ64IFm99lFKxqedAWRRpP6gqe6BDhE2RyZmNyrK2LftF71y7sLB 3cNusVFWHr5jlbkqdcJ6bMlgileviIVK6omGEXfv7/yXuhE6+24fxJDYb6pCyiX02O05 OU6l4iKdaniQ73TfunYex8lxZh5T0izoqEiw9ipD77Hit3K9vWfXsjcVgSr509o5bu7h yh6/VC7OZXCCdm2JwljCHlOdLYcDK0qAw2nbpFewfv6quD79Qidgrq1kyMXFhLg1CJKs crpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8fYzMcQTNVo3K6BU9rs03nF/9kXVgqAAY5gxv7rYes8=; b=E+45qNgPTDQe+kZl0mkf9kTK0ywkY156jFCFrQLr/EovrtpWTrJsnisQU3on/XppRE g9OKX9KObst66M1eHVHV1oxoR79ilR532+7g5ey+W17ncBAU9Dlz7wkLfFnXvEw1GkVO EpFp54uhkrFvNzQ5P/6wqczW0QxThU3qS9NzYGstLjOrAEPGVIPWKdzmQi6ApFVzUJMt Qm+naerVrJpn9pOlaBq7mDEeqSDtrb7yCFzAu2KRbY33HWStTwTxbuchThOhXTnbx54W aVfSYK0VVDorjuU+mvbXt8qRKshciCvKty6SqtTMbkD+syJtfV3Vd//Iyi6z73nKKKWU GAew==
X-Gm-Message-State: AOAM531tnpnFnahN+7MMgwirV8clG6f/dSHCt0Gtjn1XNwF/R85iWaMW iUzQXplDbwO/DE5mnbCpkK4mXHDppMrBTxlhtFY1hvvxs8Q=
X-Google-Smtp-Source: ABdhPJxneb73FfODgBWXvxJFXMQIl3MUs37A4mbLZBbv6jHSfJgU6t+Ip0hBhDE9/Ir11Mp0c+AAu78+GbfQiTKFswA=
X-Received: by 2002:a05:6102:22fb:: with SMTP id b27mr14764416vsh.49.1605903306843; Fri, 20 Nov 2020 12:15:06 -0800 (PST)
MIME-Version: 1.0
References: <196c57a1f39d73fdbf0e7ee0c597bec2bec94148.camel@powerdns.com> <a4e2f776-91b6-f825-03f9-8287e7b29509@nic.cz>
In-Reply-To: <a4e2f776-91b6-f825-03f9-8287e7b29509@nic.cz>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 20 Nov 2020 12:14:55 -0800
Message-ID: <CAH1iCipHHUDp3RBO4zaYCpcqyx6GQcLxTW4Fj8-psFpYmYf81g@mail.gmail.com>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Cc: Peter van Dijk <peter.van.dijk@powerdns.com>, dprive@ietf.org
Content-Type: multipart/alternative; boundary="00000000000025eb5205b48f8013"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Apw5wUSDKKSnkXb6h1XU6pLYl4E>
Subject: Re: [dns-privacy] DOTPIN, TLSA, and DiS
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2020 20:15:10 -0000
On Fri, Nov 20, 2020 at 11:47 AM Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote: > On 11/19/20 2:05 PM, Peter van Dijk wrote: > > 1. auth operators publish TLSA records for their NSes > > 2. the registry, while generating zone files, queries for those TLSA > records > > 3. from the found TLSA records, the registry generates DOTPIN DSes > > 4. the DOTPIN DSes are published alongside the domain owner's NSes, > DSes, and perhaps the DiS > > Intriguing but isn't it unnecessarily complicated? If we assume that > DiS-like is possible, I'd rather replace the DOTPIN-related parts by > some simple flag that tells if the zone's policy is to avoid cleartext. > > I.e., in comparison with today, the parent side would additionally sign: > (a) the NS set - e.g. via DiS; that's because signing certs directly has > those scalability issues > (b) and this "policy flag" in some way (say, yet another DS alg like > DiS, but there are other ways). > The reasons are that I believe we want a possibility of downgrade > resistance. > > More details: the rest of the trust chain could be TLSA or something > similar on those NSs, looked up separately by a supporting resolver, > assuming these can again be DNSSEC-validated (for now let me avoid > trying to define the case when they can't). Maybe this "policy flag" > could be more than binary, too, e.g. allowing to indicate that the NSs > may support DoT but it's OK if the supporting resolver isn't strict - > and a third case might mean that resolvers shouldn't even attempt a > secure transport (as optimization). Of course, it's still not as nice > as I'd like it (but maybe no perfect solution exists anyway), e.g.: > - the TLSA lookup would add latency (at least I expect its TTL high > enough to amortize for larger NSs), and > - there are edge cases like privacy being hard for zones containing > those TLSA records (circular dependencies; I expect we can sacrifice > privacy of those TLSAs at least), and > - it again assumes abusing DS - that's avoidable in theory but it may be > too difficult to make the parent-side sign and return the necessary > information in other ways (soon-ish). > > In retrospect I see that what I wrote is very similar to Manu's "Do9" > except for replacing WebPKI by TLSA, with all their pros and cons: > > https://datatracker.ietf.org/meeting/104/materials/slides-104-dprive-dot-for-insecure-delegations-01 > > I think we (the three of us and maybe Tony Finch, if not the whole DNS community) may be converging on a design that will, I believe, work. I just checked on something that was nagging at me: Is there a way to secure the NS set without requiring the delegated zone to be signed? I believe the answer is "yes", at least assuming implementers follow RFC 4035 correctly. In section 5.2, the Nth paragraph reads: " If the validator does not support any of the algorithms listed in an authenticated DS RRset, then the resolver has no supported authentication path leading from the parent to the child. The resolver should treat this case as it would the case of an authenticated NSEC RRset proving that no DS RRset exists, as described above." So, using a new algorithm for whatever we do, should be 100% backward compatible. The assumption is any resolver supporting the new algorithm does so correctly, and that any resolver that does not support the new algorithm does the right thing (treat like unsigned). This means the design can be as simple as "put stuff in an apex DNSKEY record with a new algorithm)", plus put the corresponding DS (hash of DNSKEY elements that DS uses) in the parent zone, is sufficient. Note that for TLDs, the mechanism for this would be EPP sending of DS (or DNSKEY), and/or using the CDS/CDNSKEY mechanisms. There is likely use cases for separate new algorithms for protected delegation items NS, A, and AAAA, all of which would be non-authoritative (and thus not signed by the parent, but if encoded this way in a DNSKEY, hashed as a DS, and signed indirectly by the parent, achieve equivalency on protection). Time to test some stuff and do some POC coding, and collaborate on a draft with some folks. Yay! Brian
- [dns-privacy] DOTPIN, TLSA, and DiS Peter van Dijk
- Re: [dns-privacy] DOTPIN, TLSA, and DiS Vladimír Čunát
- Re: [dns-privacy] DOTPIN, TLSA, and DiS Brian Dickson
- Re: [dns-privacy] DOTPIN, TLSA, and DiS Vladimír Čunát
- Re: [dns-privacy] DOTPIN, TLSA, and DiS Peter van Dijk
- Re: [dns-privacy] DOTPIN, TLSA, and DiS Peter van Dijk
- Re: [dns-privacy] DOTPIN, TLSA, and DiS Ilari Liusvaara
- Re: [dns-privacy] DNSPKI, not WebPKI Paul Hoffman