Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
Antoine Germanos <antoine.germanos@hotmail.com> Sat, 02 December 2017 18:25 UTC
Return-Path: <antoine.germanos@hotmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04E1A12871F for <dns-privacy@ietfa.amsl.com>; Sat, 2 Dec 2017 10:25:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.924
X-Spam-Level:
X-Spam-Status: No, score=-3.924 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vQ7iv9JpfO4d for <dns-privacy@ietfa.amsl.com>; Sat, 2 Dec 2017 10:25:06 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-oln040092065042.outbound.protection.outlook.com [40.92.65.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C32D126B6E for <dns-privacy@ietf.org>; Sat, 2 Dec 2017 10:25:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=vEYtnn61J0TiFjJ94pCUnvUpU+MByDM4yJoLHj31h5c=; b=m7Qjsu4CLMN5b8YHNOm09ejH2TEdF/9F+wUawMEBacS8la5e1RdPERfahOVl8vAe9z2blWMtCWT1VKB8kdjBe4U7XrCGzv2M+Dwxiile5IGtJ9vkW+XIEHWk7T6dIXX53G1VQOZ4F5rTZlZYAgLvNSaRmpiDDwc4A/bdf2dA+7GsUZvGbgp1QEErzZEHySmtUjDGRMsSzqaXxjEhVxP+y2DY3gz9kaOToOXjlWtek+XZAIZlZaeE4W+xtyNI3uRPT5PL+bgfuV4otm61gutfFmOIdvbLtCHK0kTsTzlnqlLqZBu3dLwSMaBB9M/s1JUza3IKKPpVqNdWIAHQgadjlg==
Received: from HE1EUR01FT062.eop-EUR01.prod.protection.outlook.com (10.152.0.60) by HE1EUR01HT078.eop-EUR01.prod.protection.outlook.com (10.152.0.223) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.239.4; Sat, 2 Dec 2017 18:25:02 +0000
Received: from AM5PR0401MB2627.eurprd04.prod.outlook.com (10.152.0.56) by HE1EUR01FT062.mail.protection.outlook.com (10.152.1.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.20.239.4 via Frontend Transport; Sat, 2 Dec 2017 18:25:02 +0000
Received: from AM5PR0401MB2627.eurprd04.prod.outlook.com ([fe80::fdc6:9f14:3f14:2557]) by AM5PR0401MB2627.eurprd04.prod.outlook.com ([fe80::fdc6:9f14:3f14:2557%18]) with mapi id 15.20.0282.007; Sat, 2 Dec 2017 18:25:02 +0000
From: Antoine Germanos <antoine.germanos@hotmail.com>
To: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Thread-Topic: review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
Thread-Index: AQHTa5reJUBmsYefUk64coYcmb33rA==
Date: Sat, 02 Dec 2017 18:25:02 +0000
Message-ID: <AM5PR0401MB2627ACF48FEB762ACC7536ED993E0@AM5PR0401MB2627.eurprd04.prod.outlook.com>
References: <mailman.2032.1509369115.4117.dns-privacy@ietf.org>
In-Reply-To: <mailman.2032.1509369115.4117.dns-privacy@ietf.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:60A35A295D28941C20DB8E9D546D138F6053D7D5ED9AF29575C0703C4F00FA6E; UpperCasedChecksum:F6E8B8E3E6E49C1B0B57AF65BC6B39D92D02D7780ACF0BA7FBE459B4318CFDF9; SizeAsReceived:7215; Count:46
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [OtUUSIlsgNjzzy+cRNAZ3N+J33QTZQ5W]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; HE1EUR01HT078; 6:rETjXogJvIXA9zFueuwaMtgNB1j9VqxDzNeeuf8mcUQvUCgoKrntAsVWL3J7vQ1maotCMv3UbilPek1d6W+EXJIeRLT40H+LAgZOaF5nYF6LhCa2cQIX/Hp0zdAcuDsQqctqeAqYIGig79lHupDaIbkv9l+jWTfAYzUXH6B+Uzn1Uc03sAjCdDAEmYY1sQARtODlkgri1Tsk+7kyI2qyp8E7YFPRqOoJ8bPvp5zTsZaZvS5c82cZ8j1Iur/h/np8vf0OBI+x19Z4ePi9ea+9YuC8fXoEwX3mqCaQDoRZUpS3gzm7XXz6IZcPpzg/WOr6LlaBXMPUyqzb9OmN3RiuIUgs7Zl68Ges9NvgMFFGo0s=; 5:iX4NWXxCIk+My4cLe1UY3Ing5rICMTD1NfMKO0gUEXD6uYgZ0PuCuP2Ww3zOZpMmXds+ZpPSgqTLH/xyViBniwm1E7YFVMfLKRc5zXVGpy7C5xZYIFQLXduXzF+4f41KyNLrQDV7o0n28OTZj4sai72LPwquXPS8eECkap2EA6o=; 24:13aY10V9Py0lm+1jRFSxELeI17CfkC6koscXMyAMz7e7bNholgDqnn664B4tNScCoWmn6leVExLnVX4/DcKIXIn8RIOG8G/3rnJUNnXfH6M=; 7:spIvufFH7CRi22mdTLpriEZsUsqkLfyNJlai6iBYupJOqupFlEdmXgNfPirzmeHo7cBYRUw/th7ADZtbNd0xCcq1UzLyQEpo/uibgz1Z5+dOVwzAG4evBXdIdO/PIn0Ww94cjMRNmvu9HgX0eQK2I63EhdrpAeAeQLOOx3YVqRJcC7wuxmfMIcHgMnQZd7tBt2PWJkPpVr5tFSLzmAAyrBouMWXPvY93IFGMjQWwWQOP8G/eiPfoZwkog5/2RD1i
x-incomingheadercount: 46
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(201702181274)(2017031322404)(1603101448)(1601125374)(1701031045); SRVR:HE1EUR01HT078;
x-ms-exchange-slblob-mailprops: 7FNIAzWC7ToQqwY5raG0FbGbLiD0O7fhEuzC7RaXo7wtUNpOwumFrubv66J6eo/OERMfFOdmcKJRBhR7E7D4mRyIi028xVjyvH2rHpeaJ199FKha0JuQ6euxJyVu3HkmwpowRl8TGghWLUS5njWQhgZCNv1WICTTTOrEh7xD1jwbC2hhuNBeSGnXSyPCGJ83FCWNxANLEXpjbS+VNUx7TooKCQaHxpJQsnmTWLs8A3jwpLAFxc9vnb9FD8nZ+zbx4/x7mDCwoCznwv7wsRhi3rjUS2XNC1naA9BZPQT0IMPtRQNq6/vzWB3AfXaYHeCLSMptKL3vrQIrHQDhDxuCRT30aod/PVCC9QeGzIJecZuY2ECExWVzEdnwbs0mFZHYTQxVeBf7C0i5C1DFtgwF9wi1eGNY6afusk+ZMLNTL6ct/0S+LzQRAqkfy3A8josnNhb4tAlgB0qL3nWqdrGfIvVN26l+fK2aSZpSMNpYoOESOvIzxfXgim2XC5DHZU5oCsvV8bmgQkwcf0V3aJvWVksssy4sf74jIHAmo3U40aEq4L0kSL48SSuqiq0x6l3XHodcenquuqvVmI6c7vR6hVK5VBLOM7iA3DsT8g0wGayc2e47QyzmVko7bfOdogJ6ERO9eqeMVaEdDR3GE+5rYY2bEJQQ9xUNVXaJQaqgJj2gQfu9F323WKprQN+lzyn6jA/EyP6mNDNuT2v1IYnxVLVq3Z5+gVx/RaEx1N7wxI95i/wdG7X2B3gwHZgTAIPMVrBDU17iyKB8SCMKJWV0Z8/tWyFVPgYRycVowCeUQzR2T5KD8xx3bXPXdlyD1CoCvfjjSImhkFIQrFEUM79XO/f5Y6iWuufkwgiuUBn4BhdAmHDlm73ftwdxI0WsExjqS80HUFERoLJecACdIPPVycoM1tfmdSN8vR9kD2TSydccFDAGEG8V2inuyRUo9wiRqVI57kAXI1TqSQrrE7TXgDnIlfTmbXO5kpvcVy1Cmj1qrvZit1YEMS8UlPMPU9k3Gn1Utvcd5xbsB8EVYhKr35i8+YPaBrZj9z3BJQzkifM+p1Q/34jLpck2kt6Nqw1KgYgRd5wGkgw=
x-ms-traffictypediagnostic: HE1EUR01HT078:
x-ms-office365-filtering-correlation-id: 3094dc2c-2e35-4eec-01fc-08d539b200d3
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(444000031); SRVR:HE1EUR01HT078; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:HE1EUR01HT078;
x-forefront-prvs: 0509245D29
x-forefront-antispam-report: SFV:NSPM; SFS:(7070007)(98901004); DIR:OUT; SFP:1901; SCL:1; SRVR:HE1EUR01HT078; H:AM5PR0401MB2627.eurprd04.prod.outlook.com; FPR:; SPF:None; LANG:;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_AM5PR0401MB2627ACF48FEB762ACC7536ED993E0AM5PR0401MB2627_"
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3094dc2c-2e35-4eec-01fc-08d539b200d3
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Dec 2017 18:25:02.3271 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1EUR01HT078
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/D88v-74QyQY3Nw7-PEVUVuyWzX4>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Dec 2017 18:25:11 -0000
A N T O I N E G E R M A N O S On Oct 30, 2017, at 3:12 PM, "dns-privacy-request@ietf.org<mailto:dns-privacy-request@ietf.org>" <dns-privacy-request@ietf.org<mailto:dns-privacy-request@ietf.org>> wrote: Send dns-privacy mailing list submissions to dns-privacy@ietf.org<mailto:dns-privacy@ietf.org> To subscribe or unsubscribe via the World Wide Web, visit https://www.ietf.org/mailman/listinfo/dns-privacy or, via email, send a message with subject or body 'help' to dns-privacy-request@ietf.org<mailto:dns-privacy-request@ietf.org> You can reach the person managing the list at dns-privacy-owner@ietf.org<mailto:dns-privacy-owner@ietf.org> When replying, please edit your Subject line so it is more specific than "Re: Contents of dns-privacy digest..." Today's Topics: 1. Re: review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement (Paul Wouters) 2. Re: review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement (Paul Wouters) 3. Re: review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement (Daniel Kahn Gillmor) 4. Re: review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement (Stephen Farrell) 5. Re: review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement (Sara Dickinson) ---------------------------------------------------------------------- Message: 1 Date: Mon, 30 Oct 2017 07:17:19 -0400 (EDT) From: Paul Wouters <paul@nohats.ca<mailto:paul@nohats.ca>> To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>> Cc: Ben Schwartz <bemasc@google.co<mailto:bemasc@google.com>TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>m<mailto:bemasc@google.com>>, Daniel Kahn Gillmor <dkg@fifthhorseman.net<mailto:dkg@fifthhorseman.net>>, "dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>" <dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>> Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement Message-ID: <alpine.LRH.2.21.1710300713260.22012@bofh.nohats.ca<mailto:alpine.LRH.2.21.1710300713260.22012@bofh.nohats.ca>> Content-Type: text/plain; charset=US-ASCII; format=flowed On Mon, 30 Oct 2017, Konda, Tirumaleswar Reddy wrote: An active attacker can drop DNS messages with DNSSEC records The same attacker can block TLS to 8.8.8.8 set the CD bit in the DNS query, AD bit in the DNS response That will do nothing to validating DNS servers, as they don't use those bits for anything. clear the DNSSEC OK bit in the DNS query That will return a BOGUS answer and will be detected as DoS attack. or strip the DNSSEC data from the DNS response to disable DNSSEC (Section https://tools.ietf.org/html/rfc3225). That will return a BOGUS or INDETERMINATE answer and will be detected as DoS attack. You have not shown any actual active attack against DNSSEC. You have only shown denial of service attaks by packet mangling/dropping. All of that applies equally to TLS. Paul ------------------------------ Message: 2 Date: Mon, 30 Oct 2017 07:19:36 -0400 (EDT) From: Paul Wouters <paul@nohats.ca<mailto:paul@nohats.ca>> To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>> Cc: Ben Schwartz <bemasc@google.com<mailto:bemasc@google.com>>, "dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>" <dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>>, Daniel Kahn Gillmor <dkg@fifthhorseman.net<mailto:dkg@fifthhorseman.net>> Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement Message-ID: <alpine.LRH.2.21.1710300718030.22012@bofh.nohats.ca<mailto:alpine.LRH.2.21.1710300718030.22012@bofh.nohats.ca>> Content-Type: text/plain; charset=US-ASCII; format=flowed On Mon, 30 Oct 2017, Konda, Tirumaleswar Reddy wrote: draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement Just to be clear. DNSSEC provides authentication of data. TLS provides privacy of data. Both are needed so I am against this proposed change to remove DNSSEC validation as a requirement. DNSSEC is part of the core DNS. It's not a cherry. Paul ------------------------------ Message: 3 Date: Mon, 30 Oct 2017 13:31:04 +0100 From: Daniel Kahn Gillmor <dkg@fifthhorseman.net<mailto:dkg@fifthhorseman.net>> To: Paul Wouters <paul@nohats.ca<mailto:paul@nohats.ca>>, "Konda\, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>> Cc: Ben Schwartz <bemasc@google.com<mailto:bemasc@google.com>>, "dns-privacy\@ietf.org" <dns-privacy@ietf.org<mailto:dns-privacy@ietf.org>> Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement Message-ID: <87fua0ddh3.fsf@fifthhorseman.net<mailto:87fua0ddh3.fsf@fifthhorseman.net>> Content-Type: text/plain; charset="us-ascii" On Mon 2017-10-30 07:19:36 -0400, Paul Wouters wrote: Just to be clear. DNSSEC provides authentication of data. TLS provides privacy of data. Both are needed so I am against this proposed change to remove DNSSEC validation as a requirement. DNSSEC is part of the core DNS. It's not a cherry. I'm not claiming that no clients should implement DNSSEC validation. I would be happy if every client did so. Please don't mistake this as a generic judgement on DNSSEC. It's about one particular situation where hard-fail is a bad idea. In particular, the situation under discussion is what clients should do in the event of a DNSSEC validation failure of an opportunistic "meta-query". As a reminder, the "opportunistic meta-query" is the best-effort lookup of the IP address(es) of the preferred DNS privacy resolver, under either Strict or Opportunistic profiles. In either profile, the meta-query itself is opportunistic -- it's an attempt to find some channel to the preferred resolver. But let's look at the two profiles separately: a) under the opportunistic profile, dropping the response to an opportunistic meta-query in the event of a DNSSEC validation failure transforms a loss of privacy into a DoS. This does not meet the stated goal of the opportunistic profile, "maximum chance of DNS service". b) under the strict profile, dropping the response to an opportunistic meta-query in the event of a DNSSEC validation failure will result in the same outcome (DoS) where the response to the meta-query comes from an attacker, because the attacker couldn't have provided a valid TLS endpoint in the first place. But in the scenario where DNSSEC either isn't available, or is misconfigured, it converts a successful connection attempt into a DoS. This is a net loss for the user. Put more simply: Opportunistic meta-queries are opportunistic. Encouraging or requiring hard-fail to DNSSEC validation of an opportunistic meta-query just amounts to a reduction of service, and provides no security or privacy improvements that i can see. If the goal is to enforce corroborative authentication of the DNS privacy server (e.g. via both DNSSEC and the X.509 cartel), i welcome a writeup of a "Extra Strict" profile that adds a DNSSEC validation requirement to the Strict profile. But that's not this draft. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 832 bytes Desc: not available URL: <https://mailarchive.ietf.org/arch/browse/dns-privacy/attachments/20171030/5b0072ba/attachment.asc> ------------------------------ Message: 4 Date: Mon, 30 Oct 2017 13:09:39 +0000 From: Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>> To: Daniel Kahn Gillmor <dkg@fifthhorseman.net<mailto:dkg@fifthhorseman.net>>, dns-privacy@ietf.org<mailto:dns-privacy@ietf.org> Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement Message-ID: <7edaeaf5-c2df-910a-cc8e-0528b4ac0950@cs.tcd.ie<mailto:7edaeaf5-c2df-910a-cc8e-0528b4ac0950@cs.tcd.ie>> Content-Type: text/plain; charset="utf-8" Hiya, On 28/10/17 04:40, Daniel Kahn Gillmor wrote: Furthermore, i believe that the proposal in draft-11 of making DNSSEC validation of metaqueries a MUST for the opportunistic profile is *actively harmful* to the stated goal of the opportunistic profile (i.e., "maximum chance of DNS service"). I just re-read the draft. I agree that requiring DNSSEC validation of anything to succeed when using the opportunistic profile is a bad plan. Requiring an attempt at DNSSEC validation is fine, but given only a small percentage of the DNS is signed, and DPRIVE won't IMO drive that to a much bigger figure, (or at least not for a long time) it makes no sense to put such a barrier in the way of use of opportunistic security. Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: <https://mailarchive.ietf.org/arch/browse/dns-privacy/attachments/20171030/c43666ae/attachment.asc> ------------------------------ Message: 5 Date: Mon, 30 Oct 2017 13:11:41 +0000 From: Sara Dickinson <sara@sinodun.com<mailto:sara@sinodun.com>> To: Daniel Kahn Gillmor <dkg@fifthhorseman.net<mailto:dkg@fifthhorseman.net>> Cc: dns-privacy@ietf.org<mailto:dns-privacy@ietf.org> Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement Message-ID: <73F186C6-1F35-40B0-8C36-D4F011D11344@sinodun.com<mailto:73F186C6-1F35-40B0-8C36-D4F011D11344@sinodun.com>> Content-Type: text/plain; charset="utf-8" On 28 Oct 2017, at 04:40, Daniel Kahn Gillmor <dkg@fifthhorseman.net<mailto:dkg@fifthhorseman.net>> wrote: Hey DPRIVE folks-- Apologies for the delay, and that this message is so long. I've tried to reconstruct this discussion around draft-ietf-dprive-dtls-and-tls-profiles-11 as best i can, and my analysis follows. If i've misundertood or misanalyzed something, please let me know. Summary ------- I do not believe that DNSSEC validation is warranted as a mitigation against an active attacker in the context of an opportunistic metaquery, regardless of whether the client ultimately intends to follow either the Strict or Opportunistic profile. Furthermore, i believe that the proposal in draft-11 of making DNSSEC validation of metaqueries a MUST for the opportunistic profile is *actively harmful* to the stated goal of the opportunistic profile (i.e., "maximum chance of DNS service?). I like the reorganization and re-wording of the "Usage Profiles" section in draft-11, and think we should keep it. But i think the other changes between draft-10 and draft-11 are unwarranted and should be reverted. Hi dkg, Thanks for the feedback, I agree with the bulk of your analysis with the exception of one part (see below). Therefore I?d argue not to revert the changes to section 7.2 completely since I really do think a description there of the trade-offs of DNSSEC validation are warranted regardless of the final decision on the requirement, even if it ends up just being a MAY (although I would like to see SHOULD as a minimum for opportunistic). I can also recognise the implementation overhead, however this is required for only one of the 3 cases of how the client may be provisioned: * IP address only (no meta-query required) * IP address and ADN (no meta-query required) * ADN only (meta-query required) So it is for the case where a client was directly and securely configured with just the ADN of a server it expects to provide privacy. If a client doesn?t want to implement DNSSEC then it can always restrict the opportunistic profile to requiring one of the first 2 configurations. Analysis -------- AIUI, the scenario under discussion is: * A DNS client (following either the strict or the opportunistic profile) * using opportunistic meta-queries to find the desired DNS resolver * in the face of an active attacker We already know that an attacker capable of filtering the client's *outbound* traffic can cause a denial of service (for clients following the strict profile) or loss of privacy (for clients following the opportunistic profile, because they fall back to cleartext) simply by dropping outbound connections to *anywhere* TCP port 853. Likewise, We also know that an attacker capable of filtering the client's *inbound* traffic can cause a denial of service (strict clients) or loss of privacy (opportunistic clients) simply by dropping inbound connections from any TCP port 853. But the introduction of an opportunistically-secured meta-query introduces a DoS attack (strict clients) or loss of privacy (opportunistic clients) that can be achieved by a weaker attacker. Since we're talking about an attacker that is *not* in control of the network, the following analysis assumes that the the network provides "legitimate" DHCP service, which is supposed to point the client to a "legitimate" standard DNS resolver (which may or may not be privacy-enabled, but is sufficient for answering an opportunistic metaquery correctly). In particular, the attacker needs only one of the following two capabilities: (a) Controlling the "legitimate" DHCP server, or detecting the client's DHCP request and racing the "legitimate" DHCP server to return a DHCP response (this allows the attacker to set the resolver used by the client for its opportunistic metaquery), or (b) Controlling the "legitimate" DNS resolver, or detecting the client's opportunistic metaquery and racing the "legitimate" DNS resolver to provide a malicious DNS response. In either case, the result is that the attacker has poisoned the client's meta-cache -- its best guess at the location of the desired privacy-enabled DNS resolver. A poisoned meta-cache results in a DoS for clients in "Strict" mode because the attacker's answering DNS resolver at the learned address cannot authenticate. A poisoned meta-cache results in a loss of privacy for clients in "Opportunistic" mode because they will connect without authentication to the attacker's answering DNS resolver. Have i got that right? DNSSEC validation does not mitigate this attack. Regardless of the profile, the client has four options when it discovers that the response to the metadata query was forged (or at any rate is not validatable). It can: (0) ignore the response, resulting in a DoS regardless of profile, or (1) ignore the validation failure, and try connecting to the proposed address anyway (resulting in a DoS for strict clients because the server does not validate, or a loss of privacy for opportunistic clients), or (2) retry the metaquery (in the hopes that their attacker is in class "b" and not in full control of the "legitimate" DNS resolver) and maybe the legitimate DNS response will come in, or (3) abort the network connection and retry DHCP (in the hopes that the attacker is in class "a" and not in full control of the "legitimate" DHCP server) and maybe the legitimate DHCP response will come in. Choice 0 is the same outcome as the non-DNSSEC-validating scenario for strict clients (no mitigation), Agreed - DNSSEC validation just provides earlier detection for Strict clients and *strictly worse* for opportunistic clients, because it converts a loss of privacy to a DoS, which is in direct opposition to the stated goal of the opportunistic profile. I?d disagree that connecting to a server for which the meta-query response failed DNSSEC validation results in _just_ a loss of privacy for Opportunistic in this case. If the answer was BOGUS then it seems reasonable to assume the server is not legitimate and so connecting also results in the clients' entire DNS service being controlled by the attacker. Take the case where the DNS server from DHCP really is legitimate. The fact that the meta-query answer _could_ be spoofed provides a vector for an opportunistic client to be directed to an attackers' DNS server. Note that this attack is not possible on a ?normal? client that directly uses the DHCP provided server, the attacker has to attack each individual query. My concern here is that without DNSSEC validation of the re-direct Opportunistic clients have an additional risk of this kind of attack than ?normal? ones. Also this is only a guaranteed DoS for the case where there is only a single server configured. If there are multiple servers then the attacker must spoof the meta-query answers for _all_ the servers to achieve DoS. If it only spoofs one then the client can still get service. So one way to look at the trade-off seems to be is it worse that an attacker can block your DNS service or gets an extra chance to control all your DNS answers? I think you are arguing that for opportunistic the latter is preferable because a principle of Opportunistic is that it shouldn?t fail? If the WG decided that to be the case then it needs to be clear in the document this choice comes with an additional risk (and yet still not guarantee of privacy). Choice 1 is exactly the same outcome as the non-DNSSEC-validating scenario for all clients. (no mitigation) Choices 2 and 3 are interesting thought experiments, but are not directly contemplated in the draft (and i think they would be a distraction from the goal of the draft -- this draft is not "how to do staged opportunistic fallback in the face of an arbitrarily corrupt network"), so i won't go into them here. At best, DNSSEC validation of the metaquery could be used to provide additional reporting information to any client-internal auditing/reporting or other defensive measures; but again, this draft should not go into those in any detail. Background ---------- To be clear about where this analysis is coming from, my rule of thumb for these two profiles is: * Strict Do whatever you can to connect to the preferred privacy-enabled resolver, but don't actually send queries unless you're sure you have authenticated the server. * Opportunistic Do whatever you can to connect to the preferred privacy-enabled resolver, but go ahead and send your queries to it anyway, even if it cannot be authenticated. Note that both modes can report (e.g., to a local system auditor/monitor/policy-agent) any failures or errors they encounter. But Strict mode will fail closed (DoS), and Opportunistic mode will fail open (loss of privacy). To be clear: the client is *locally configured* to be either in Strict or Opportunistic mode. Orthogonally, it is also locally configured with some server authentication information. If its locally-configured server authentication information is of the form "ADN" only, then -- even when configured in Strict mode -- it will do an Opportunistic DNS resolution of the address of the desired resolver. This is the "opportunistic meta-query". So i guess i'm still DISCUSSing ekr's DISCUSS, which is an unfortunate state for the draft to be in. :( Technically his DISCUSS was on a different topic (SPKI handling) as Stephane pointed out, this was an issue that came out of a separate comment he made. Sara. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: Message signed with OpenPGP URL: <https://mailarchive.ietf.org/arch/browse/dns-privacy/attachments/20171030/68d89dc6/attachment.asc> ------------------------------ Subject: Digest Footer _______________________________________________ dns-privacy mailing list dns-privacy@ietf.org<mailto:dns-privacy@ietf.org> https://www.ietf.org/mailman/listinfo/dns-privacy ------------------------------ End of dns-privacy Digest, Vol 44, Issue 12 *******************************************
- [dns-privacy] review of draft-ietf-dprive-dtls-an… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Ben Schwartz
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephane Bortzmeyer
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Antoine Germanos
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Antoine Germanos