IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Threat Model

David Conrad <drc@virtualized.org> Sun, 03 November 2019 15:38 UTC

Return-Path: <drc@virtualized.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EBBA1200CC for <dns-privacy@ietfa.amsl.com>; Sun, 3 Nov 2019 07:38:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aMYl728_xqKM for <dns-privacy@ietfa.amsl.com>; Sun, 3 Nov 2019 07:37:59 -0800 (PST)
Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com [IPv6:2607:f8b0:4864:20::833]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85D591200EF for <dns-privacy@ietf.org>; Sun, 3 Nov 2019 07:37:59 -0800 (PST)
Received: by mail-qt1-x833.google.com with SMTP id u22so20057633qtq.13 for <dns-privacy@ietf.org>; Sun, 03 Nov 2019 07:37:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=virtualized-org.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=16cSvTjEGOPMMgBpQpeDcqEzTOEXrmN8egyg8yD0rIc=; b=uB2KBAqB1yqa3GxINLmdzF/aQEWD/dp2NkV3lOwYoI36gHwUyOMCou05hm/gpOFxU3 znwUk37jqxAUOEIPTFg4sChj+OvhweUDImlbR5FGsodLy2BrZ/gMB0jU7esDfvKr2xmO MXU09GEoRCLtgQ0QXKGyvlq95arefidM7SEO5qzzaTyfhN6WXepsQDZoZpXBSCBOl71C t4Jcqw/oUC76CRG5O3jfpDaBVp+uOtFp4nkSV4ZtGo1hEeVpReMqqsUE98ZsxyfqF4S5 1Udm5faE1ttGODZHoKK+bG6Np8QZn5eTC0ZQUIshU8W9mNA4SZRfqIpth1/fVRwCA/Z1 rP4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=16cSvTjEGOPMMgBpQpeDcqEzTOEXrmN8egyg8yD0rIc=; b=gxpWlPSJFUc5ne7pbftKo9LjUGXeB3PwgPxhN/axdJqcCbvk30XCFZeI1CstJb5qms nYh/i2i+3blMINJdLXHK9luhDVbyvGQa44ptc3/gJKewXstYBZkCcFxAoAfDDdmK71r1 i2XN9OuzP56vCfjFJLPtxEd/m/cnvJAjUT3m+gyHG0Utb0VW/BYVvUWr6aVblz0okKbX Qrz6GSkxkffoU2cCRL5FzG5ehWvEn2TH8kFX2ZipqwGX4LvRw20jNa4VXb9CCa5NPQe/ EXosDBFQLCbyCmMV59zLiouLRQuRRNChodlkhw+nzCba39/QZYNbTZzSp8JJzxK/oXuE MM0w==
X-Gm-Message-State: APjAAAWeQxMA8Mu+UGjHXsYf1bUOV8lMEGnSRVE2nsQgwvcMtuKeZ77G JPqBBkvYE6YgRiEteydOAZcSI6kKrE8=
X-Google-Smtp-Source: APXvYqxvLpZQf/sG9hIdgEcfYvIJLSRLTDj/ACnkLxv+QMPj+vOn0lj9OHFGqKWHsej8Tt7FiEi29Q==
X-Received: by 2002:a0c:fecc:: with SMTP id z12mr5162203qvs.189.1572795478484; Sun, 03 Nov 2019 07:37:58 -0800 (PST)
Received: from ?IPv6:2620:f:8000:210:741c:84d5:3f12:8a44? ([2620:f:8000:210:741c:84d5:3f12:8a44]) by smtp.gmail.com with ESMTPSA id l20sm3409076qtq.78.2019.11.03.07.37.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 03 Nov 2019 07:37:57 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_585CDDD1-82B4-4020-ACC4-F3E88771F716"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: David Conrad <drc@virtualized.org>
In-Reply-To: <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com>
Date: Sun, 03 Nov 2019 10:37:56 -0500
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
X-Mailbutler-Message-Id: D1605014-A682-4993-8FD0-5CCE48030675
Message-Id: <FD3D9307-C298-4AB6-B205-F5079F006B30@virtualized.org>
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <1a70035e-edef-a3f4-ea91-52409ba37828@icann.org> <CABcZeBPAtvf3RU2gKWzyTaNwd6NBGsBuxq+n6r0W6-2RCnivSA@mail.gmail.com> <17189d1a-7689-f68d-6fe3-8d704af614a3@icann.org> <CABcZeBOhSYvqPyDcm9zbMYRc03DmPcCKYTYE-uC54=Mm9HMcnQ@mail.gmail.com> <99ee8cd4-9418-2d64-57fd-487b4f2c3a1a@cs.tcd.ie> <CABcZeBOBFFi=dA_XEzhkYvRU6kzvND5CMQcMoyriYusDH0RbKQ@mail.gmail.com> <CAHw9_iLz5No-SKa74To03ida3DHfeKY58CrJFJpLph8FsvzNQQ@mail.gmail.com> <CABcZeBMFDbATVRvJvvs5b4giQ=0B82i76ahv-ffDgWJOzqZccw@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/EndkdDpZM_px_OSVLOnoFigz9Gw>
Subject: Re: [dns-privacy] [Ext] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Nov 2019 15:38:02 -0000

Warren,

On Nov 3, 2019, at 7:27 AM, Warren Kumari <warren@kumari.net> wrote:
> Can you expand on this? Is the convention that if I see x-dot.example.com <http://x-dot.example.com/>, then I should expect DoT?
> 
> Yup, that’s it exactly.
> 
> As a DNS person, encoding semantics into the name makes me twitch, and I’m concerned we eventually end up with:
> x-dot-doh-ipv4-and-IPv6-I-also-support-tcp-far-our-in-the-uncharted-backwaters-of-the-western-spiral-arm.example.com <http://x-dot-doh-ipv4-and-ipv6-i-also-support-tcp-far-our-in-the-uncharted-backwaters-of-the-western-spiral-arm.example.com/>, but as a pragmatic and deployment it seem to work.
> 
> A suitably positioned *active* attacker could probably still cause a downgrade (because glue isn’t signed), but it requires much more work on the attackers part than:
> deny I do any any 853
> permit ip any any
> 
> This also gives us the opportunity for a bikeshed discussion re: what label to use :-)

Oh! Bikeshedding! Yay! You could do x-<ldh-encoded bit string of binary options indicating support for various transport technologies>.example.com!

What’s the emoji for tongue-in-cheek again?

Regards,
-drc

v2.23.0 | Report a Bug | By Email