Re: [dns-privacy] Registry framework for draft-ietf-dprive-early-data

Ben Schwartz <bemasc@google.com> Wed, 22 July 2020 19:45 UTC

References: <d812edb8-b3b3-d1db-13e8-8da9a945516d@innovationslab.net> <20200722192652.GA486629@LK-Perkele-VII>
In-Reply-To: <20200722192652.GA486629@LK-Perkele-VII>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 22 Jul 2020 15:45:15 -0400
Message-ID: <CAHbrMsAwtDRj_4AeY8Q_Qxu9=vht6bO99oc+0eYEwbSXZHHyLQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Brian Haberman <brian@innovationslab.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/FYQGp2d9QrhsxeBqv13AvRQqy7w>

On Wed, Jul 22, 2020 at 3:37 PM Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> However, this does not make any of them safe, only that none is
> specially unsafe. With recursives, bad things happen if a network
> attacker can replay 0-RTT data after cache expiry. At worst, this can
> completely compromise the query contents.

The "near-resolver" attacker you're describing can already compromise the
query contents of any query that misses the cache, so I think this
vulnerability is unavoidable, and we should not regard it as in-scope.
ADoT upgrade would be a suitable mitigation, but restricting 0-RTT is not
sufficient.
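To make the disagreement above concrete, here is a small toy model added as an illustration; it is not code from the thread, the draft, or any real resolver. It models a recursive resolver with a TTL-bounded cache, an upstream path that is either plaintext Do53 or ADoT, and a "near-resolver" observer who sees upstream queries and can replay a client's captured 0-RTT query. All names, TTLs and timings are constructed. Running the three scenarios shows the point of both messages: replaying after cache expiry does force the name onto the upstream path again, but the genuine cache miss at t=0 already exposed it, refusing 0-RTT changes nothing about that first exposure, and only the ADoT upstream path hides the name from this observer.

```python
"""Toy model of a near-resolver attacker replaying a 0-RTT DNS query.

Added illustration, not code from the thread or any real resolver.
Query names, TTLs and timings below are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Observer:
    """Network attacker sitting between the recursive and the authoritatives."""
    seen: list = field(default_factory=list)

    def capture(self, qname: str, encrypted: bool) -> None:
        # Plaintext Do53 exposes the query name; over an ADoT upstream the
        # attacker only learns that an opaque encrypted exchange happened.
        self.seen.append("<ciphertext>" if encrypted else qname)


@dataclass
class Recursive:
    observer: Observer
    adot_upstream: bool = False      # True: upstream queries travel over ADoT
    accept_early_data: bool = True   # False: the server refuses 0-RTT queries
    ttl: int = 300                   # constructed record TTL in seconds
    cache: dict = field(default_factory=dict)  # qname -> expiry timestamp

    def resolve(self, qname: str, now: int, early_data: bool) -> str:
        """Handle one query at time `now`; returns 'rejected', 'hit' or 'miss'."""
        if early_data and not self.accept_early_data:
            return "rejected"          # client must retry after the handshake
        expiry = self.cache.get(qname)
        if expiry is not None and now < expiry:
            return "hit"               # served from cache, nothing goes upstream
        # Cache miss: the recursive asks upstream, which is exactly the path
        # the near-resolver attacker can watch (unless it is ADoT).
        self.observer.capture(qname, encrypted=self.adot_upstream)
        self.cache[qname] = now + self.ttl
        return "miss"


def client_query(rec: Recursive, qname: str, now: int) -> str:
    """Genuine client: sends the query as 0-RTT, retries in 1-RTT if rejected."""
    result = rec.resolve(qname, now, early_data=True)
    if result == "rejected":
        result = rec.resolve(qname, now, early_data=False)
    return result


def replay_scenario(adot_upstream: bool, accept_early_data: bool) -> dict:
    """Genuine query at t=0; attacker replays the captured 0-RTT record at
    t=60 (inside the TTL) and at t=400 (after the 300 s TTL has expired)."""
    obs = Observer()
    rec = Recursive(obs, adot_upstream=adot_upstream,
                    accept_early_data=accept_early_data)
    qname = "example.com."   # constructed query name
    first = client_query(rec, qname, now=0)
    replays = (rec.resolve(qname, now=60, early_data=True),
               rec.resolve(qname, now=400, early_data=True))
    return {"first": first, "replays": replays, "observed": list(obs.seen)}


if __name__ == "__main__":
    for adot, accept in [(False, True), (False, False), (True, True)]:
        print(f"ADoT upstream={adot}, accept 0-RTT={accept}:",
              replay_scenario(adot, accept))
```

The `observed` list is what matters: with a Do53 upstream it contains the query name whether or not 0-RTT is accepted, because the first genuine cache miss is enough; with an ADoT upstream it contains only ciphertext markers even when the post-expiry replay is answered.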