IETF Logo Mail Archive

Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

"Paul Hoffman" <paul.hoffman@vpnc.org> Mon, 30 October 2017 14:46 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C6E413FA1A for <dns-privacy@ietfa.amsl.com>; Mon, 30 Oct 2017 07:46:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N39sVVbYRdyZ for <dns-privacy@ietfa.amsl.com>; Mon, 30 Oct 2017 07:46:48 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E95A913FA15 for <dns-privacy@ietf.org>; Mon, 30 Oct 2017 07:46:46 -0700 (PDT)
Received: from [169.254.173.149] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id v9UEjMf2062940 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 30 Oct 2017 07:45:23 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [169.254.173.149]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Sara Dickinson <sara@sinodun.com>
Cc: dns-privacy@ietf.org
Date: Mon, 30 Oct 2017 07:46:43 -0700
Message-ID: <9D3816E2-AE0D-4803-BBE8-FA98A196D376@vpnc.org>
In-Reply-To: <73F186C6-1F35-40B0-8C36-D4F011D11344@sinodun.com>
References: <878tfwey8w.fsf@fifthhorseman.net> <73F186C6-1F35-40B0-8C36-D4F011D11344@sinodun.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.7r5425)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/IldUQ9GKwIh4eMMYcazm5UX4dY4>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Oct 2017 14:46:49 -0000

On 30 Oct 2017, at 6:11, Sara Dickinson wrote:

> I’d disagree that connecting to a server for which the meta-query 
> response failed DNSSEC validation results in _just_ a loss of privacy 
> for Opportunistic in this case. If the answer was BOGUS then it seems 
> reasonable to assume the server is not legitimate and so connecting 
> also results in the clients' entire DNS service being controlled by 
> the attacker.

There are many ways to get a BOGUS response that have nothing to do with 
the information being "not legitimate". Typically today, BOGUS comes 
from misconfigured servers such as expired keys, some nameservers out of 
sync, and so on.

You cannot infer from a BOGUS response about why it is bogus.

> Take the case where the DNS server from DHCP really is legitimate. The 
> fact that the meta-query answer _could_ be spoofed provides a vector 
> for an opportunistic client to be directed to an attackers' DNS 
> server. Note that this attack is not possible on a ’normal’ client 
> that directly uses the DHCP provided server, the attacker has to 
> attack each individual query. My concern here is that without DNSSEC 
> validation of the re-direct Opportunistic clients have an additional 
> risk of this kind of attack than ’normal’ ones.

Spoofing in normal DHCP and spoofing without DNSSEC seem equivalent to 
me.

> Also this is only a guaranteed DoS for the case where there is only a 
> single server configured. If there are multiple servers then the 
> attacker must spoof the meta-query answers for _all_ the servers to 
> achieve DoS. If it only spoofs one then the client can still get 
> service.

...unless the attacker can spoof the (typically) two servers that the 
client has addresses to.

> So one way to look at the trade-off seems to be is it worse that an 
> attacker can block your DNS service or gets an extra chance to control 
> all your DNS answers? I think you are arguing that for opportunistic 
> the latter is preferable because a principle of Opportunistic is that 
> it shouldn’t fail? If the WG decided that to be the case then it 
> needs to be clear in the document this choice comes with an additional 
> risk (and yet still not guarantee of privacy).

It is only an "additional risk" for a very limited attacker who can only 
attack one of a set of addresses.

If the WG wants to go down the path of making Opportunistic encryption 
even more difficult in order to feel that we offered the best security, 
requiring DNSSEC on the client is a good way to do that. I would still 
prefer more ubiquitous encryption.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email