IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Threat Model

Warren Kumari <warren@kumari.net> Tue, 05 November 2019 14:51 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD71B12081D for <dns-privacy@ietfa.amsl.com>; Tue, 5 Nov 2019 06:51:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tWWiLAOTu2PK for <dns-privacy@ietfa.amsl.com>; Tue, 5 Nov 2019 06:51:31 -0800 (PST)
Received: from mail-qt1-x842.google.com (mail-qt1-x842.google.com [IPv6:2607:f8b0:4864:20::842]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DD65120824 for <dns-privacy@ietf.org>; Tue, 5 Nov 2019 06:29:54 -0800 (PST)
Received: by mail-qt1-x842.google.com with SMTP id x21so29571113qto.12 for <dns-privacy@ietf.org>; Tue, 05 Nov 2019 06:29:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wpDVFttaKil6KdXhK/YQDWw//FynF5XNUEeqBj3/ldE=; b=ZAWBGQ3C6if3osiKaEeIVwVesCR3cmPdMGHPpMJCJ3DZCF8scngFPm5tn/kyRivRQQ gY/oHZje2sc8TMOQjxN0etbe2odSwPqH9OwFqGPnj8MlCLTmfLCTV0i+tm07ZXSVIjiy t9t5AjqAP9OHKiNMwcKZJqMc9sGP2BNVoNz7zXbGONsfHGCb1QIH7vjcZLyl7/J8WREw qi9brLy4HtPg/d6CPENTsPwdberCG6RFOquw24lo82fbgP40Air8ZGPikcqxYTGFv+6q 2iY4+rkf90PxpDLMYYtTfJyeVYj18JjWirDoQADxSKwqSbvdLY+5fC+IXsnhEIHsAw9c 7OTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wpDVFttaKil6KdXhK/YQDWw//FynF5XNUEeqBj3/ldE=; b=tqpZnod1Jeer/yrdnVH6HV3N3MX7sz099JHl9TGYpmdVcEg0tDAQPki66KvII5+NmT dzb1Nqa/+o4EiNeP5yQxuj6lOa/PdA5zOiCLJY4GU8inRD8AABDmpoB5l51nsQeszfkA aVzfni4SeiNJUkbZxkk4yCAwgKqkRUWpzLX7C6xz+93Y1UaZrvYJZzTzZ6UsqnMApI4l tdtWCrGhXWf8zONXS3H5svathA+9baz1AqtRQVT6WhVeoHpmxE+OJ/2Ki6Klxpnc8kvr 1SWPQiE16Vi7ikI5ScuLSlTCRgQV+UpmmR0KmiDozgF27csqaGk9JXhTqwCYk6oTKP7T QB8w==
X-Gm-Message-State: APjAAAWea3T+6x4Skmlyt/NgEpoHwor2myzpQuQf+Myn4nVbmJjSa3CW Pd8MUmHb9cVLA4ZjiO7iVVuqhAewrI0M/E23nNJ0fA==
X-Google-Smtp-Source: APXvYqymN1C+vE2qlW3aeYZxJHG8pKkIxDmm8Ab0jr/byJAibPGl+NEtTBNuI+WO0x0j7VjKbuOwldZ2KvXetRndJFQ=
X-Received: by 2002:aed:2907:: with SMTP id s7mr17818240qtd.265.1572964191560; Tue, 05 Nov 2019 06:29:51 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <1a70035e-edef-a3f4-ea91-52409ba37828@icann.org> <CABcZeBPAtvf3RU2gKWzyTaNwd6NBGsBuxq+n6r0W6-2RCnivSA@mail.gmail.com> <17189d1a-7689-f68d-6fe3-8d704af614a3@icann.org> <CABcZeBOhSYvqPyDcm9zbMYRc03DmPcCKYTYE-uC54=Mm9HMcnQ@mail.gmail.com> <99ee8cd4-9418-2d64-57fd-487b4f2c3a1a@cs.tcd.ie> <CABcZeBOBFFi=dA_XEzhkYvRU6kzvND5CMQcMoyriYusDH0RbKQ@mail.gmail.com> <CAHw9_iLz5No-SKa74To03ida3DHfeKY58CrJFJpLph8FsvzNQQ@mail.gmail.com> <CABcZeBMFDbATVRvJvvs5b4giQ=0B82i76ahv-ffDgWJOzqZccw@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com> <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk> <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com> <alpine.LRH.2.21.1911041652450.5093@bofh.nohats.ca> <CABcZeBOtY3saJe5DWTu=Jqy5guqdoKPKSR+XYddbvxwxKsxmig@mail.gmail.com>
In-Reply-To: <CABcZeBOtY3saJe5DWTu=Jqy5guqdoKPKSR+XYddbvxwxKsxmig@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 05 Nov 2019 09:29:14 -0500
Message-ID: <CAHw9_iKaeT0VEjZfoCi9Nddc+VBBj0JHWDHv+=g3xzvb6L+Nvg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Paul Wouters <paul@nohats.ca>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/JFR-EOsY23VelaQQkMii454FPXM>
Subject: Re: [dns-privacy] [Ext] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 14:51:39 -0000

On Mon, Nov 4, 2019 at 5:13 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Mon, Nov 4, 2019 at 1:56 PM Paul Wouters <paul@nohats.ca> wrote:
>>
>> On Mon, 4 Nov 2019, Brian Dickson wrote:
>>
>> > The names of the servers (and certificate management) would be orthogonal to the signaling of DoT support. I would expect the TLSA records would
>> > be per-server and orthogonal to the per-zone signaling of DoT support.
>>
>> Again, that would be russian roulette. If I get an NS RRset with 3
>> nameservers, and only one of these has a TLSA record, what should I
>> do ?
>>
>> 1) Pick the TLSA one
>> 2) Pick a random one
>>
>> For 1) if this protocol is widely deployed, all clients will pick 1) so you just shot your redundancy in the foot.
>>
>> For 2) the clients get reduced privacy for no good reason, so why would a client do this?
>>
>> It is really a per-zone property, not a per-nameserver property.
>
>
> This is a good point, and seems like an argument against all of the opportunistic versions as well, even those with HSTS-style mechanisms.
>
> Suppose I look up a.example.com and get ns1.nameservers.example and ns2.nameservers.example, and I have talked to ns1 and know it does Dot but I don't know about ns2. What then? Or say I can't connect to ns1....


$ dig ns a.example.com
;; ANSWER SECTION:
a.example.com. 42923 IN NS ns1-dot.nameservers.example.
a.example.com. 42923 IN NS ns2.nameservers.example.

Now, if you cannot reach ns1-dot.nameservers.example, whether you fall
back to ns2.nameservers.example is a matter of client policy /
paranoia. As this is an *opportunistic* / better than nothing solution
I'd think that falling back makes sense. This really really isn't a
replacement for a more secure, downgrade resistant solution (like
Paul's), but it *is* an incrementally deployable, opportunistic
convention based solution. We could do it while figuring out a better,
more secure system...

W
>
> -Ekr
>
>> Paul
>>
>> _______________________________________________
>> dns-privacy mailing list
>> dns-privacy@ietf.org
>> https://www.ietf.org/mailman/listinfo/dns-privacy
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email