Re: [dns-privacy] [Ext] Threat Model
Warren Kumari <warren@kumari.net> Tue, 05 November 2019 14:51 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD71B12081D for <dns-privacy@ietfa.amsl.com>; Tue, 5 Nov 2019 06:51:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tWWiLAOTu2PK for <dns-privacy@ietfa.amsl.com>; Tue, 5 Nov 2019 06:51:31 -0800 (PST)
Received: from mail-qt1-x842.google.com (mail-qt1-x842.google.com [IPv6:2607:f8b0:4864:20::842]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DD65120824 for <dns-privacy@ietf.org>; Tue, 5 Nov 2019 06:29:54 -0800 (PST)
Received: by mail-qt1-x842.google.com with SMTP id x21so29571113qto.12 for <dns-privacy@ietf.org>; Tue, 05 Nov 2019 06:29:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wpDVFttaKil6KdXhK/YQDWw//FynF5XNUEeqBj3/ldE=; b=ZAWBGQ3C6if3osiKaEeIVwVesCR3cmPdMGHPpMJCJ3DZCF8scngFPm5tn/kyRivRQQ gY/oHZje2sc8TMOQjxN0etbe2odSwPqH9OwFqGPnj8MlCLTmfLCTV0i+tm07ZXSVIjiy t9t5AjqAP9OHKiNMwcKZJqMc9sGP2BNVoNz7zXbGONsfHGCb1QIH7vjcZLyl7/J8WREw qi9brLy4HtPg/d6CPENTsPwdberCG6RFOquw24lo82fbgP40Air8ZGPikcqxYTGFv+6q 2iY4+rkf90PxpDLMYYtTfJyeVYj18JjWirDoQADxSKwqSbvdLY+5fC+IXsnhEIHsAw9c 7OTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wpDVFttaKil6KdXhK/YQDWw//FynF5XNUEeqBj3/ldE=; b=tqpZnod1Jeer/yrdnVH6HV3N3MX7sz099JHl9TGYpmdVcEg0tDAQPki66KvII5+NmT dzb1Nqa/+o4EiNeP5yQxuj6lOa/PdA5zOiCLJY4GU8inRD8AABDmpoB5l51nsQeszfkA aVzfni4SeiNJUkbZxkk4yCAwgKqkRUWpzLX7C6xz+93Y1UaZrvYJZzTzZ6UsqnMApI4l tdtWCrGhXWf8zONXS3H5svathA+9baz1AqtRQVT6WhVeoHpmxE+OJ/2Ki6Klxpnc8kvr 1SWPQiE16Vi7ikI5ScuLSlTCRgQV+UpmmR0KmiDozgF27csqaGk9JXhTqwCYk6oTKP7T QB8w==
X-Gm-Message-State: APjAAAWea3T+6x4Skmlyt/NgEpoHwor2myzpQuQf+Myn4nVbmJjSa3CW Pd8MUmHb9cVLA4ZjiO7iVVuqhAewrI0M/E23nNJ0fA==
X-Google-Smtp-Source: APXvYqymN1C+vE2qlW3aeYZxJHG8pKkIxDmm8Ab0jr/byJAibPGl+NEtTBNuI+WO0x0j7VjKbuOwldZ2KvXetRndJFQ=
X-Received: by 2002:aed:2907:: with SMTP id s7mr17818240qtd.265.1572964191560; Tue, 05 Nov 2019 06:29:51 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <1a70035e-edef-a3f4-ea91-52409ba37828@icann.org> <CABcZeBPAtvf3RU2gKWzyTaNwd6NBGsBuxq+n6r0W6-2RCnivSA@mail.gmail.com> <17189d1a-7689-f68d-6fe3-8d704af614a3@icann.org> <CABcZeBOhSYvqPyDcm9zbMYRc03DmPcCKYTYE-uC54=Mm9HMcnQ@mail.gmail.com> <99ee8cd4-9418-2d64-57fd-487b4f2c3a1a@cs.tcd.ie> <CABcZeBOBFFi=dA_XEzhkYvRU6kzvND5CMQcMoyriYusDH0RbKQ@mail.gmail.com> <CAHw9_iLz5No-SKa74To03ida3DHfeKY58CrJFJpLph8FsvzNQQ@mail.gmail.com> <CABcZeBMFDbATVRvJvvs5b4giQ=0B82i76ahv-ffDgWJOzqZccw@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com> <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk> <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com> <alpine.LRH.2.21.1911041652450.5093@bofh.nohats.ca> <CABcZeBOtY3saJe5DWTu=Jqy5guqdoKPKSR+XYddbvxwxKsxmig@mail.gmail.com>
In-Reply-To: <CABcZeBOtY3saJe5DWTu=Jqy5guqdoKPKSR+XYddbvxwxKsxmig@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 05 Nov 2019 09:29:14 -0500
Message-ID: <CAHw9_iKaeT0VEjZfoCi9Nddc+VBBj0JHWDHv+=g3xzvb6L+Nvg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Paul Wouters <paul@nohats.ca>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/JFR-EOsY23VelaQQkMii454FPXM>
Subject: Re: [dns-privacy] [Ext] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 14:51:39 -0000
On Mon, Nov 4, 2019 at 5:13 PM Eric Rescorla <ekr@rtfm.com> wrote: > > > > On Mon, Nov 4, 2019 at 1:56 PM Paul Wouters <paul@nohats.ca> wrote: >> >> On Mon, 4 Nov 2019, Brian Dickson wrote: >> >> > The names of the servers (and certificate management) would be orthogonal to the signaling of DoT support. I would expect the TLSA records would >> > be per-server and orthogonal to the per-zone signaling of DoT support. >> >> Again, that would be russian roulette. If I get an NS RRset with 3 >> nameservers, and only one of these has a TLSA record, what should I >> do ? >> >> 1) Pick the TLSA one >> 2) Pick a random one >> >> For 1) if this protocol is widely deployed, all clients will pick 1) so you just shot your redundancy in the foot. >> >> For 2) the clients get reduced privacy for no good reason, so why would a client do this? >> >> It is really a per-zone property, not a per-nameserver property. > > > This is a good point, and seems like an argument against all of the opportunistic versions as well, even those with HSTS-style mechanisms. > > Suppose I look up a.example.com and get ns1.nameservers.example and ns2.nameservers.example, and I have talked to ns1 and know it does Dot but I don't know about ns2. What then? Or say I can't connect to ns1.... $ dig ns a.example.com ;; ANSWER SECTION: a.example.com. 42923 IN NS ns1-dot.nameservers.example. a.example.com. 42923 IN NS ns2.nameservers.example. Now, if you cannot reach ns1-dot.nameservers.example, whether you fall back to ns2.nameservers.example is a matter of client policy / paranoia. As this is an *opportunistic* / better than nothing solution I'd think that falling back makes sense. This really really isn't a replacement for a more secure, downgrade resistant solution (like Paul's), but it *is* an incrementally deployable, opportunistic convention based solution. We could do it while figuring out a better, more secure system... W > > -Ekr > >> Paul >> >> _______________________________________________ >> dns-privacy mailing list >> dns-privacy@ietf.org >> https://www.ietf.org/mailman/listinfo/dns-privacy > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [dns-privacy] Threat Model Eric Rescorla
- Re: [dns-privacy] Threat Model Christian Huitema
- Re: [dns-privacy] Threat Model Brian Dickson
- Re: [dns-privacy] Threat Model Ted Hardie
- Re: [dns-privacy] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Hoffman
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Paul Hoffman
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] what's good enough, or Threat M… John Levine
- Re: [dns-privacy] what's good enough, or Threat M… Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] what's good enough, or Threat M… John R Levine
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model David Conrad
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] Threat Model Livingood, Jason
- Re: [dns-privacy] [Ext] Threat Model Tony Finch
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model John Levine
- Re: [dns-privacy] [Ext] Threat Model John Levine
- Re: [dns-privacy] [Ext] Threat Model Tony Finch
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Dan Wing
- Re: [dns-privacy] [Ext] Threat Model Mark Andrews
- Re: [dns-privacy] [Ext] Threat Model Ralf Weber
- Re: [dns-privacy] [Ext] Threat Model Hugo Connery
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] [Ext] Threat Model Paul Hoffman
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Ted Hardie
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Bob Harold
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Ebersman
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Bob Harold
- Re: [dns-privacy] [Ext] Threat Model sthaug