Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt
Paul Hoffman <paul.hoffman@vpnc.org> Wed, 20 August 2014 14:53 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 480CA1A040D for <dns-privacy@ietfa.amsl.com>; Wed, 20 Aug 2014 07:53:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.647
X-Spam-Level:
X-Spam-Status: No, score=-3.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4_3dlvK9DSil for <dns-privacy@ietfa.amsl.com>; Wed, 20 Aug 2014 07:53:52 -0700 (PDT)
Received: from proper.com (Hoffman.Proper.COM [207.182.41.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 362841A03FE for <dns-privacy@ietf.org>; Wed, 20 Aug 2014 07:53:52 -0700 (PDT)
Received: from [10.20.30.90] (50-0-66-181.dsl.dynamic.sonic.net [50.0.66.181]) (authenticated bits=0) by proper.com (8.14.9/8.14.7) with ESMTP id s7KErkmt006709 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 20 Aug 2014 07:53:48 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: proper.com: Host 50-0-66-181.dsl.dynamic.sonic.net [50.0.66.181] claimed to be [10.20.30.90]
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CAFggDF2tdiUzGmEi9u68mubR6F+Lp7U4dy0N6R7PQVAQ_nNw=g@mail.gmail.com>
Date: Wed, 20 Aug 2014 07:53:45 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <A22A1BAF-5B70-4574-AF92-B777FF5F89E9@vpnc.org>
References: <20140818175701.12317.96810.idtracker@ietfa.amsl.com> <FF99C324-2959-48EB-A187-18007F7AA364@vpnc.org> <CAJE_bqeoUx2gFsnVgZYfoWASkHaMgKW4tR552YRmQ4ZNzH1M=g@mail.gmail.com> <361D96E3-CD31-4E2B-88E3-46E44D6F8C3D@vpnc.org> <alpine.LFD.2.10.1408191650420.22835@bofh.nohats.ca> <EFBD7F1F-EB4B-4EC4-BE08-C7C92EC471FF@vpnc.org> <CAFggDF2tdiUzGmEi9u68mubR6F+Lp7U4dy0N6R7PQVAQ_nNw=g@mail.gmail.com>
To: Jacob Appelbaum <jacob@appelbaum.net>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/JPySH6FABzScLrf0oZrWrkI9_TU
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Aug 2014 14:53:54 -0000
On Aug 20, 2014, at 6:30 AM, Jacob Appelbaum <jacob@appelbaum.net> wrote: > On 8/19/14, Paul Hoffman <paul.hoffman@vpnc.org> wrote: >> [[ Combined PaulW's and Jacob's responses ]] >> >> On Aug 19, 2014, at 2:01 PM, Paul Wouters <paul@nohats.ca> wrote: >> >>> On Tue, 19 Aug 2014, Paul Hoffman wrote: >>> >>>>> I wonder this 'MUST' may be too strong (or I don't fully understand >>>>> the sense of this MUST). Since the upstream recursive resolver may or >>>>> may not support the TLS extension, the DNS forwarder may end up giving >>>>> up the resolution altogether. But depending on the stub clients' >>>>> policy it may be still better to provide encryption between the stub >>>>> and the forwarder. >>>> >>>> Good catch. Proposed replacement to handle the case where the recursive >>>> resolver doesn't do TLS: >>>> >>>> A stub resolver cannot tell whether it is sending queries to a >>>> recursive resolver or to a DNS forwarder. Therefore, a DNS forwarder >>>> that acts as a TLS server for DNS requests MUST also attempt to act as a >>>> TLS >>>> client for queries to its upstream recursive resolvers, but MAY >>>> use the normal DNS protocol on port 53 if an upstream recursive >>>> resolver does set up a TLS session. >>> >>> A resolver at a coffee shop is mostly concerned about protecting the DNS >>> in the public wifi, and might not worry at all about its DSL uplink, >>> especially when it has no real reason to trust its own uplink. So I >>> would just make it very generic: >>> >>> a DNS forwarder that acts as a TLS server for DNS requests SHOULD >>> attempt to use TLS with its upstream resolver(s) to maximize the >>> anonymity of its stub clients. >> >> I'm fine with that as a replacement for my suggestion above. > > I'd switch this to say 'confidentiality' rather than anonymity. > Anonymity is a much stronger claim which I adore but it seems out of > place here. Good catch, yes. >>>> Sure, let's be explicit. Proposed addition to the policy section: >>>> >>>> If a recursive resolver does not respond on port 443 or set up a TLS >>>> session, the stub resolver MAY use the normal DNS protocol on port 53. >>> >>> MAY sounds a little odd here. If there is no preconfiguration for >>> authenticating this resolver, I don't think we should advise >>> stubs to refuse to do DNS completely, which is what the MAY is >>> suggesting as a valid option. (this is breaking the "opportunistic >>> security design pattern recommendation advise" :) >>> >>> How about: >>> >>> If a recursive resolver for which an authentication method is >>> available does not respond on port 443 or fails to set up a TLS >>> session, the stub resolver SHOULD NOT use that resolver over >>> unencrypted DNS using port 53. If no authentication method is >>> available for the recusive resolver, the stub resolver SHOULD >>> fallback to using cleartext DNS on port 53. >> >> That seems mixed up. I think the policies we want to list are: >> >> a) Must have authenticated TLS, otherwise don't get any DNS responses >> >> b) Try to do authenticated TLS, but use unauthenticated TLS if possible, >> otherwise don't get any DNS responses >> >> c) Try to do authenticated TLS, but use unauthenticated TLS if possible, but >> allow cleartext on port 53 if TLS cannot be established >> >> Does this seem like the whole list? > > d) Don't do TLS at all, only try cleartext on port 53 (the sad default > state of the internet today) Hrm. That is not really a policy choice for *this draft*, but I see your point. I'll add it. > e) All the other DNS privacy stuff - eg: OpenDNS's encrypted DNS > stuff, djb's other work, etc. I can't list a policy that I can't cleanly describe. The OpenDNS folks still haven't produced a stable description of their protocol that I can find; if they have one, I'm happy to list it. DNScurve doesn't work for stub-to-recursive, I don't believe; only recursive-to-authoritative. >> On Aug 19, 2014, at 1:02 PM, Jacob Appelbaum <jacob@appelbaum.net> wrote: >> >>>>> I'm not a fan of making it possible for an attacker to downgrade with >>>>> a single (non-cryptographically protected) TCP RST packet. If I >>>>> configure a resolver and declare it to be secure (and use it as such), >>>>> why not fail closed? >>>> >>>> Because then hosts that use stub resolvers will not be able to use the >>>> DNS >>>> at all. >>> >>> That is correct and that is exactly what I expect when my network is >>> attacking me. Rather than leaking that I'm being visited an ad name >>> that implies I've visited a gay dating site, I want it to fail closed. >>> If I declare it as secure, I want it to remain secure - where the >>> security here is all about *confidentiality* and DNSSEC does the rest >>> with regard to integrity, etc. >> >> I think that would policy (a) listed above. Does that work for you? > > Yes. It is perfectly fine. If it was the default policy when > configuring a TLS aware resolver unless configured to be *less secure* > explicitly, certainly so. The document is not going to list what a default policy should be. >>>>> Why not detect that as an attack or as outright >>>>> network censorship? >>>> >>>> We could add such detection, but only if the value outweighs the >>>> complexity >>>> and possible failure modes. >>> >>> If the TLS connection fails to complete (authenicated or not), it >>> should be as simple as returning something like E_CENSORSHIP_DETECTED. >> >> It is reasonable for the policy to suggest that a later API might be able to >> detect which level of protection, if any, the user has gotten. > > I like the idea of a notice but I prefer the idea of explicitly > ensuring that one has configured a privacy DNS resolver - thus - it > seems the API needs to consider this from the start. If you want to work on an API, that's great. APIs for security have a long history of bringing down protocols in the IETF, I don't want the API to hold up the protocol. If you get started on it before this document is finished, I'm happy to point to your work-in-progress. >>> An error like "Unable to connect securely to resolver, please contact >>> your ISP" would be fine. >> >> And you might want to only use applications that use that later API. >> >>> Most OSes don't do anything remotely helpful when DNS fails. It might >>> be nice if that failure mode was privacy preserving... >> >> It might be, yes. >> >>>>> This seems to fail if there is an active attacker that blocks TLS >>>>> traffic - is there a way for the resolver to somehow learn in-band on >>>>> port 53 that this attack is happening? >>>> >>>> Probably, but you still haven't said what value there is in knowing that. >>>> A >>>> stub resolver has no log and no way of alerting anyone that it >>>> discovered >>>> something important. >>> >>> If my resolver allows upgrading to a secure method of communication, >>> I'd like to know. Furthermore, I'd like to automatically upgrade to >>> that secure communications path if it was available. An OS could probe >>> for a specific record type - similar to say, version.txt. >>> >>> e.g.: nslookup -q=txt -class=CHAOS query.privacy.bind. >>> >>> It could even learn the likely fingerprint of the server ala DANE, for >>> example. >> >> Once we have privacy for all types of stub resolvers, it could certainly be >> useful for a few people who have security-aware validating stub resolvers to >> have that information. It is an easy follow-on for those who care about it. >> > > I think a key thing is that we need a way to discover that an already > configured stub resolver supports this kind of confidentiality. When > the stub software updates, the resolver that is already configured > could be upgraded to use the privacy preserving path, for example. That would take an API. I really don't want to force that into this document, but as I said above, if you or someone wants to tackle the API question, I'm happy to point to it. --Paul Hoffman
- [dns-privacy] New draft on encrypting the stub-to… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Paul Wouters
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Joe Abley
- Re: [dns-privacy] New draft on encrypting the stu… Paul Wouters
- Re: [dns-privacy] New draft on encrypting the stu… Hosnieh Rafiee
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Carsten Strotmann
- Re: [dns-privacy] New draft on encrypting the stu… 神明達哉
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Paul Wouters
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Paul Wouters
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Carsten Strotmann
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Stephane Bortzmeyer
- Re: [dns-privacy] New draft on encrypting the stu… 神明達哉
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Hosnieh Rafiee
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Jacob Appelbaum
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Paul Wouters
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- [dns-privacy] draft-hoffman-dns-tls-stub-01 posted Paul Hoffman
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… David Ulevitch
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Wes Hardaker
- [dns-privacy] Authenticating the resolver Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Mark Andrews
- Re: [dns-privacy] New draft on encrypting the stu… Wes Hardaker
- Re: [dns-privacy] Authenticating the resolver Wes Hardaker
- Re: [dns-privacy] Authenticating the resolver Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… John Heidemann
- Re: [dns-privacy] New draft on encrypting the stu… Phillip Hallam-Baker