Re: [dns-privacy] [Ext] Threat Model
Brian Dickson <brian.peter.dickson@gmail.com> Mon, 04 November 2019 22:20 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E99C120B6C for <dns-privacy@ietfa.amsl.com>; Mon, 4 Nov 2019 14:20:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oDMlpUYDKXPM for <dns-privacy@ietfa.amsl.com>; Mon, 4 Nov 2019 14:20:53 -0800 (PST)
Received: from mail-vs1-xe31.google.com (mail-vs1-xe31.google.com [IPv6:2607:f8b0:4864:20::e31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 317C0120B44 for <dns-privacy@ietf.org>; Mon, 4 Nov 2019 14:20:53 -0800 (PST)
Received: by mail-vs1-xe31.google.com with SMTP id 190so7548402vss.8 for <dns-privacy@ietf.org>; Mon, 04 Nov 2019 14:20:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WsdiS33dRP8/sj0uSRb0ZRSONLrilHekiPyvZOlDEAE=; b=KcZjf7Rmmnu9+FtdZER3GM16gBSu8SZCGNsc5Uo7gZlD1hYsRTyRLs8I++h6JQupZB oOw9mC0zG/YoZjzOMjDC0ASV8MXGu/hOxmXzyXTHB1JY/Leqzm7iTCWwNBUN+D2Ql9Qj nZA6srAZ31PAd4SG8Yip1J+CnRNgLHb1G7Y3CVeiA05y+mvAPFIG+1lw2QTQ5cqQmzNv F0wr3StvoXfRNGSnskhlDb0w7vBw1BvgNYcy48688t3lfNtYIF0VHJ+5MYvmBooy0ou5 AFD4x2u8GG6UiziU8sUsbpYgFSd5x7pDdXmx2woM9cYgngladhoxmK91SPtb8QgMs+Wc bGCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WsdiS33dRP8/sj0uSRb0ZRSONLrilHekiPyvZOlDEAE=; b=GgsaRAComkR+eSgqlfUA3NES6vy6ZhavDHn2CRDx19sTveBEnbnMVlXW/X+5L33Rv+ OEE3ml1whS/Aaf/ljX3Za4sbAke+l7I6FVQbtUBoKBwiGoZySLvlGvnWHwsaQlatZsDv MuksINXflAO3ro3kFQihm6SJBmARxTAZ/+BiGjICbz0Ux1ltxZf0fOVh8ApFTDXMeJwp DRZHIvh1gJJE9Q5BnFjirQz1nHIkc9IduHBhdrt974bwOCNdoR+n1BiebqvxnajGkqSS aXoZP5bFQSTWzG2p1OS34ygr1FIAtZaRWSI/7uxdrtoT/r3qZzt4evhS9uKYzrdY70yA 10Fw==
X-Gm-Message-State: APjAAAW5t6aahSYybaTNiHCIWWrdgr3lydo1TEdD3Jkmvp6r22CX/SwD vAcSX5CK76JUnjjShMVJp0KKOkhsIoBBmWW4Bsk=
X-Google-Smtp-Source: APXvYqwIYdOp5RRcfVBlX6ulu5cr4UnTmmJ6yCMPUyEFXy5zTGp+40X1cxGziniTVA55hLzh+/0C/3J88HtMFRLtZNI=
X-Received: by 2002:a67:efd5:: with SMTP id s21mr5970601vsp.136.1572906052169; Mon, 04 Nov 2019 14:20:52 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <1a70035e-edef-a3f4-ea91-52409ba37828@icann.org> <CABcZeBPAtvf3RU2gKWzyTaNwd6NBGsBuxq+n6r0W6-2RCnivSA@mail.gmail.com> <17189d1a-7689-f68d-6fe3-8d704af614a3@icann.org> <CABcZeBOhSYvqPyDcm9zbMYRc03DmPcCKYTYE-uC54=Mm9HMcnQ@mail.gmail.com> <99ee8cd4-9418-2d64-57fd-487b4f2c3a1a@cs.tcd.ie> <CABcZeBOBFFi=dA_XEzhkYvRU6kzvND5CMQcMoyriYusDH0RbKQ@mail.gmail.com> <CAHw9_iLz5No-SKa74To03ida3DHfeKY58CrJFJpLph8FsvzNQQ@mail.gmail.com> <CABcZeBMFDbATVRvJvvs5b4giQ=0B82i76ahv-ffDgWJOzqZccw@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com> <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk> <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com> <alpine.LRH.2.21.1911041652450.5093@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1911041652450.5093@bofh.nohats.ca>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 04 Nov 2019 14:20:40 -0800
Message-ID: <CAH1iCiq3VjuFYaXho6+3Miu=5BAfze+Vk8qwGx+W_Hw5AiD8tg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008134dc05968cba00"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/JSxZf6MzGCFRziEVPxrNepLwkas>
Subject: Re: [dns-privacy] [Ext] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2019 22:21:02 -0000
On Mon, Nov 4, 2019 at 1:56 PM Paul Wouters <paul@nohats.ca> wrote: > On Mon, 4 Nov 2019, Brian Dickson wrote: > > > The names of the servers (and certificate management) would be > orthogonal to the signaling of DoT support. I would expect the TLSA records > would > > be per-server and orthogonal to the per-zone signaling of DoT support. > > Again, that would be russian roulette. If I get an NS RRset with 3 > nameservers, and only one of these has a TLSA record, what should I > do ? > IMNSHO, that is something the domain owner needs to consider, much more so than the resolver operator. Specifically, this is something that should probably go into a BCP about DoT: If you plan on doing DoT and using TLSA records, it is RECOMMENDED that the same level of redundancy for DoT servers is deployed as would be the general case for DNS (i.e. two minimum). (Along with an explanation of why not having TLSA records for at least two distinct server names would create an availability/security weakness.) Other than the question of just one TLSA, I think the recommendation on what to do if only a subset of NS RRSET members have TLSA records, is to try to use all the ones that have TLSA records, repeatedly, before doing anything else. The "anything else" could be any of several things, from some variation of "serve stale" to SERVFAIL to using Do53. Brian > > 1) Pick the TLSA one > 2) Pick a random one > > For 1) if this protocol is widely deployed, all clients will pick 1) so > you just shot your redundancy in the foot. > > For 2) the clients get reduced privacy for no good reason, so why would a > client do this? > > It is really a per-zone property, not a per-nameserver property. > > Paul >
- [dns-privacy] Threat Model Eric Rescorla
- Re: [dns-privacy] Threat Model Christian Huitema
- Re: [dns-privacy] Threat Model Brian Dickson
- Re: [dns-privacy] Threat Model Ted Hardie
- Re: [dns-privacy] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Hoffman
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Paul Hoffman
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] what's good enough, or Threat M… John Levine
- Re: [dns-privacy] what's good enough, or Threat M… Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] what's good enough, or Threat M… John R Levine
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model David Conrad
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] Threat Model Livingood, Jason
- Re: [dns-privacy] [Ext] Threat Model Tony Finch
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model John Levine
- Re: [dns-privacy] [Ext] Threat Model John Levine
- Re: [dns-privacy] [Ext] Threat Model Tony Finch
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Dan Wing
- Re: [dns-privacy] [Ext] Threat Model Mark Andrews
- Re: [dns-privacy] [Ext] Threat Model Ralf Weber
- Re: [dns-privacy] [Ext] Threat Model Hugo Connery
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] [Ext] Threat Model Paul Hoffman
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Ted Hardie
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Bob Harold
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Ebersman
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Bob Harold
- Re: [dns-privacy] [Ext] Threat Model sthaug