Re: [dns-privacy] [Ext] Threat Model

"John Levine" <johnl@taugh.com> Tue, 05 November 2019 02:40 UTC

Date: Mon, 04 Nov 2019 18:19:06 -0500
Message-Id: <20191104231906.81392E5C71B@ary.local>
From: John Levine <johnl@taugh.com>
To: dns-privacy@ietf.org
Cc: paul@nohats.ca
In-Reply-To: <alpine.LRH.2.21.1911041611360.5093@bofh.nohats.ca>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/M-dQNxytsk-xZGPRGxomqHk9-OE>
Subject: Re: [dns-privacy] [Ext] Threat Model

In article <alpine.LRH.2.21.1911041611360.5093@bofh.nohats.ca> you write:
>> That's per-zone, though, whereas DoT support is per-server.
>
>Maybe that's ideal, but one would expect that a zone only rolls this
>out once all their nameservers support it.

Most of my zones have a secondary run by somebody else, whose software
is never in sync with mine.  It's also fairly common for large operators
to mitigate their DNS risk by spreading DNS across multiple providers.
If you have to wait until every server can do ADoT rather than until
some of them can, that will make deployment a lot slower.

> Otherwise, whether or not
>resolvers do DoT to authoritative servers would be an odd game of
>Russian roulette depending on which NS record was followed, something
>that could even be tweaked by an attacker, like by stripping glue from
>the ones that did support it.

There are plenty of signal schemes that don't fail that way.  See my
recent draft.

>> DS records that somehow encode NS target names in their rdata might
>> work...
>
>That still leaves too much control at the parent to change it against
>the child's wishes. A DNSKEY flag commits the child zone using publication
>at its parent without giving the parent a veto.

The parent zone always has a veto.  It can remove the NS or DS records if it
doesn't like what the child is doing.

R's,
John