IETF Logo Mail Archive

Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

Sara Dickinson <sara@sinodun.com> Mon, 30 October 2017 16:22 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CF115F7B for <dns-privacy@ietfa.amsl.com>; Mon, 30 Oct 2017 09:22:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hxACCOMMdjcZ for <dns-privacy@ietfa.amsl.com>; Mon, 30 Oct 2017 09:22:49 -0700 (PDT)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA5085F7C for <dns-privacy@ietf.org>; Mon, 30 Oct 2017 09:12:01 -0700 (PDT)
Received: from [62.232.251.194] (port=5444 helo=[192.168.12.23]) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <sara@sinodun.com>) id 1e9CfQ-0000Wm-7Q; Mon, 30 Oct 2017 16:12:00 +0000
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <FDB29A92-9491-4119-A41D-1936F062AB2A@sinodun.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_5B71FBBA-D2E2-4177-BD0E-80C4ED8D6C97"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Mon, 30 Oct 2017 16:11:57 +0000
In-Reply-To: <871slkd66k.fsf@fifthhorseman.net>
Cc: dns-privacy@ietf.org
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
References: <878tfwey8w.fsf@fifthhorseman.net> <73F186C6-1F35-40B0-8C36-D4F011D11344@sinodun.com> <871slkd66k.fsf@fifthhorseman.net>
X-Mailer: Apple Mail (2.3273)
X-BlackCat-Spam-Score: 3
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/NNjUCYqw7Y3CF8SKS0bpPXDs4Ys>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Oct 2017 16:22:52 -0000

> On 30 Oct 2017, at 15:08, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> 
> On Mon 2017-10-30 13:11:41 +0000, Sara Dickinson wrote:
>> I really do think a description there of the trade-offs of DNSSEC
>> validation are warranted
> 
> I agree that a discussion of the tradeoffs involved in DNSSEC validation
> of the opportunistic meta-query is warranted.  I just come to a
> different conclusion than the requirements in draft-11.
> 
>> if it ends up just being a MAY (although I would like to see SHOULD as
>> a minimum for opportunistic).
> 
> SHOULD validate, but with what failure mode?  are we really saying that
> opportunistic SHOULD deliver a DoS instead of a loss of privacy?  I
> discuss a few optional responses for failures in opportunistic mode
> below.

Can we separate out Opportunistic Privacy from Opportunistic DNSSEC (which I don’t think is really a thing, apart from a logging mechanism)? They are orthogonal.

Because if not…. are you saying that a fully validating stub using Opportunistic privacy mode shouldn’t DNSSEC validation anything, ever? Or it can validate all answers except the one for it’s DNS resolver? :-)

> 
>>> Choice 0 is the same outcome as the non-DNSSEC-validating scenario for
>>> strict clients (no mitigation),
>> 
>> Agreed - DNSSEC validation just provides earlier detection for Strict clients
> 
> or, converts success to failure in the case of DNSSEC misconfiguration
> (because the connection would otherwise have succeeded) :(

Ok, but … If the DNSSEC is misconfigured for a privacy server then DANE authentication won’t work either…

> 
>> So one way to look at the trade-off seems to be is it worse that an
>> attacker can block your DNS service or gets an extra chance to control
>> all your DNS answers? I think you are arguing that for opportunistic
>> the latter is preferable because a principle of Opportunistic is that
>> it shouldn’t fail? If the WG decided that to be the case then it needs
>> to be clear in the document this choice comes with an additional risk
>> (and yet still not guarantee of privacy).
> 
> it is "an extra chance only" in the scenario where points outlined above
> hold.  An attacker who can also race and beat the DHCP server has the
> exact same chance already, right?

I don’t buy the ‘if DHCP is already vulnerable we shouldn’t worry about securing the meta-query’ argument. I'd like to think we are designing Opportunistic such that the meta-query is at least as secure as whatever mechanism is or might be used in future to obtain the default DNS server so that opportunistic is no weaker than ’no privacy’.

I hear the case that requiring DNSSEC validation could block deployment for the specific case of ADN only + Opportunistic. So ti sounds like it boils down to two alternatives in section 7.2:

“ Such records SHOULD be validated when using Opportunistic Privacy.”

“ Such records MAY be validated when using Opportunistic Privacy.”

I’d obviously favour SHOULD.

Sara

v2.23.0 | Report a Bug | By Email