IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Intermediate proposal (what I was saying at the mic)

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 05 August 2021 18:06 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 632703A1C0C for <dns-privacy@ietfa.amsl.com>; Thu, 5 Aug 2021 11:06:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jCibs2r5GPpb for <dns-privacy@ietfa.amsl.com>; Thu, 5 Aug 2021 11:06:26 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8718F3A1C03 for <dns-privacy@ietf.org>; Thu, 5 Aug 2021 11:06:26 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id y34so12756174lfa.8 for <dns-privacy@ietf.org>; Thu, 05 Aug 2021 11:06:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2xPCz8cbXDmgyqJiv/7z65AUodnX4E9CI75LitWckeI=; b=O4nLzOtYM0Or6CCR59hsdqjda+CnBQB+ZEz7XBd1K37UZQdGT3eQbnf15MUletzr8p kgL1lGlJx6AOaNDlsNhqqA3B28A1YoARFmrNzWygXN8935+pJK3paRH2YFgrS/rz/DwP 9YPV8bsqx4ojJcn4SyzlY0MVCllGafHyoFtKFITT3wz1kCtgV/9VTMYslHbMRvsnHbh4 V7DiFV4AnB9G1pXRxR7RXaVl43cwr2S7bvhm3lQK3HL6JmlyCNbPL38V8jetOqaVFG9T uvuujoU9+L69SwzwQeQsi00ktuTskP51d2JCovRVpsh3h7fP+IgdPqj589i6Wwa5sB17 YNsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2xPCz8cbXDmgyqJiv/7z65AUodnX4E9CI75LitWckeI=; b=mqfLte8/eHl+V2SRaG2BuCc7xlXv7gKscJdDxdUEVeaXCowGyi2aLgSUaMnFkf+vmn syt4hkMm8NXIoU6T6BDobsNwO5yPXhJqKLTht/gtg6/DfEjU2xlCnxBMns8wUVeH+UCg XaxGf/2fDDncomKbemVEOCuHlpR/RUH7Fvpl8cFWGmeHagQuQ9f06od2ajsnYuMW+wQT FT9uidd84YZnY46eH6FzrcLTeSDVF6t5J82dGfQ0yeqvNLOqaidn7eTVaZLMdgq5c+tL ksUMtV0OrJsYLG2jaNkkleYMJ7rdW6xsMXZ8zS766JqhChDridOqSR+9QV5Ljzr9zecx Ni4Q==
X-Gm-Message-State: AOAM5330aj4LpakKB8BT9kNzXjFmFrM8dLeIlkg+Ec7MsaNKuGzGzvfU W7Z/5PrR7VvbHlRu1HvcZW4yo9I5ObNrcP+Rb1F4KzH8
X-Google-Smtp-Source: ABdhPJwAzpm+8xJ+z1xxDEMPvEyGUoTVzy7Wfe2kBomcpPlW49VU4X0wEW0dWOVFnWF90a6GL2arE7aAq980Ce8+Ur0=
X-Received: by 2002:ac2:4c2b:: with SMTP id u11mr4619850lfq.316.1628186784242; Thu, 05 Aug 2021 11:06:24 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBNRZsyjd-M_hKOwxdqY=Y7oZs5-d4waqPHb9gO-GJNV+Q@mail.gmail.com> <8b2ac283-614e-40d2-b6bf-5e67d5324aaa@www.fastmail.com> <CABcZeBM+rBLgUs+xzyhTOjCFuPdjUDPDMeFL6CAXanDaicC+Pg@mail.gmail.com> <CAHbrMsA3ROoeeDXm_HpXP73uFjVrEQUycQ0OR0e6JE0hCoS1sw@mail.gmail.com> <5EEBC284-71B3-4308-B5C6-AF3847A6ED36@icann.org>
In-Reply-To: <5EEBC284-71B3-4308-B5C6-AF3847A6ED36@icann.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Thu, 05 Aug 2021 11:06:12 -0700
Message-ID: <CAH1iCio6Jvi0_iQ7CFi8cny4poeOSJc1zcCHzwOP_4HWwHJYtg@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: DNS Privacy Working Group <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e7243905c8d3c6c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/R1VczeerOvFe9JsoL_ZiLhu2YtQ>
Subject: Re: [dns-privacy] [Ext] Intermediate proposal (what I was saying at the mic)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2021 18:06:33 -0000

On Tue, Aug 3, 2021 at 1:55 PM Paul Hoffman <paul.hoffman@icann.org> wrote:

> On Aug 3, 2021, at 1:34 PM, Ben Schwartz <bemasc=
> 40google.com@dmarc.ietf.org> wrote:
> >
> > In my view,
> >
> > 1. We should provide guidance on how to do unauthenticated DoT/Q using
> default-port probing, like we used to have in
> https://datatracker.ietf.org/doc/html/draft-ietf-dprive-opportunistic-adotq-00
> .
> >
> > 2. Publishing a SVCB record should indicate support for authenticated
> encryption.  Nameservers that don't support authenticated encryption can
> offer opportunistic encryption based on default-port probing.
> >
> > 3. We should allow nameservers to indicate support for authentication
> via common PKI, DANE, or both.
> >
> > 4. SVCB and TLSA records are a firm promise, but resolver behavior is
> always up to the operator.  They can choose whether to "fail closed", skip
> authentication, fall back to UDP, etc.
>
> If the WG is going to go to DS in the parent to have a signed signaling
> response, it would make sense that the signal in the child have an
> identical format. If we go with that, I'd rather see CDS be used in the
> child instead of SVCB.
>
> I like using #4 as a way to bridge the two use cases (well, the stated
> unauthenticated use case and whatever fully-authenticated use case
> eventually gets published). That way, resolvers that have the
> unauthenticated use case have more reliable ways to get the signal, and
> also can get a signal for DoH.
>

Some (IMNSHO) important observations, and recommendation for direction on
these:

   - SVCB in the name server name's zone is where the signalling belongs
   (on what transports are supported, per NS name, as well as authenticated or
   not, etc)
   - TTL on DS is controlled by the parent zone, and may not be appropriate
   for risky changes, thus not a good place for signalling
   - DS is a good place to protect the glue (NS records themselves, plus
   glue A and AAAA records) - in fact, it is the only viable solution for that
      - DS for the NS needs to scale according the NS RDATA, not the owner
      names, so the DS per zone should not include the zone name (too
esoteric to
      discuss/debate this point, I think)
   - Signaling transport should be SHOULD, just to avoid port probing.
      - Opportunistic authentication is different from opportunistic period
      - It is better to signal transport and whether it is authenticated
      (in once place, the SVCB record)
   - The parent DS is per zone, not per name server, so that is NOT where
   transport/opportunistic signaling belongs (e.g. changing those MUST NOT be
   per zone)
   - There is a separate DS for the name server's names' zone, of course...
      - That is where the glue A/AAAA records can be added to protect the
      resolution needed for querying for SVCB records
   - I don't think there is any reason to specifically support unsigned
   name server name zones
      - You need signed data to protect the information needed to get to TLS
      - It's integrity, not privacy, that is needed at this step
      - The first query to the NS name's zone cannot be TLS yet, because
      the info for TLS isn't available yet (catch 22)
   - TLSA allows signaling of WebPKI as an optional required validation
   over the certificate in the TLSA record (types 0/1 vs 2/3 IIRC).
      - Optional validation != optional WebPKI
      - You can have a signal that says "mandatory validation using TLSA
      but not WebPKI"
      - That signal could instead be, "mandatory validation using both TLSA
      and WebPKI"
      - Both are downgrade resistant
   - SVCB would signal DNS operators intent for failure mode
      - E.g. opportunistic (fail to fallback) vs mandatory (fail hard),
      subject to resolver's own policies (which could ignore DNS operator's
      signal)
   - If you require a signed zone anyway, and are going to do TLS (that's
   what we are discussing), then *requiring* TLSA records (with or without
   WebPKI) is a very easy thing to justify
      - Reminder: just because type 2/3 records don't require WebPKI
      validation, does not mean you can't use CA issued certs for those
      - It just means the validation avoids having to do WebPKI stuff.
      - DNSSEC signatures protect the cert fingerprint (EE or parental) in
      all cases
   - TL;DR: registrant zone gets DS with protection over NS RDATA; name
   server name delegation is similarly protected; name server name resolution
   at some point depends on glue A/AAAA which also get DS protection; name
   server name has SVCB and TLSA records; SVCB signals opportunistic or not;
   TLS validation via WebPKI is signaled via TLSA; deployments and roll-back
   are handled strictly in the name server name's zone (including use of
   appropriate TTL values during deployment/rollback)

Resolvers can still work with this even if they don't do DNSSEC validation.
They do lose downgrade protection, but can still resolve fine.

Resolvers that do DNSSEC validation are protected against downgrade, IFF
the DNS operator has elected to signal hard failure. This protects against
MITM on both DNS and transport (TLS).

Brian

v2.23.0 | Report a Bug | By Email