IETF Logo Mail Archive

Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 07 February 2020 11:34 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05F6B120100; Fri, 7 Feb 2020 03:34:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oOuZ4u_AcSun; Fri, 7 Feb 2020 03:33:58 -0800 (PST)
Received: from mail-pg1-x536.google.com (mail-pg1-x536.google.com [IPv6:2607:f8b0:4864:20::536]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D8D312001A; Fri, 7 Feb 2020 03:33:57 -0800 (PST)
Received: by mail-pg1-x536.google.com with SMTP id 6so1006269pgk.0; Fri, 07 Feb 2020 03:33:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=Jr0Df65gytjYENSvh3z+2oFq2hwg/Tm6nPbLJQkJLwk=; b=LSdTnR+wmXkXygBGnrglpUzl3sdTI+EzTK/RWy3DerLbuGD4/xilCbFwJ01DN/VA4V n5VqILdd1Rfw8jEgp/gZ3aQyt83m3j4BkJ94l5CgbbI8Pu0ikq0l3grfC5e0d5DsFRyA oMVH1QvIcVGu+TcSJa01XkcXQ0YHLn0QD3ewrWlbsUeF9PKvE2mlbg/wNFHnAZUoFwOH UvbWfRBa9lvtLVUkLV3yo4yr9ETTGLE4csVIauLFufVVmKbweAXAeQlfw4t3WOQwPvdf EN6f5cep1X8gvSY+DCFNDxcEhSRbJfUGm14iQFvdQEaGEo/PSY8jF+xmNPciK35Z78st 4ytQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=Jr0Df65gytjYENSvh3z+2oFq2hwg/Tm6nPbLJQkJLwk=; b=PCPRBtvb3vTeV8miZssGNH2uazxJI4T8dLLy9AAtn8iAvq69bKJPVKUWosUOuqwva0 QvK304m4qpvI8QRBuG+gfXLOuUxA5BcbpUfRbCnDNzK0BCcat4nO27GAbx6gJW5hN/SL i9VA9rmDdv8+uAszIMDXaHTyRofPSBEmK477FSdSfIoYTUOoLpOw21WINyH+yaHNGj/s 2nQAEPvvIA1NAAYnEJGD+egDn4en4Jgr+Xi6J2G6Oec1OXUNXcgI0zXNOE2Ecd/M+MzW nPK9sYr57igA/VbyrDHQjmAonf6ZFGPTkRBuOV/6LEqR9uaX3tEXJvL6wP70akkZvYQ5 lcJw==
X-Gm-Message-State: APjAAAVSpY77nv95uoAeJ+6W5A8SF139kgeRwNto5wRc+yispXMfa0qu gcDtXuWGWu9pdu7XH6MpFYhMPjZ5CZM=
X-Google-Smtp-Source: APXvYqwNke0+hlPdsXiZMNagCvCtO41cklyrIPR3MJBRJ5keEuWRg1TBFyWGs426GED/CqNjfB6uYw==
X-Received: by 2002:a63:66c6:: with SMTP id a189mr8381864pgc.401.1581075237253; Fri, 07 Feb 2020 03:33:57 -0800 (PST)
Received: from ?IPv6:2601:646:8800:1f50:1566:2d0d:eeed:b5ef? ([2601:646:8800:1f50:1566:2d0d:eeed:b5ef]) by smtp.gmail.com with ESMTPSA id q25sm2867884pfg.41.2020.02.07.03.33.56 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 07 Feb 2020 03:33:56 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail-C8AFEA74-3E10-4F66-A9AA-ECF0C35C0649"
Content-Transfer-Encoding: 7bit
From: Brian Dickson <brian.peter.dickson@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Fri, 07 Feb 2020 03:33:54 -0800
Message-Id: <FB13F0AC-5A31-4DB4-9CAA-54DCD78CA871@gmail.com>
References: <CABcZeBNf5OvHJBoDA8b9gaEpWW0=weWq0S3TTYV+60pEGjfnkw@mail.gmail.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Tim Wicinski <tjw.ietf@gmail.com>, Adam Roach <adam@nostrum.com>, The IESG <iesg@ietf.org>, dprive-chairs@ietf.org, draft-ietf-dprive-bcp-op@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>
In-Reply-To: <CABcZeBNf5OvHJBoDA8b9gaEpWW0=weWq0S3TTYV+60pEGjfnkw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: iPhone Mail (17C54)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/RLwOuTQUrFvV5M1Yhf1r4XzeYm4>
Subject: Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2020 11:34:01 -0000

Top reply to keep it brief:
WebPKI requires online keys. It is a core part of TLS; encrypting something  with the private key is the critical security function of the handshake.
DNSSEC does not require online keys. This is due to the communication model of DNS: publication. Once published, DNSSEC doesn’t care how you obtain the records. The validation depends only on public keys.
(There are instances where on-the-fly DNSSEC signing is done, of course; the general practice for how that is done is with HSM.)

Zone signing is generally done offline, and in many cases is done with an HSM. Keys that aren’t online are by their nature protected from compromise.

Some TLS keys may be protected with similar mechanisms, but it is nowhere near the percentage of DNSSEC.

DNSSEC validation is complete protection against an attacker who is not on-path.

Brian

Sent from my iPhone

> On Feb 7, 2020, at 2:17 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
> 
>> On Fri, Feb 7, 2020 at 12:19 AM Brian Dickson <brian.peter.dickson@gmail.com> wrote:
>> 
>> 
>>> On Thu, Feb 6, 2020 at 9:39 PM Eric Rescorla <ekr@rtfm.com> wrote:
>>> 
>>> 
>>>> On Thu, Feb 6, 2020 at 5:14 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>>>> 
>>>> but given that the recursive has no way of knowing what the
>>>> DNS client is planning to do (and that some ~20% of web traffic does not
>>>> use TLS), it's hard for me to argue that this document is making the wrong
>>>> recommendation about DNSSEC validation.
>>> 
>>> The question at hand is not about whether it ought to recommend DNSSEC validation but rather whether the text around that, which implies that failure to do so has a high risk of sending your sensitive *web* traffic to the attacker, is accurate given the high fraction of Web traffic that is protected with TLS and the likely even higher fraction of sensitive traffic that is.
>> 
>> The issue around implied risk, is a longitudinal one.
>> 
>> For sake of argument, let's assume 100.0% of web traffic is TLS protected.
>> Let's also assume that of the privacy resolver operators, there is at least one that does not do DNSSEC.
>> 
>> If an attacker obtains the private key for *some* certificate for a web site, what is the risk for the customers of the two groups of resolver operators?
>> 
>> The risk for the DNSSEC validating operators' clients is zero if the web site is in a DNSSEC signed domain. 
>> The risk for the non-DNSSEC validating operators' clients is non-zero if the web site is in a DNSSEC signed domain.
> 
> I don't think we're getting anywhere particularly useful here, so I'll probably make this my last response unless something particularly new emerges.
> 
> The ability of an attacker to compromise a given connection depends on (1) the ability to intercept the wire traffic and (2) the ability to compromise the TLS connection. A successful attack (as a general matter) requires both of these abilities. Because there are a number of environments in which the ability to intercept wire traffic is trivial (e.g., an open WiFi hotspot) TLS is designed under the assumption that the attacker has ability (1), in which case, the security rests on ability (2), which it might achieve in a number of ways, with key compromise being one of them.
> 
> It is certainly true that defense in depth is a good thing and that measures which strengthen the user's wire traffic against interception by the attacker will generally increase security. However, it is neither the case that DNSSEC validation is sufficient to guarantee this protection (contra your statement above state above) nor that in the absence of DNSSEC validation compromise of the user's data is a generally anticipated consequence (as implied by the text in question). It is not sufficient because (1) the attacker may be on-path, in which case it is irrelevant whether the client is able to resolve the right IP address or (2) the DNSSEC signing key is itself uncompromised [usually we just assume that keys are secure, but given that the scenario you are positing for WebPKI failure is key compromise, DNSSEC signing key compromise needs also to be in scope]. It is not necessary because, as has been noted already, we generally assume that the WebPKI provides a reasonable level of security on its own, although, as Adam observes, nothing is perfect.
> 
> -Ekr
> 
>>

v2.23.0 | Report a Bug | By Email